[SOLVED] Why there are two separate parameters in /proc/sys/net/ipv4/ for security parameters

gprathap1121@gmail.com · 07-07-2014, 07:14 AM

In proc file system, there are 2 parameters for each setting, one in "default" and other in "all".
/proc/sys/net/ipv4/conf/default/accept_redirects
/proc/sys/net/ipv4/conf/all/accept_redirects

write /proc/sys/net/ipv4/conf/all/secure_redirects 0
write /proc/sys/net/ipv4/conf/default/secure_redirects 0

Does setting the value of parameter in "all" doesn't configure the default value as well.

Do we need to set both the proc entries to work as desired?
Why do we have 2 parameters for each configuration?

Does the default values come in to picture when we change the VLAN settings, and switch to a different interface?

Ser Olmy · 07-10-2014, 08:02 PM

The "default" subdirectory contains parameters assigned to new interfaces, including logical interfaces one might create, such as VLAN and tunnel interfaces.

The "all" subdirectory contains parameters assigned to all interfaces. Changing a parameter in /proc/sys/net/ipv4/conf/all/ will cause it to be applied to all interfaces immediately. It also changes the corresponding /proc/sys/net/ipv4/conf/default/ value.

gprathap1121@gmail.com · 07-11-2014, 01:15 AM

Thank you.
So you mean, setting the value in /proc/sys/net/ipv4/conf/all/, will also update the value in /proc/sys/net/ipv4/conf/default/ right?

But I found that setting the value in /proc/sys/net/ipv4/conf/all/ doesn't update the values in /proc/sys/net/ipv4/conf/default/.
For example:
If we have value 1 for a parameter in /proc/sys/net/ipv4/conf/all/ sub directory and value 0 for the same parameter in /proc/sys/net/ipv4/conf/default/.
Default parameter will be set to 1, even though it is shown as 0?

Ser Olmy · 07-11-2014, 01:45 AM

It's been a while since I read the sysctl documentation so I double-checked, and you're right; it turns out the behavior of the parameters in /proc/sys/net/ipv4/conf/all/ is highly parameter-specific.

In some cases, all/<foo> must be set to 1 (true) for the interface-specific parameter to have any effect at all (true for accept_source_route among others), while in other cases (like igmp_max_memberships) the parameter in /proc/sys/net/ipv4/conf/all/ does indeed affect all interfaces.

In other words, you'll have to check the kernel sysctl documentation for every parameter (and make sure the document you're reading applies to your kernel version).

gprathap1121@gmail.com · 07-14-2014, 12:41 AM

Below 3 parameters need to be updated explicitly for "all" and "default" sub directories.
/proc/sys/net/ipv4/conf/default/send_redirects 1
/proc/sys/net/ipv4/conf/default/accept_source_route 1
/proc/sys/net/ipv4/conf/default/rp_filter 1