commit da741688c1b1d5cf2c27f45858fb45bfd1063b25 Author: Andrew Bonney Date: Mon Aug 24 15:50:07 2020 +0100 Allow 'rp_filter' to be configured by individual deployments The value of '0' for rp_filter appears to be unnecessary in at least some deployments, and can lead to confusing symptoms where apparently impossible network routes are available. It may also pose a security risk for hosts which are closer to the Internet. Changing this default could be very disruptive to deployments which depend upon it, but for those that wish to change it this currently requires re-definition of the entire 'openstack_kernel_options' dict. This patch adds two new variables to enable user-configuration of the 'net.ipv4.conf.all.rp_filter' and 'net.ipv4.conf.default.rp_filter' parameters. Change-Id: I75093e50a2786956e3669f89027042cc74b62d22
diff --git a/defaults/main.yml b/defaults/main.yml
index f340076..14b86bb 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -88,14 +88,18 @@ openstack_host_environment_path:
 - /usr/games
 - /usr/local/games
 
+# Set the level of reverse path filtering to use
+openstack_host_rp_filter_all: 0
+openstack_host_rp_filter_default: 0
+
 # Set the maximum size of the connection tracking table.
 openstack_host_nf_conntrack_max: 262144
 
 # System control kernel tuning
 openstack_kernel_options:
 - { key: 'fs.inotify.max_user_watches', value: 1048576 }
- - { key: 'net.ipv4.conf.all.rp_filter', value: 0 }
- - { key: 'net.ipv4.conf.default.rp_filter', value: 0 }
+ - { key: 'net.ipv4.conf.all.rp_filter', value: "{{ openstack_host_rp_filter_all }}" }
+ - { key: 'net.ipv4.conf.default.rp_filter', value: "{{ openstack_host_rp_filter_default }}" }
 - { key: 'net.ipv4.ip_forward', value: 1 }
 - { key: 'net.netfilter.nf_conntrack_max', value: "{{ openstack_host_nf_conntrack_max }}" }
 - { key: 'vm.dirty_background_ratio', value: 5 }
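Review bot: The new comment `# Set the level of reverse path filtering to use` above `openstack_host_rp_filter_all` does not tell an operator what the accepted values mean, and the default of `0` silently keeps the behaviour the commit message itself describes as a potential risk for hosts closer to the Internet. Since the whole point of the change is to let deployments choose, the comment should name the kernel's settings and the reason the default is left at 0, e.g. `# 0 = no source validation (kept for deployments relying on asymmetric routes), 1 = strict mode, 2 = loose mode (RFC 3704); see the kernel's ip-sysctl documentation`. It may also be worth stating in the same comment that `net.ipv4.conf.all.rp_filter` and the per-interface values combine, so raising only `openstack_host_rp_filter_default` does not tighten interfaces that already exist. The templated values are written as quoted Jinja strings, which matches the existing `nf_conntrack_max` entry and is the correct form for an Ansible default.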