F42 Change Proposal: Firewalld IPv6_rpfilter default to loose on Workstations (self-contained)

Wiki - https://fedoraproject.org/wiki/Changes/Firewalld_IPv6_rpfilter_Default_Loose
Discussion Thread -
https://discussion.fedoraproject.org/t/f42-change-proposal-firewalld-ipv6-rpfilter-default-to-loose-on-workstations-self-contained/138980

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
Default firewalld to using `IPv6_rpfilter=loose` for new Workstation installs.

== Owner ==
* Name: [[User:erig0| Eric Garver]]
* Email: egarver@xxxxxxxxxx


== Detailed Description ==
Fedora Workstation variants use connectivity checks by default. These
checks can fail for multi-homed hosts where firewalld uses
`IPv6_rpfilter=strict`. As such, for these variants we should instead
default to `IPv6_rpfilter=loose` to allow connectivity checks to
function as intended.

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2324434

For IPv4 the rpfilter setting is already set to loose by default on
all editions starting with Fedora 30. See:
https://github.com/systemd/systemd/commit/230450d4e4f1f5fc9fa4295ed9185eea5b6ea16e

== Feedback ==

== Benefit to Fedora ==
Connectivity checks will work properly on multi-homed workstations,
e.g. WiFi + LAN. This helps avoid certain scenarios that can degrade
user experience when switching between modes of connectivity.

== Scope ==
* Proposal owners: The change is a small patch in the RPM spec file.
The only affected file will be `/etc/firewalld/firewalld.conf`.

* Other developers: N/A

* Release engineering: N/A [https://pagure.io/releng/issues #Releng
issue number]

* Policies and guidelines: N/A (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)

* Alignment with the Fedora Strategy:


== Upgrade/compatibility impact ==
For systems upgrading to F42, the new value of `IPv6_rpfilter` depends
on whether the user has customized `/etc/firewalld/firewalld.conf`. If
not, the RPM upgrade process will update the configuration to
`IPv6_rpfilter=loose`. If so, the user configuration will be
retained.

It's important to note that this change is a deviation from firewalld
upstream. Firewalld upstream will still default to
`IPv6_rpfilter=strict`.


== Early Testing (Optional) ==

Do you require 'QA Blueprint' support? N


== How To Test ==
No special hardware is required. A default Workstation should be sufficient.

Testing requires multiple network interfaces with internet access.
Connectivity checks must be enabled (default). The tester must verify
that the connectivity checks pass for both links.



== User Experience ==

Connectivity checks work properly for multiple interfaces.

There is one specific scenario in which a non-functioning connectivity
check can lead to a degraded user experience:
A user with a laptop that is connected to their home WiFi connects
said laptop to their home network using Ethernet, for example to
transfer a larger file to a network drive. The user's home network
provides internet access using both IPv4 and IPv6 addressing.
The user expects the Ethernet connection to take precedence over the
already established WiFi connection. However, due to the
`IPv6_rpfilter=strict` setting, the IPv6 connectivity check fails and
the Ethernet connection is deemed not connected to the internet.
NetworkManager thus adds a penalty to the Ethernet interface's routing
metric, resulting in traffic to the local network and the internet
preferring the WiFi interface over the Ethernet interface. If the WiFi
connection is slower than the Ethernet connection, this will lead to
degraded performance when transferring that large file.
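
The following is an added example, not part of the proposal and not firewalld or kernel code: a simplified model of the strict and loose reverse-path checks described in RFC 3704, showing why a per-link probe reply can be dropped on a host with two uplinks. Interface names, prefixes, metrics, the probe server address and which link holds the best route are all constructed assumptions.

```python
import ipaddress

# Constructed sample: (prefix, interface, metric) for a laptop with two uplinks.
# Interface names, prefixes and metrics are assumptions for illustration.
ROUTES = [
    ("::/0", "wlan0", 600),
    ("::/0", "eth0", 700),
    ("2001:db8:a::/64", "wlan0", 600),
    ("2001:db8:a::/64", "eth0", 700),
]

def routes_to(src, routes):
    """Routes covering src, best first (longest prefix, then lowest metric)."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), dev, m) for p, dev, m in routes
            if addr in ipaddress.ip_network(p)]
    return sorted(hits, key=lambda r: (-r[0].prefixlen, r[2]))

def rpf_accepts(mode, src, in_iface, routes=ROUTES):
    """RFC 3704 style reverse-path check on a packet's source address."""
    hits = routes_to(src, routes)
    if not hits:
        return False                      # no route back at all: both modes drop
    if mode == "loose":
        return True                       # any route back, via any interface
    if mode == "strict":
        return hits[0][1] == in_iface     # best route back must use the ingress link
    raise ValueError(f"unknown mode: {mode}")

def check_links(mode, server="2001:db8:ffff::80", routes=ROUTES):
    """Would the reply to a per-link connectivity probe survive the filter?"""
    links = sorted({dev for _, dev, _ in routes})
    return {dev: rpf_accepts(mode, server, dev, routes) for dev in links}

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, check_links(mode))
    # Without a default route, loose still drops sources that have no route back.
    local_only = [r for r in ROUTES if r[0] != "::/0"]
    print(rpf_accepts("loose", "2001:db8:ffff::80", "eth0", local_only))
```

In this model strict mode can only pass the probe on the link that currently holds the best route to the probe server, while loose mode passes it on both. The last call shows what loose mode still enforces: a source with no route back on any interface is dropped, which covers very little on a host that has a default route.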

== Dependencies ==
No dependencies.


== Contingency Plan ==
* Contingency mechanism: Keep existing default of `IPv6_rpfilter=strict`.
* Contingency deadline: beta freeze
* Blocks release? No

== Documentation ==
https://bugzilla.redhat.com/show_bug.cgi?id=2324434


== Release Notes ==
Connectivity checks now work properly for multi-homed Workstations.


-- 
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney

-- 
_______________________________________________
devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue