From 9fa973f15f78e7c57e629b40894b0465442e6ffe Mon Sep 17 00:00:00 2001
From: Beniamino Galvani
Date: Tue, 17 Apr 2018 09:13:03 +0200
Subject: [PATCH] device: fix setting 'rp_filter' value (rh #1565529)
---
 ...device-check-rp_filter-all-rh1565529.patch | 85 +++++++++++++++++++
 NetworkManager.spec | 7 +-
 2 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 0002-device-check-rp_filter-all-rh1565529.patch
diff --git a/0002-device-check-rp_filter-all-rh1565529.patch b/0002-device-check-rp_filter-all-rh1565529.patch
new file mode 100644
index 0000000..e09c0b0
--- /dev/null
+++ b/0002-device-check-rp_filter-all-rh1565529.patch
@@ -0,0 +1,85 @@
+From 528f8c33caff199f78704776b5f36ba502f85fb0 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani
+Date: Tue, 10 Apr 2018 16:22:00 +0200
+Subject: [PATCH] device: look at 'all' rp_filter value too to determine actual
+ value
+
+Currently we overwrite the interface rp_filter value with 2 ("loose")
+only when it is 1 ("strict") because when it is 0 ("no validation") it
+is already more permissive.
+
+So, if the value for the interface is 0 and
+net/ipv4/conf/all/rp_filter is 1 (like it happens by default on Fedora
+28), we don't overwrite it; since kernel considers the maximum between
+{all,$dev}/rp_filter, the effective value remains 'strict'.
+
+We should instead combine the two {all,$dev}/rp_filter, and if it's 1
+overwrite the value with 2.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1565529
+(cherry picked from commit 150cf44d501c82810e7033b7a8278713919d1d89)
+(cherry picked from commit 0a1b1a4e5ca98ab9a34f384b9d4293357b56745d)
+---
+ src/devices/nm-device.c | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
+index b8828d14c..c3bba5206 100644
+--- a/src/devices/nm-device.c
++++ b/src/devices/nm-device.c
+@@ -879,19 +879,36 @@ nm_device_ipv4_sysctl_set (NMDevice *self, const char *property, const char *val
+ }
+
+ static guint32
+-nm_device_ipv4_sysctl_get_uint32 (NMDevice *self, const char *property, guint32 fallback)
++nm_device_ipv4_sysctl_get_effective_uint32 (NMDevice *self, const char *property, guint32 fallback)
+ {
+ char buf[NM_UTILS_SYSCTL_IP_CONF_PATH_BUFSIZE];
++ gint64 v, v_all;
+
+ if (!nm_device_get_ip_ifindex (self))
+ return fallback;
+
+- return nm_platform_sysctl_get_int_checked (nm_device_get_platform (self),
+- NMP_SYSCTL_PATHID_ABSOLUTE (nm_utils_sysctl_ip_conf_path (AF_INET, buf, nm_device_get_ip_iface (self), property)),
+- 10,
+- 0,
+- G_MAXUINT32,
+- fallback);
++ v = nm_platform_sysctl_get_int_checked
(nm_device_get_platform (self),
++ NMP_SYSCTL_PATHID_ABSOLUTE (nm_utils_sysctl_ip_conf_path (AF_INET,
++ buf,
++ nm_device_get_ip_iface (self),
++ property)),
++ 10,
++ 0,
++ G_MAXUINT32,
++ -1);
++
++ v_all = nm_platform_sysctl_get_int_checked (nm_device_get_platform (self),
++ NMP_SYSCTL_PATHID_ABSOLUTE (nm_utils_sysctl_ip_conf_path (AF_INET,
++ buf,
++ "all",
++ property)),
++ 10,
++ 0,
++ G_MAXUINT32,
++ -1);
++
++ v = NM_MAX (v, v_all);
++ return v > -1 ? (guint32) v : fallback;
+ }
+
+ gboolean
+@@ -2981,7 +2998,7 @@ ip4_rp_filter_update (NMDevice *self)
+
+ if ( priv->v4_has_shadowed_routes
+ || nm_device_get_best_default_route (self, AF_INET)) {
+- if (nm_device_ipv4_sysctl_get_uint32 (self, "rp_filter", 0) != 1) {
++ if (nm_device_ipv4_sysctl_get_effective_uint32 (self, "rp_filter", 0) != 1) {
+ /* Don't touch the rp_filter if it's not strict. */
+ return;
+ }
+--
+2.14.3
+
diff --git a/NetworkManager.spec b/NetworkManager.spec
index 267875d..fd51d56 100644
--- a/NetworkManager.spec
+++ b/NetworkManager.spec
@@ -9,7 +9,7 @@ %global epoch_version 1 %global rpm_version 1.10.6 %global real_version 1.10.6
-%global release_version 1
+%global release_version 2
 %global snapshot %{nil} %global git_sha %{nil}
@@ -91,6 +91,7 @@ Source2: 00-server.conf Source3: 20-connectivity-fedora.conf Patch1: 0001-fix-build-with-gcc8.patch
+Patch2: 0002-device-check-rp_filter-all-rh1565529.patch
 Requires(post): systemd Requires(preun): systemd
@@ -359,6 +360,7 @@ by nm-connection-editor and nm-applet in a non-graphical environment. %setup -q -n NetworkManager-%{real_version} %patch1 -p1
+%patch2 -p1
 %build %if %{with regen_docs}
@@ -710,6 +712,9 @@ fi %endif %changelog
+* Tue Apr 17 2018 Beniamino Galvani - 1:1.10.6-2
+- device: fix setting 'rp_filter' value (rh #1565529)
+
 * Wed Mar 14 2018 Iryna Shcherbina - 1:1.10.6-1.1 - Update Python 2 dependency declarations to new packaging standards (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
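Review bot: In the nm-device.c change carried by 0002-device-check-rp_filter-all-rh1565529.patch, `nm_device_ipv4_sysctl_get_effective_uint32` still accepts any `property`, but `v = NM_MAX (v, v_all);` is the combination rule the commit message gives for rp_filter only, so a later caller passing a different sysctl could get a value the kernel does not actually apply. I would document that above the function, e.g. `/* Effective value as MAX of conf/all and conf/$dev, which is how the kernel evaluates rp_filter; not valid for properties combined another way. */`, or give the helper an rp_filter-specific name. Also, since both reads use -1 as their fallback and are merged with `NM_MAX`, `fallback` is returned only when both fail, and a failed read of `all/rp_filter` is silently treated as if no host-wide value existed; that deserves a short comment because `ip4_rp_filter_update` (whose body continues outside the hunk) uses this result to decide whether to relax reverse-path filtering from strict to loose.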