What does this negative kernel value mean?

Denna

Senior Member
What does the following negative kernel value mean?
Code:
net.ipv4.conf.all.rp_filter = -1
 
Tried Googling it?
 
I see references for values of 0 and 1, but not -1.
 
The "-1" value appears to be a mistake or typo as there is no valid "-1" value.
Code:
    0 - No source validation.
    1 - Strict mode as defined in RFC3704 Strict Reverse Path
        Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail.
        By default failed packets are discarded.
    2 - Loose mode as defined in RFC3704 Loose Reverse Path
        Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.
In the current version of Asuswrt-Merlin, the following "-1" values appear.
Code:
net.ipv4.conf.all.rp_filter = -1
net.ipv6.conf.ifb0.accept_dad = -1
net.ipv6.conf.ifb1.accept_dad = -1
net.ipv6.conf.lo.accept_dad = -1
 
Are there any developers that have input on this?
 
https://github.com/RMerl/asuswrt-me...2.6.36/Documentation/networking/ip-sysctl.txt
"The max value from conf/{all,interface}/rp_filter is used
when doing source validation on the {interface}."


I think the Linux kernel chooses the greater of either the "all" value or the per-interface value.

See all the values:
Code:
for I in /proc/sys/net/ipv4/conf/*; do echo "$I/rp_filter = $(cat "$I/rp_filter")"; done
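
The rule quoted above (the larger of the conf/all value and the per-interface value is used) can be applied to every interface in one pass. This is an added example, not code from the thread or from Asuswrt-Merlin; the function names rp_effective, rp_mode and rp_report are made up for illustration.

```shell
#!/bin/sh
# Effective rp_filter per interface = max(conf/all, conf/<iface>),
# following the ip-sysctl.txt sentence quoted in the thread.

# rp_effective ALL IFACE -> prints the larger of the two integers.
rp_effective() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# rp_mode N -> name of the documented mode, or "undocumented" for anything else.
rp_mode() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "undocumented" ;;
    esac
}

# rp_report [DIR] -> one line per interface: raw value, "all" value, effective value.
# DIR defaults to the live sysctl tree; "all" and "default" are not interfaces
# ("default" is only the template for interfaces created later), so they are skipped.
rp_report() {
    dir="${1:-/proc/sys/net/ipv4/conf}"
    all="$(cat "$dir/all/rp_filter")" || return 1
    for path in "$dir"/*/; do
        name="$(basename "$path")"
        case "$name" in all|default) continue ;; esac
        raw="$(cat "$path/rp_filter" 2>/dev/null)" || continue
        eff="$(rp_effective "$all" "$raw")"
        echo "$name raw=$raw all=$all effective=$eff ($(rp_mode "$eff"))"
    done
}

# Run against the live system when the tree is readable.
if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    rp_report
fi
```

With all = -1 and an interface set to 1, the larger value is 1, so that interface is reported as strict.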


Here are all the values. It looks good to me, but you should ask a kernel developer anyway just to be sure.
Code:
#for I in /proc/sys/net/ipv4/conf/*; do echo "$I/rp_filter = $(cat $I/rp_filter)"; done
/proc/sys/net/ipv4/conf/all/rp_filter = -1
/proc/sys/net/ipv4/conf/br0/rp_filter = 1
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/rp_filter = 1
/proc/sys/net/ipv4/conf/eth2/rp_filter = 1
/proc/sys/net/ipv4/conf/ifb0/rp_filter = 1
/proc/sys/net/ipv4/conf/ifb1/rp_filter = 1
/proc/sys/net/ipv4/conf/lo/rp_filter = 1
/proc/sys/net/ipv4/conf/tun21/rp_filter = 1
/proc/sys/net/ipv4/conf/vlan1/rp_filter = 1
/proc/sys/net/ipv4/conf/vlan2/rp_filter = 1
/proc/sys/net/ipv4/conf/wl0.1/rp_filter = 1
/proc/sys/net/ipv4/conf/wl0.2/rp_filter = 1
/proc/sys/net/ipv4/conf/wl1.1/rp_filter = 1
/proc/sys/net/ipv4/conf/wl1.2/rp_filter = 1


#for I in /proc/sys/net/ipv6/conf/*; do echo "$I/accept_dad = $(cat $I/accept_dad)"; done
/proc/sys/net/ipv6/conf/all/accept_dad = 1
/proc/sys/net/ipv6/conf/br0/accept_dad = 2
/proc/sys/net/ipv6/conf/default/accept_dad = 2
/proc/sys/net/ipv6/conf/eth0/accept_dad = 2
/proc/sys/net/ipv6/conf/eth1/accept_dad = 2
/proc/sys/net/ipv6/conf/eth2/accept_dad = 2
/proc/sys/net/ipv6/conf/ifb0/accept_dad = -1
/proc/sys/net/ipv6/conf/ifb1/accept_dad = -1
/proc/sys/net/ipv6/conf/lo/accept_dad = -1
/proc/sys/net/ipv6/conf/tun21/accept_dad = -1
/proc/sys/net/ipv6/conf/vlan1/accept_dad = 2
/proc/sys/net/ipv6/conf/vlan2/accept_dad = 2
/proc/sys/net/ipv6/conf/wl0.1/accept_dad = 2
/proc/sys/net/ipv6/conf/wl0.2/accept_dad = 2
/proc/sys/net/ipv6/conf/wl1.1/accept_dad = 2
/proc/sys/net/ipv6/conf/wl1.2/accept_dad = 2
 
So is this a concern with Asuswrt to be reported to Asus?
https://www.ftc.gov
Maureen Ohlhausen, Commissioner of the Federal Trade Commission
https://en.wikipedia.org/wiki/Federal_Trade_Commission
 
When I did a search I did find one other reference setting accept_dad to -1.

And apparently it's a valid, but undocumented, condition in the code (although I didn't trace to see what it was doing):
torvalds/linux:v4.10:net/ipv6/addrconf.c

Code:
    in6_dev_hold(ndev);
    if (dev->flags & (IFF_NOARP | IFF_LOOPBACK))
        ndev->cnf.accept_dad = -1;
#if IS_ENABLED(CONFIG_IPV6_SIT)
    if (dev->type == ARPHRD_SIT && (dev->priv_flags & IFF_ISATAP)) {
 
Sure, I know for example when working in SUSE or AIX, when we set our ulimit values, -1 often is a value set to signify "unlimited".
 
And with Linux - sometimes the value of "-1" when used as an integer value means "not known" in the network stack...
 
Not all values in sysctl are boolean - many aren't - so the -1, esp. with ints, is a catchall when looking at case statements - if it wasn't there, one might crash with an unhandled state.
 
