From Fedora Project Wiki

Firewalld IPv6_rpfilter default to loose on Workstations

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Default firewalld to using IPv6_rpfilter=loose for new Workstation installs.

Owner


Current status

  • Targeted release: Fedora Linux 42
  • Last updated: 2024-12-03
  • Announced
  • Discussion thread
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Fedora Workstation variants enable NetworkManager connectivity checks by default. On a multi-homed host, for example a laptop with both WiFi and Ethernet holding a default route, the IPv6 check can fail when firewalld uses IPv6_rpfilter=strict: strict reverse path filtering drops any incoming packet whose source address would be routed back out through a different interface than the one the packet arrived on, so the reply to a probe sent over the link the kernel does not currently prefer is discarded. IPv6_rpfilter=loose only requires that some route back to the source exists, which still drops packets from unroutable source addresses but lets the checks succeed on both links. For these variants we should therefore default to IPv6_rpfilter=loose so that connectivity checks function as intended.

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2324434

For IPv4, reverse path filtering is not done by firewalld but by the kernel sysctl net.ipv4.conf.*.rp_filter, which systemd's default sysctl configuration has set to loose (rp_filter=2) on all editions since Fedora 30. See: https://github.com/systemd/systemd/commit/230450d4e4f1f5fc9fa4295ed9185eea5b6ea16e

Feedback

Benefit to Fedora

The benefit is that connectivity checks will work properly on multi-homed workstations, e.g. WiFi + Ethernet. This avoids the degraded experience described under User Experience, where a link that failed its IPv6 check is penalised in the routing table and traffic stays on a slower link when switching between modes of connectivity.

Scope

  • Proposal owners: The change is a small patch in the RPM spec file. The only affected file will be /etc/firewalld/firewalld.conf.
  • Other developers: N/A
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy:

Upgrade/compatibility impact

For systems upgrading to Fedora Linux 42, the resulting value of IPv6_rpfilter depends on whether the user has customized /etc/firewalld/firewalld.conf. If not, the RPM upgrade updates the configuration to IPv6_rpfilter=loose. If so, the user's configuration is retained in full, which means a file edited for any other reason (for example to change DefaultZone) also keeps the previous IPv6_rpfilter value; such users have to set IPv6_rpfilter=loose by hand if they want the new behaviour.

It's important to note that this change is a deviation from firewalld upstream. Firewalld upstream will still default to IPv6_rpfilter=strict.


Early Testing (Optional)

Do you require 'QA Blueprint' support? N

How To Test

No special hardware beyond two network interfaces is required; a default Workstation install on a laptop with both WiFi and Ethernet is sufficient.

Both interfaces must have internet access over IPv6 as well as IPv4, and connectivity checks must be enabled (the default). The tester must verify that the connectivity check passes for each link individually, not only for the currently preferred one.
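The following script is an added example, not part of this Change proposal or of firewalld, that covers both the mechanism described above and the test procedure. It reads the effective IPv6_rpfilter mode from a firewalld.conf; run stand-alone it does so against constructed sample files, showing the upstream strict default beside the proposed loose one and the case where the key is absent. Run with --live it also reports the setting of the real /etc/firewalld/firewalld.conf, the fib rule firewalld loaded, and, for every interface that holds an IPv6 default route, NetworkManager's per-device IPv6 connectivity verdict next to a replay of the connectivity probe pinned to that interface. Assumptions: firewalld treats an absent key and the legacy value yes as strict; the probe URI and expected body are those of Fedora's NetworkManager connectivity configuration (/usr/lib/NetworkManager/conf.d/20-connectivity-fedora.conf, verify on the system under test); firewalld's nftables table is inet firewalld. Function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: effective IPv6_rpfilter mode and per-interface IPv6 connectivity.
# Not part of the Fedora Change or of firewalld; see the lead-in for assumptions.

# Print the effective IPv6_rpfilter mode for the firewalld.conf given as $1.
# Reverse path filtering semantics (kernel fib lookup, as used by firewalld's nft rule):
#   strict - drop unless the route back to the source leaves via the interface the
#            packet arrived on; with two default routes this drops probe replies that
#            arrive on the link the routing table does not currently prefer.
#   loose  - drop only if no route back to the source exists at all.
#   no     - no reverse path check for IPv6.
# Assumptions: an absent key means the upstream default (strict) and the legacy
# spelling "yes" means strict. If the key appears more than once, the last one wins here.
effective_ipv6_rpfilter() {
    rp_val=$(sed -n 's/^[[:space:]]*IPv6_rpfilter[[:space:]]*=[[:space:]]*//p' "$1" \
             | sed 's/[[:space:]]*$//' | tail -n 1)
    case "$rp_val" in
        ""|yes|strict) echo strict ;;
        loose)         echo loose ;;
        no)            echo no ;;
        *)             echo "unrecognised:$rp_val" ;;
    esac
}

# List every interface that currently carries an IPv6 default route.
ipv6_default_ifaces() {
    ip -6 route show default \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }' | sort -u
}

# Report NetworkManager's IPv6 connectivity verdict for device $1 and replay the
# connectivity probe over that device only. A failing probe on a link that otherwise
# has working IPv6 is the symptom the Change describes.
check_iface_connectivity() {
    dev="$1"
    nm_state=$(nmcli -g GENERAL.IP6-CONNECTIVITY device show "$dev" 2>/dev/null || echo unavailable)
    # Probe URI and expected body taken from Fedora's NetworkManager connectivity
    # config (assumed here; verify in /usr/lib/NetworkManager/conf.d/20-connectivity-fedora.conf).
    body=$(curl -6 --silent --max-time 5 --interface "$dev" \
               http://fedoraproject.org/static/hotspot.txt 2>/dev/null || true)
    if [ "$body" = "OK" ]; then probe=pass; else probe=FAIL; fi
    printf '%-12s nm-ip6=%-10s probe=%s\n' "$dev" "$nm_state" "$probe"
}

# Offline demonstration on constructed sample configurations.
demo() {
    tmp=$(mktemp -d)
    printf '# constructed sample: firewalld upstream default\nIPv6_rpfilter=strict\n' > "$tmp/upstream.conf"
    printf '# constructed sample: proposed Workstation default\nIPv6_rpfilter=loose\n' > "$tmp/workstation.conf"
    printf '# constructed sample: key commented out, upstream default applies\n#IPv6_rpfilter=loose\n' > "$tmp/absent.conf"
    for name in upstream workstation absent; do
        printf '%-16s IPv6_rpfilter=%s\n' "$name.conf" "$(effective_ipv6_rpfilter "$tmp/$name.conf")"
    done
    rm -rf "$tmp"
}

case "${1:-}" in
    --live)
        printf 'configured: IPv6_rpfilter=%s\n' "$(effective_ipv6_rpfilter /etc/firewalld/firewalld.conf)"
        # The fib rule firewalld actually loaded; reading the ruleset needs root.
        nft list table inet firewalld 2>/dev/null | grep 'fib ' || echo 'nft ruleset not readable (run as root)'
        for dev in $(ipv6_default_ifaces); do check_iface_connectivity "$dev"; done
        ;;
    *)
        demo
        ;;
esac
```

In --live mode a link whose nm-ip6 verdict is anything other than full, or whose probe fails while IPv6 otherwise works on that interface, reproduces the problem; after switching to IPv6_rpfilter=loose and running firewall-cmd --reload, both links should report pass.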


User Experience

Connectivity checks work properly for multiple interfaces.

There is one specific scenario in which a non-functioning connectivity check degrades the user experience. A user whose laptop is connected to their home WiFi also plugs it into the same home network over Ethernet, for example to transfer a large file to a network drive. The home network provides internet access over both IPv4 and IPv6. The user expects the Ethernet connection to take precedence over the already established WiFi connection. However, with IPv6_rpfilter=strict the IPv6 connectivity check on the Ethernet link fails: the reply to the probe arrives on Ethernet while the reverse route to the probe server's address still points out the WiFi interface, so the packet is dropped and the Ethernet connection is deemed not connected to the internet. NetworkManager therefore adds a penalty to the Ethernet interface's routing metric, and traffic to both the local network and the internet keeps preferring WiFi over Ethernet. If the WiFi link is slower than Ethernet, the large file transfer runs at the slower speed.

Dependencies

No dependencies.

Contingency Plan

  • Contingency mechanism: Keep existing default of IPv6_rpfilter=strict.
  • Contingency deadline: beta freeze
  • Blocks release? No

Documentation

https://bugzilla.redhat.com/show_bug.cgi?id=2324434


Release Notes

Connectivity checks now work properly for multi-homed Workstations.