Firewalld IPv6_rpfilter default to loose on Workstations
Summary
Default firewalld to using IPv6_rpfilter=loose for new Workstation installs.
Owner
- Name: Eric Garver
- Email: egarver@redhat.com
Current status
- Targeted release: Fedora Linux 42
- Last updated: 2024-12-03
- Announced
- Discussion thread
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Fedora Workstation variants use connectivity checks by default. These checks can fail for multi-homed hosts where firewalld uses IPv6_rpfilter=strict. As such, for these variants we should instead default to IPv6_rpfilter=loose to allow connectivity checks to function as intended.
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2324434
For IPv4 the rpfilter setting is already set to loose by default on all editions starting with Fedora 30. See: https://github.com/systemd/systemd/commit/230450d4e4f1f5fc9fa4295ed9185eea5b6ea16e
Feedback
Benefit to Fedora
The benefit is that connectivity checks will work properly on multi-homed, e.g. wifi + LAN, workstations. This helps avoid certain scenarios that can degrade user experience when switching between modes of connectivity.
Scope
- Proposal owners: The change is a small patch in the RPM spec file. The only affected file will be /etc/firewalld/firewalld.conf.
- Other developers: N/A
- Release engineering: N/A #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy:
Upgrade/compatibility impact
For systems upgrading to f42, the new value of IPv6_rpfilter depends on whether the user has customized /etc/firewalld/firewalld.conf. If no, then the RPM upgrade process will update the configuration to IPv6_rpfilter=loose. If yes, then the user configuration will be retained.
It's important to note that this change is a deviation from firewalld upstream. Firewalld upstream will still default to IPv6_rpfilter=strict.
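Because a customized file keeps its existing value across the upgrade, the setting has to be confirmed per host. The script below is an added example, not code from firewalld or from this Change; it assumes plain key=value lines with '#' comment lines and that the first definition of a key is the one that counts, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not firewalld or Fedora code): report which IPv6_rpfilter
# value a firewalld.conf sets and compare it with the value you expect.
# Assumptions: plain key=value lines, '#' starts a comment line, and the
# first definition of a key is the one that counts.

# Print the configured value, "unset" if the key is absent, or
# "unreadable" if the file cannot be read.
ipv6_rpfilter_value() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)  # tolerate padding around "="
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "IPv6_rpfilter") { print val; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 when the file sets the expected value, 1 otherwise.
check_ipv6_rpfilter() {
    conf=$1
    want=$2
    have=$(ipv6_rpfilter_value "$conf")
    if [ "$have" = "$want" ]; then
        echo "OK: $conf sets IPv6_rpfilter=$have"
        return 0
    fi
    echo "MISMATCH: $conf has IPv6_rpfilter '$have', expected '$want'"
    return 1
}

if [ $# -ge 1 ]; then
    # Usage: script /etc/firewalld/firewalld.conf [expected-value]
    check_ipv6_rpfilter "$1" "${2:-loose}"
else
    # No arguments: run against a constructed sample of a customized file.
    sample=$(mktemp)
    printf '%s\n' '# constructed sample' 'DefaultZone=public' \
        'IPv6_rpfilter=strict' > "$sample"
    check_ipv6_rpfilter "$sample" loose || true
    rm -f "$sample"
fi
```

A result of "unset" means the file does not define the key, so the value comes from whatever default the installed firewalld build applies.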
Early Testing (Optional)
Do you require 'QA Blueprint' support? N
How To Test
No special hardware is required. A default Workstation should be sufficient.
Testing requires multiple network interfaces with internet access. Connectivity checks must be enabled (default). Tester must verify that the connectivity checks pass for both links.
User Experience
Connectivity checks work properly for multiple interfaces.
There is one specific scenario in which a non-functioning connectivity check can lead to a degraded user experience:
A user with a laptop that is connected to their home WiFi connects said laptop to their home network using Ethernet, for example to transfer a larger file to a network drive. The user's home network provides internet access using both IPv4 and IPv6 addressing.
The user expects the Ethernet connection to take precedence over the already established WiFi connection. However, due to the IPv6_rpfilter=strict setting, the IPv6 connectivity check fails and the Ethernet connection is deemed not connected to the internet. NetworkManager thus adds a penalty to the Ethernet interface's routing metric, resulting in traffic to the local network and the internet preferring the WiFi interface over the Ethernet interface. If the WiFi connection is slower than the Ethernet connection, this will lead to degraded performance when transferring that large file.
Dependencies
No dependencies.
Contingency Plan
- Contingency mechanism: Keep existing default of IPv6_rpfilter=strict.
- Contingency deadline: beta freeze
- Blocks release? No
Documentation
https://bugzilla.redhat.com/show_bug.cgi?id=2324434
Release Notes
Connectivity checks now work properly for multi-homed Workstations.