image: use all of cilium's sysctl overrides (#2532)

2024-10-01 01:36:09 -04:00 · 2023-10-30 11:19:58 +01:00 · 2023-10-30 11:19:58 +01:00 · 618da92c7f
commit 618da92c7f
parent 21cfb40e98
2 changed files with 8 additions and 3 deletions
--- a/image/base/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf
+++ b/image/base/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf
@ -1,3 +0,0 @@
-# See https://github.com/cilium/cilium/issues/10645
-net.ipv4.conf.lxc*.rp_filter = 0
-net.ipv4.conf.cilium_*.rp_filter = 0
--- a/image/base/mkosi.skeleton/usr/lib/sysctl.d/99-zzz-override_cilium.conf
+++ b/image/base/mkosi.skeleton/usr/lib/sysctl.d/99-zzz-override_cilium.conf
@ -0,0 +1,8 @@
+# See https://github.com/cilium/cilium/issues/10645
+# and https://github.com/cilium/cilium/blame/898a632e3c3b64eaa0f23ebde5a069e87373c59b/tools/sysctlfix/main.go#L41
+# Disable rp_filter on Cilium interfaces since it may cause mangled packets to be dropped
+-net.ipv4.conf.lxc*.rp_filter = 0
+-net.ipv4.conf.cilium_*.rp_filter = 0
+# The kernel uses max(conf.all, conf.{dev}) as its value, so we need to set .all. to 0 as well.
+# Otherwise it will overrule the device specific settings.
+net.ipv4.conf.all.rp_filter = 0