image: use all of cilium's sysctl overrides

edgelesssys · Oct 27, 2023 · 5ac4137 · 5ac4137
1 parent cd93eb6
commit 5ac4137
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/image/base/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf b/image/base/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf
diff --git a/image/base/mkosi.skeleton/usr/lib/sysctl.d/99-zzz-override_cilium.conf b/image/base/mkosi.skeleton/usr/lib/sysctl.d/99-zzz-override_cilium.conf
@@ -0,0 +1,8 @@
+# See https://github.com/cilium/cilium/issues/10645
+# and https://github.com/cilium/cilium/blame/898a632e3c3b64eaa0f23ebde5a069e87373c59b/tools/sysctlfix/main.go#L41
+# Disable rp_filter on Cilium interfaces since it may cause mangled packets to be dropped
+-net.ipv4.conf.lxc*.rp_filter = 0
+-net.ipv4.conf.cilium_*.rp_filter = 0
+# The kernel uses max(conf.all, conf.{dev}) as its value, so we need to set .all. to 0 as well.
+# Otherwise it will overrule the device specific settings.
+net.ipv4.conf.all.rp_filter = 0