Monitoring/check rp filter disabled

Check rp_filter disabled is an Icinga check running on LVS servers via NRPE.

It is defined in modules/profile/manifests/lvs.pp.

It checks if rp filter is disabled in sysctl. The plugin it uses is /usr/lib/nagios/plugins/check_sysctl.

LVS servers require this setting in order to do their primary job of asymmetrically forwarding traffic.

"rp_filter" stands for "Reverse path filtering".

"when a machine with reverse path filtering enabled recieves a packet, the machine will first check whether the source of the recived packet is reachable through the interface it came in.

If it is routable through the interface which it came, then the machine will accept the packet If it is not routable through the interface, which it came, then the machine will drop that packet."

[1]

The command is executed on the LVS hosts and you can find the full command line in /etc/nagios/nrpe.d# view check_check_rp_filter_disabled.cfg.

The reason this check has been added is described Incident_documentation/20140203-LVS, which it was a follow-up for.

• disable rp_filtering -> https://serverfault.com/questions/816393/disabling-rp-filter-on-one-interface
• also see: https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.rpf.html

• The check has been added in https://phabricator.wikimedia.org/rOPUP72bd9d36d75ef162223a378311e69cd3a7e8b3de and parameters have been tuned in https://phabricator.wikimedia.org/rOPUPbced02009ea59f7faf07c1608417024d6a5a693b