
This patch disables martian packet logging and updates the documentation to reflect the new default. A release note is also included to make deployers aware of the change.

Closes-bug: 1619039
Change-Id: I4b19aa1200298a92c85824e319bb919260e5a6d0
Exception
The STIG requires that all martian packets are logged by setting the sysctl parameter net.ipv4.conf.all.log_martians to 1.
Although the logs can be valuable in some situations, the setting can generate a significant amount of logging in OpenStack environments, especially those that use neutron's Linux bridge networking. In some situations, the logging can flood the physical terminal and make troubleshooting at the console or via out-of-band access (like iKVM, DRAC and iLO) extremely difficult.
The role will ensure that martian packet logging is disabled by default. Deployers that need this logging enabled will need to set the following Ansible variable:
security_sysctl_enable_martian_logging: yes
Wikipedia's article on martian packets provides additional information.
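
The following check is an added example, not part of the role or of this patch. It lists the interfaces on which martian logging is effectively enabled, relying on the Linux kernel's documented behaviour that logging is active on an interface when either conf/all/log_martians or conf/<interface>/log_martians is 1. The function name and its optional directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report interfaces where martian logging is effectively on.
# The kernel logs martians on an interface when either conf/all/log_martians
# or conf/<iface>/log_martians is 1 (logical OR, per the kernel's ip-sysctl
# documentation), so checking the "all" value alone is not sufficient.

# martian_logging_ifaces [CONF_DIR]   (hypothetical helper name)
# Prints one interface name per line.
# Returns 0 if no interface logs martians, 1 otherwise.
martian_logging_ifaces() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    all_val=0
    [ -r "$conf_dir/all/log_martians" ] && all_val=$(cat "$conf_dir/all/log_martians")
    found=0
    for path in "$conf_dir"/*/log_martians; do
        [ -r "$path" ] || continue
        iface=$(basename "$(dirname "$path")")
        # "all" and "default" are templates, not real interfaces.
        case "$iface" in all|default) continue ;; esac
        if [ "$all_val" = "1" ] || [ "$(cat "$path")" = "1" ]; then
            echo "$iface"
            found=1
        fi
    done
    return "$found"
}
```

Called with no argument, the function inspects the live host; a non-empty result after the role has run means a per-interface value still has logging switched on.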