System sysctl error

Boris · April 10, 2026, 6:08am

Description:

On my VyOS system, I configured the following sysctl parameter to disable martian source logging:

set system sysctl parameter net.ipv4.conf.all.log_martians value '0'

After applying the configuration, the martian source log messages stopped as expected.

However, later the messages started appearing again. When I checked the live sysctl value, it had reverted to:

sysctl net.ipv4.conf.all.log_martians
net.ipv4.conf.all.log_martians = 1

But in the VyOS configuration, the parameter was still present and set to 0:

show configuration commands
set system sysctl parameter net.ipv4.conf.all.log_martians value '0'

conf
set system sysctl parameter net.ipv4.conf.all.log_martians value '0'
Configuration path: [system sysctl parameter net.ipv4.conf.all.log_martians value 0] already exists

Then I tried to delete it and commit:

del system sysctl parameter net.ipv4.conf.all.log_martians value '0'
commit

The commit failed with the following error:

[ system sysctl ]
Traceback (most recent call last):
  File "/usr/libexec/vyos/services/vyos-configd", line 157, in run_script
    script.apply(c)
  File "/usr/libexec/vyos/conf_mode/system_sysctl.py", line 62, in apply
    cmd(f'sysctl -f {config_file}')
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 209, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: None sysctl -f /run/sysctl/99-vyos-sysctl.conf
returned: net.core.netdev_budget = 600
net.core.netdev_budget_usecs = 8000
net.core.netdev_max_backlog = 10000
net.core.rmem_default = 16777216
net.core.rmem_max = 134217728
net.core.wmem_default = 16777216
net.core.wmem_max = 33554432
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 4096
net.ipv4.neigh.default.gc_thresh3 = 8192
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 65536 33554432
exit code: 1

[[system sysctl]] failed
Commit failed

Expected behavior:

The configuration should consistently keep net.ipv4.conf.all.log_martians = 0, or at least allow the setting to be removed cleanly without a commit failure.

Actual behavior:

The runtime sysctl value reverted to 1 even though the VyOS configuration still contained 0, and later removing the config caused commit to fail in system_sysctl.

Impact:

This causes unexpected martian logging to return, and the configuration cannot be safely cleaned up because the commit fails.

Version: VyOS 2026.04.01-0034-rolling

Boris · April 10, 2026, 6:26am

Additional information:

The issue started occurring after I applied the following configuration changes:

delete firewall ipv4 prerouting raw rule 5
delete nat source rule 100
commit

It seems that after these changes, the net.ipv4.conf.all.log_martians behavior became inconsistent, and the sysctl value began reverting to 1 despite being configured as 0 in VyOS.

roedie · April 10, 2026, 6:54am

Hi Boris,

It’s probably because this setting can be done from the firewall itself overwriting your ‘custom’ setting when a firewall change is done. You can use set firewall global-options log martians disable . Please see Global Options Firewall Configuration — VyOS rolling release (current) for more options.

Regards,

Sander