[systemd-devel] [PATCH v2] networkd: do not change kernel forwarding parameters when IPForwarding is unset

Michael Marineau michael.marineau at coreos.com
Fri May 15 12:42:06 PDT 2015


On Fri, May 15, 2015 at 12:18 PM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Fri, 15.05.15 12:08, Nick Owens (nick.owens at coreos.com) wrote:
>
>> In 5a8bcb674f71a20e95df55319b34c556638378ce, IPForwarding was introduced
>> to set forwarding flags on interfaces in .network files. networkd sets
>> forwarding options regardless of the previous setting, even if it was
>> set by e.g. sysctl. This commit makes IPForwarding not change forwarding
>> settings, so that systems using sysctl continue to work even if
>> IPForwarding is unset in their .network files.
>>
>> See https://bugs.freedesktop.org/show_bug.cgi?id=89509 for the initial
>> bug report.
>
> I think there should be an explicit way to enable the "kernel default
> mode", i.e. the parser for this one option should consider a special
> value "kernel" or so to explicitly ask for the kernel default.
>
> I'd still prefer if we'd default to ip forwarding off, rather than ip
> forwarding as kernel default, for security reasons.

Well, in CoreOS we *have* to use the kernel default if the value is
unset; there simply is no way to safely upgrade existing systems to
the new configuration scheme from the old sysctl one. The semantics of
the two are too different. Even if there were a reasonable translation,
we are not in the business of modifying user configs.
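The drift the bug report describes (networkd writing a per-interface forwarding flag regardless of what sysctl had set) can be audited from a defender's side. The script below is an added example, not code from the patch or from anyone in this thread; it assumes a sysctl.d-style file with `net.ipv4.ip_forward` and optional `net.ipv4.conf.<iface>.forwarding` lines, and takes the conf tree root as a parameter so it runs against a constructed tree here and against `/proc/sys/net/ipv4/conf` on a live host.

```shell
#!/bin/sh
# Added example, not code from the systemd patch or this thread.
# Audit the drift the bug report describes: per-interface IPv4 forwarding flags
# that no longer match what sysctl configuration asked for (e.g. because
# networkd wrote them regardless of the earlier sysctl setting).
# Paths are parameters: conf_root is /proc/sys/net/ipv4/conf on a live system.

# Print the last value assigned to a sysctl key in a sysctl.d-style file.
sysctl_want() {  # $1 = key (dots escaped for sed), $2 = file
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([01]\).*/\1/p" "$2" | tail -n 1
}

# Compare each interface's effective forwarding flag with the configured value.
# A per-interface net.ipv4.conf.<iface>.forwarding line overrides the global
# net.ipv4.ip_forward; with neither present, the kernel default (0) is assumed.
# Prints one line per drifted interface; returns 1 if any drifted, else 0.
forwarding_drift() {  # $1 = sysctl config file, $2 = conf tree root
    global=$(sysctl_want 'net\.ipv4\.ip_forward' "$1")
    global=${global:-0}
    drift=0
    for dir in "$2"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/forwarding" ] || continue
        have=$(cat "$dir/forwarding")
        want=$(sysctl_want "net\.ipv4\.conf\.$iface\.forwarding" "$1")
        want=${want:-$global}
        if [ "$have" != "$want" ]; then
            echo "$iface: forwarding=$have, sysctl config wants $want"
            drift=1
        fi
    done
    return "$drift"
}

# Constructed sample tree standing in for /proc/sys/net/ipv4/conf: eth1 has
# had forwarding switched on although the sysctl fragment never asked for it.
make_sample_tree() {  # $1 = directory to populate
    for i in all default eth0 eth1; do
        mkdir -p "$1/$i"
        echo 0 > "$1/$i/forwarding"
    done
    echo 1 > "$1/eth1/forwarding"
    printf '# constructed sysctl.d fragment\nnet.ipv4.ip_forward = 0\n' > "$1/99-sysctl.conf"
}

sample=$(mktemp -d)
make_sample_tree "$sample"
if forwarding_drift "$sample/99-sysctl.conf" "$sample"; then echo "no drift"; fi
rm -rf "$sample"
```

On a live host, run `forwarding_drift /etc/sysctl.d/99-sysctl.conf /proc/sys/net/ipv4/conf` (or whichever fragment carries your forwarding keys); a non-zero exit marks interfaces whose flag differs from the sysctl-configured value.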
