[systemd-devel] ip forwarding

Peter Paule systemd-devel at fedux.org
Thu Nov 5 22:32:43 PST 2015


Hi Johannes,

I had the same problem, I even wrote an article about that
(https://www.fedux.org/articles/2015/09/09/having-no-fun-with-rubygems-systemd-docker-and-networking.html).

I think you use `systemd-networkd`. Correct? The behaviour is documented
in "systemd.network-manual".

  Note: unless this option is turned on, or set to “kernel”, no IP
  forwarding is done on this interface, even if this is globally turned on
  in the kernel, with the net.ipv4.ip_forward,
  net.ipv4.conf.all.forwarding, and net.ipv6.conf.all.forwarding sysctl
  options.

It took me by surprise, too. But a new tool needs some learning.
Unfortunately. Though I would suggest adding some example to the manual
`systemd.network` or at least adding a comment like that.

~~~
Example 2. /etc/systemd/network/80-dhcp.network

[Match]
Name=en*

[Network]
DHCP=yes
# enable ip forwarding for that interface, defaults to "no"
# IPForward=yes
~~~

Cheers,
Dennis

Excerpts from Johannes Ernst's message of 2015-11-05 16:08:26 -0800:
> TL;DR: I propose to have IPForward default to “no change”, rather than 0, as 0 has unexpected consequences for non-expert users.
> 
> Details: A few months ago there were some threads about ip_forwarding needing a toggle from 1 to 0 and back to 1 before it would work. [1][2][3]
> 
> It appears I found the reason for this. With “net.ipv4.ip_forward = 1” in sysctl.d, after a fresh boot:
> 
>     > for i in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/*/forwarding; do echo -n $i: ; cat $i; done
>     /proc/sys/net/ipv4/ip_forward:1
>     /proc/sys/net/ipv4/conf/all/forwarding:1
>     /proc/sys/net/ipv4/conf/default/forwarding:1
>     /proc/sys/net/ipv4/conf/enp0s3/forwarding:0    <= Why?
>     /proc/sys/net/ipv4/conf/lo/forwarding:1
> 
> If I then do the toggle dance:
> 
>     > sysctl net.ipv4.ip_forward=0
>     > sysctl net.ipv4.ip_forward=1
> 
> I get what I expected in the first place:
> 
>     /proc/sys/net/ipv4/ip_forward:1
>     /proc/sys/net/ipv4/conf/all/forwarding:1
>     /proc/sys/net/ipv4/conf/default/forwarding:1
>     /proc/sys/net/ipv4/conf/enp0s3/forwarding:1
>     /proc/sys/net/ipv4/conf/lo/forwarding:1
> 
> Adding net.ipv4.conf.enp0s3.forwarding = 1 to sysctl.d does not have the desired effect.
> 
> Turns out my innocent-looking .network file is the culprit:
> 
>     [Match]
>     Name=en*
> 
>     [Network]
>     DHCP=ipv4
> 
> Without that file, after boot the enp0s3 flag remains 1 as expected.
> 
> The problem: I thought I created that file to say “get an IP address via DHCP” because that’s all it talks about. But due to the IPForward default, I also specified “and turn off ip forwarding”, which is non-obvious (e.g. I just found out, and I originally ran into this in June). So I suggest the default should be “don’t touch this setting” instead of 0.
> 
> Cheers,
> 
> 
> 
> Johannes.
> 
> 
> [1] http://lists.freedesktop.org/archives/systemd-devel/2015-June/033239.html
> [2] http://lists.freedesktop.org/archives/systemd-devel/2015-July/033738.html
> [3] https://github.com/systemd/systemd/issues/468
> 
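
An added example, not part of the thread or of systemd: a shell audit for the state described above, listing interfaces whose forwarding flag is 0 while net.ipv4.ip_forward is 1, and the .network files that leave IPForward= unset. It assumes the IPForward default discussed in this thread; the function names, the 90-wlan.network file and the temporary tree are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Roots are parameters so the audit can
# run against a constructed tree instead of the live /proc and /etc.

# Interfaces whose forwarding flag is 0 although the global flag is 1.
forwarding_mismatches() {
    proc_root=$1
    [ "$(cat "$proc_root/sys/net/ipv4/ip_forward")" = 1 ] || return 0
    for f in "$proc_root"/sys/net/ipv4/conf/*/forwarding; do
        [ -e "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        case $iface in all|default) continue ;; esac
        [ "$(cat "$f")" = 0 ] && echo "$iface"
    done
    return 0
}

# .network files whose [Network] section has no active IPForward= line.
networks_without_ipforward() {
    for f in "$1"/*.network; do
        [ -e "$f" ] || continue
        awk '/^[ \t]*\[/ { in_net = ($0 ~ /^[ \t]*\[Network\]/); next }
             in_net && /^[ \t]*IPForward[ \t]*=/ { found = 1 }
             END { exit found ? 1 : 0 }' "$f" && basename "$f"
    done
    return 0
}

# Constructed sample: the flag values and .network file quoted in the thread,
# plus a second (hypothetical) file that sets IPForward explicitly.
make_sample_tree() {
    root=$(mktemp -d)
    conf=$root/proc/sys/net/ipv4/conf
    mkdir -p "$conf/all" "$conf/default" "$conf/enp0s3" "$conf/lo" "$root/network"
    echo 1 > "$root/proc/sys/net/ipv4/ip_forward"
    for i in all default lo; do echo 1 > "$conf/$i/forwarding"; done
    echo 0 > "$conf/enp0s3/forwarding"
    printf '[Match]\nName=en*\n\n[Network]\nDHCP=ipv4\n' > "$root/network/80-dhcp.network"
    printf '[Match]\nName=wl*\n\n[Network]\nDHCP=yes\nIPForward=yes\n' > "$root/network/90-wlan.network"
    echo "$root"
}

sample=$(make_sample_tree)
echo "mismatched interfaces: $(forwarding_mismatches "$sample/proc")"
echo "files without IPForward=: $(networks_without_ipforward "$sample/network")"
rm -rf "$sample"
```

On a live host, pass `/proc` to the first function and `/etc/systemd/network` to the second.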

