[systemd-bugs] [Bug 89269] New: systemd-networkd: could not enable IP masquerading until iptables is touched
bugzilla-daemon at freedesktop.org
Sat Feb 21 11:37:48 PST 2015
https://bugs.freedesktop.org/show_bug.cgi?id=89269
Bug ID: 89269
Summary: systemd-networkd: could not enable IP masquerading until iptables is touched
Product: systemd
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)
Status: NEW
Severity: major
Priority: medium
Component: general
Assignee: systemd-bugs at lists.freedesktop.org
Reporter: wolf.ramovsky at gmail.com
QA Contact: systemd-bugs at lists.freedesktop.org
Description:
I was playing around with systemd-nspawn containers and the new systemd-219 feature:
default masquerading of veth'ed (started with --network-veth) containers, and
faced weird systemd-networkd behaviour.
systemd-networkd could not enable or disable IP masquerading (and do any other
firewall-related things like forwarding, I suppose) if iptables hasn't been
touched in any way since boot time.
How to reproduce:
The most important prerequisite here is that iptables hasn't been touched
since boot time. iptables shouldn't be touched either by iptables-load from
iptables.service or manually from the console.
Run
# iptables-save
and its output should be completely empty. Not tables with empty rules; just no
output at all.
1. Then prepare some distro in some directory to use with nspawn.
2. Start systemd-networkd on host.
3. Boot container with -n (--network-veth) option:
# systemd-nspawn -n -b -D $path_to_container
4. Try to ping from container: ping won't be able to reach anything.
5. See systemd-networkd status on host:
# systemctl status systemd-networkd
It will report:
systemd-networkd: ve-%containername% : Could not enable IP masquerading:
Protocol not avaliable
6. Turn off container.
7. Touch iptables, e.g.:
# iptables -t nat --list
After you have touched iptables in such a way, iptables-save will output tables
with an empty set of rules.
8. Now boot the container and try to ping: voilà, it pings!
9. Check systemd-networkd status: there are no complaints now.
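A small check for the precondition the report depends on, added here as an example and not part of the original bug report: it classifies `iptables-save` output as no output at all, tables with empty rule sets, or tables with rules. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Classify iptables-save output read from stdin:
#   untouched    - no tables at all (the state required before step 1)
#   empty-tables - tables are present but hold no rules (state after step 7)
#   has-rules    - at least one "-A" rule line is present
classify_iptables_state() {
    awk '
        /^\*/                        { tables++ }  # "*nat", "*filter": table header
        /^(\[[0-9]+:[0-9]+\] )?-A /  { rules++ }   # rule, with or without -c counters
        END {
            if (rules > 0)       print "has-rules"
            else if (tables > 0) print "empty-tables"
            else                 print "untouched"
        }'
}

# Succeeds only if the nat table appears in the iptables-save output on stdin.
nat_table_present() {
    grep -q '^\*nat$'
}

# Constructed sample: iptables-save output once the nat table has been listed.
SAMPLE_EMPTY_TABLES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Constructed sample: the same table with one masquerading rule (made-up subnet).
SAMPLE_WITH_RULE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/28 -j MASQUERADE
COMMIT'

# On a real host, as root:  iptables-save | classify_iptables_state
printf 'no output:    %s\n' "$(printf '' | classify_iptables_state)"
printf 'empty tables: %s\n' "$(printf '%s\n' "$SAMPLE_EMPTY_TABLES" | classify_iptables_state)"
printf 'with a rule:  %s\n' "$(printf '%s\n' "$SAMPLE_WITH_RULE" | classify_iptables_state)"
```

Running it before booting the container and again after the `iptables -t nat --list` step shows which of the two states from the report the host is in.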