[systemd-devel] [PATCH v2] networkd: do not change kernel forwarding parameters when IPForwarding is unset

Lennart Poettering lennart at poettering.net
Fri May 15 13:02:51 PDT 2015


On Fri, 15.05.15 12:56, Michael Marineau (michael.marineau at coreos.com) wrote:

> (build time option to ./configure that is)

I guess I'd be OK with that...
> 
> On Fri, May 15, 2015 at 12:55 PM, Michael Marineau
> <michael.marineau at coreos.com> wrote:
> > On Fri, May 15, 2015 at 12:52 PM, Lennart Poettering
> > <lennart at poettering.net> wrote:
> >> On Fri, 15.05.15 12:42, Michael Marineau (michael.marineau at coreos.com) wrote:
> >>
> >>> On Fri, May 15, 2015 at 12:18 PM, Lennart Poettering
> >>> <lennart at poettering.net> wrote:
> >>> > On Fri, 15.05.15 12:08, Nick Owens (nick.owens at coreos.com) wrote:
> >>> >
> >>> >> In 5a8bcb674f71a20e95df55319b34c556638378ce, IPForwarding was introduced
> >>> >> to set forwarding flags on interfaces in .network files. networkd sets
> >>> >> forwarding options regardless of the previous setting, even if it was
> >>> >> set by e.g. sysctl. This commit makes IPForwarding not change forwarding
> >>> >> settings, so that systems using sysctl continue to work even if
> >>> >> IPForwarding is unset in their .network files.
> >>> >>
> >>> >> See https://bugs.freedesktop.org/show_bug.cgi?id=89509 for the initial
> >>> >> bug report.
> >>> >
> >>> > I think there should be an explicit way to enable the "kernel default
> >>> > mode", i.e. the parser for this one option should consider a special
> >>> > value "kernel" or so to explicitly ask for the kernel default.
> >>> >
> >>> > I'd still prefer if we'd default to ip forwarding off, rather than ip
> >>> > forwarding as kernel default, for security reasons.
> >>>
> >>> Well, in CoreOS we *have* to use the kernel default if the value is
> >>> unset, there simply is no way to safely upgrade existing systems to
> >>> the new configuration scheme from the old sysctl one. The semantics of
> >>> the two are too different. Even if there was a reasonable translation
> >>> we are not in the business of modifying user configs.
> >>
> >> Well, but I think I would prefer if upstream would default to "off",
> >> even if coreos then deviates from that and defaults to "kernel"...
> >
> > Fair enough, should it be an option to configure then?
> 


Lennart

-- 
Lennart Poettering, Red Hat
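The disagreement above is about what networkd should do with the interface forwarding sysctl when IPForwarding= is absent from a .network file: clobber it with a fixed default ("off", Lennart's preference) or leave whatever sysctl already set ("kernel default", CoreOS's requirement), with an explicit IPForwarding=kernel value as a third option. The following is an added illustration written for this page, not networkd's code and not the patch under discussion. It models a single per-interface IPv4 forwarding sysctl as a dictionary, parses a minimal .network fragment with configparser, and returns what would be written. The "kernel" keyword and the default_policy knob are the proposed semantics from the thread, not an existing networkd feature; the sample files are constructed.

```python
"""Illustrate 'default off' vs 'kernel default' handling of IPForwarding=.

Added example for the systemd-devel thread; it is not networkd code.
The value "kernel" and the default_policy knob model the proposal in the
thread and do not exist in networkd.
"""
import configparser
from typing import Dict, Optional

TRUE_WORDS = {"yes", "true", "on", "1", "ipv4"}
FALSE_WORDS = {"no", "false", "off", "0"}


def read_ipforwarding(network_text: str) -> Optional[str]:
    """Return the raw IPForwarding= value from [Network], or None if unset."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # .network keys are case-sensitive
    parser.read_string(network_text)
    return parser.get("Network", "IPForwarding", fallback=None)


def decide_forwarding(network_text: str, default_policy: str = "off") -> Optional[str]:
    """Decide what to write to net.ipv4.conf.<iface>.forwarding.

    Returns "1" or "0" to write that value, or None to leave the sysctl alone.
    default_policy is the hypothetical build-time default discussed in the
    thread: "off" (upstream preference) or "kernel" (CoreOS requirement).
    """
    raw = read_ipforwarding(network_text)
    effective = default_policy if raw is None else raw.strip().lower()
    if effective == "kernel":
        return None  # explicit request to keep the kernel/sysctl state
    if effective in TRUE_WORDS:
        return "1"
    if effective in FALSE_WORDS:
        return "0"
    raise ValueError(f"unrecognised IPForwarding value: {effective!r}")


def apply_forwarding(sysctl: Dict[str, str], iface: str, network_text: str,
                     default_policy: str = "off") -> Dict[str, str]:
    """Apply the decision to a dict standing in for /proc/sys/net/ipv4/conf."""
    key = f"net.ipv4.conf.{iface}.forwarding"
    decision = decide_forwarding(network_text, default_policy)
    state = dict(sysctl)
    if decision is not None:
        state[key] = decision
    return state


# Constructed sample inputs: a system whose sysctl.d already enabled
# forwarding, and two .network files, one without IPForwarding= and one
# with the proposed explicit "kernel" value.
SYSCTL_FROM_SYSCTL_D = {"net.ipv4.conf.eth0.forwarding": "1"}
NETWORK_UNSET = "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n"
NETWORK_KERNEL = "[Match]\nName=eth0\n\n[Network]\nIPForwarding=kernel\n"
NETWORK_YES = "[Match]\nName=eth0\n\n[Network]\nIPForwarding=yes\n"

if __name__ == "__main__":
    # The bug report scenario: unset key plus "default off" overwrites sysctl.
    print(apply_forwarding(SYSCTL_FROM_SYSCTL_D, "eth0", NETWORK_UNSET, "off"))
    # CoreOS-style default: unset key leaves the sysctl value untouched.
    print(apply_forwarding(SYSCTL_FROM_SYSCTL_D, "eth0", NETWORK_UNSET, "kernel"))
```

Running it shows the two behaviours side by side: with default_policy="off" the pre-existing "1" from sysctl.d is silently replaced by "0", which is exactly the upgrade hazard described in the thread, while default_policy="kernel" or an explicit IPForwarding=kernel leaves it alone.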

