[systemd-devel] ip forwarding

Johannes Ernst johannes.ernst at gmail.com
Thu Nov 5 23:11:51 PST 2015 

This makes my point. The default = 0 is counter intuitive and costs much time for the lucky ones among us who can figure it out. The rest will just give up...

Sent from my iPad.

> On Nov 5, 2015, at 22:32, Peter Paule <systemd-devel at fedux.org> wrote:
> 
> Hi Johannes,
> 
> I had the same problem, I even wrote an article about that
> (https://www.fedux.org/articles/2015/09/09/having-no-fun-with-rubygems-systemd-docker-and-networking.html).
> 
> I think, you use `systemd-networkd`. Correct? The behaviour is documented
> in "systemd.network-manual".
> 
>  Note: unless this option is turned on, or set to “kernel”, no IP
>  forwarding is done on this interface, even if this is globally turned on
>  in the kernel, with the net.ipv4.ip_forward,
>  net.ipv4.conf.all.forwarding, and net.ipv6.conf.all.forwarding sysctl
>  options.
> 
> I took me by surprise, too. But a new tool needs some learning.
> Unfortunately. Though I would suggest to add some example to the manual
> `systemd.network` or at least add a comment like that.
> 
> ~~~
> Example 2. /etc/systemd/network/80-dhcp.network
> 
> [Match]
> Name=en*
> 
> [Network]
> DHCP=yes
> # enable ip forwarding for that interface, defaults to "no"
> # IPForward=yes
> ~~~
> 
> Cheers,
> Dennis
> 
> Excerpts from Johannes Ernst's message of 2015-11-05 16:08:26 -0800:
>> TL;DR: I propose to have IPForward default to “no change”, rather than 0, as 0 has unexpected consequences for non-expert users.
>> 
>> Details: A few months ago there where some threads about ip_forwarding needing a toggle from 1 to 0 and back to 1 before it would work. [1][2][3]
>> 
>> It appears I found the reason for this. With "net.ipv4.ip_forward = 1” in sysctl.d, after a fresh boot:
>> 
>>> for i in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/*/forwarding; do echo -n $i: ; cat $i; done
>>    /proc/sys/net/ipv4/ip_forward:1
>>    /proc/sys/net/ipv4/conf/all/forwarding:1
>>    /proc/sys/net/ipv4/conf/default/forwarding:1
>>    /proc/sys/net/ipv4/conf/enp0s3/forwarding:0    <= Why?
>>    /proc/sys/net/ipv4/conf/lo/forwarding:1
>> 
>> If I then do the toggle dance:
>> 
>>> sysctl net.ipv4.ip_forward=0
>>> sysctl net.ipv4.ip_forward=1
>> 
>> I get what I expected in the first place:
>> 
>>    /proc/sys/net/ipv4/ip_forward:1
>>    /proc/sys/net/ipv4/conf/all/forwarding:1
>>    /proc/sys/net/ipv4/conf/default/forwarding:1
>>    /proc/sys/net/ipv4/conf/enp0s3/forwarding:1
>>    /proc/sys/net/ipv4/conf/lo/forwarding:1
>> 
>> Adding net.ipv4.conf.enp0s3.forwarding = 1 to sysctl.d does not have the desired effect.
>> 
>> Turns out my innocent-looking .network file is the culprit:
>> 
>>    [Match]
>>    Name=en*
>> 
>>    [Network]
>>    DHCP=ipv4
>> 
>> Without that file, after boot the enp0s3 flag remains 1 as expected.
>> 
>> The problem: I thought I created that file to say “get an IP address via DHCP” because that’s all it talks about. But due to the IPForward default, I also specified “and turn off ip forwarding”, which is non-obvious (e.g. I just found out, and I originally ran into this in June). So I suggest the default should be “don’t touch this setting” instead of 0.
>> 
>> Cheers,
>> 
>> 
>> 
>> Johannes.
>> 
>> 
>> [1] http://lists.freedesktop.org/archives/systemd-devel/2015-June/033239.html
>> [2] http://lists.freedesktop.org/archives/systemd-devel/2015-July/033738.html
>> [3] https://github.com/systemd/systemd/issues/468
>> 
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel

More information about the systemd-devel mailing list