[systemd-devel] Recommended way to enable IPForward for a system using networkd?

Lennart Poettering lennart at poettering.net
Fri Aug 3 11:31:24 UTC 2018


On Do, 02.08.18 10:17, Filipe Brandenburger (filbranden at google.com) wrote:

> So, IPForward is a global setting and yet with networkd it needs to be
> attached to an interface...
> 
> What's the best way to enable it on a system, that's general enough and
> won't really depend on the existing interface configurations (let's assume
> those will be managed separately through drop-ins somehow...)
> 
> I tried creating an /etc/systemd/network/99-forwarding.network with the
> configuration and no match:
> 
>   [Network]
>   IPForward=yes
> 
> But that doesn't work since all the network interfaces get a match earlier
> on...
> 
> Using an earlier file would risk clobbering the actual configuration of
> real interfaces...
> 
> Since the setting is global anyways... Would it make sense to recognize it
> in networkd.conf?
> 
> Or am I missing an obvious way to set this up that would work regardless of
> which *.network files are used to configure the interfaces?

So in the kernel the flag is a bit weird, as it exists twice: once
globally and once per-interface, and the relationship is just
strange. Moreover, on IPv6 only the per-interface flag exists.

networkd currently was written in a style that the global flag was a
mistake of history, and the per-interface one is the one that
matters and is what users should use. It will touch the global one
only in very limited ways: as soon as one interface wants forwarding
it will turn on the global one if it was off before. It will never
turn it off again. This simplistic logic is also implemented as
there's no clear ownership of the knob, and other network
configuration tools might want to change it too.

Hence, if you want to enable it globally for all interfaces then
networkd won't really help you... for the interfaces networkd manages
it will ensure that the per-interface ip forwarding bool is exactly
on when the .network file says so and not otherwise. This means
turning on the global setting won't bother networkd much, forwarding
will remain off on specific interfaces if the individual .network
files didn't say otherwise.

If you want to turn on the flag for all interfaces managed by
networkd, you'd have to modify the .network file for each (or add a
.d/ dropin for them).

There's currently no concept in networkd for setting options on really
*all* interfaces at once.

Lennart

-- 
Lennart Poettering, Red Hat
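
The per-file drop-in approach described in the reply above, as an added example that is not part of the original message or of systemd. The drop-in file name `50-ipforward.conf` and the function names are assumptions made for this sketch; the directory holding the .network files is passed as an argument.

```shell
#!/bin/sh
# Added example: give every .network file in a directory a drop-in that sets
# IPForward=yes, leaving the .network files themselves untouched.
# DROPIN_NAME is a hypothetical file name chosen for this example.
DROPIN_NAME="50-ipforward.conf"

# add_forward_dropins DIR
# Creates DIR/<name>.network.d/$DROPIN_NAME for each DIR/*.network file.
# A drop-in of that name that already exists is kept as it is, so an
# explicit IPForward=no placed there for one interface is not overwritten.
# Prints the number of drop-ins written.
add_forward_dropins() {
    dir=$1
    written=0
    for netfile in "$dir"/*.network; do
        # With no matches the glob stays literal; skip it.
        [ -f "$netfile" ] || continue
        dropin_dir="$netfile.d"
        dropin="$dropin_dir/$DROPIN_NAME"
        if [ -e "$dropin" ]; then
            continue
        fi
        mkdir -p "$dropin_dir"
        printf '[Network]\nIPForward=yes\n' > "$dropin"
        written=$((written + 1))
    done
    echo "$written"
}

# show_forwarding [CONF_DIR]
# Prints "<interface> <value>" from the kernel's per-interface IPv4 flags,
# to check which interfaces actually ended up with forwarding enabled.
show_forwarding() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    for f in "$conf"/*/forwarding; do
        [ -r "$f" ] || continue
        iface=${f%/forwarding}
        iface=${iface##*/}
        echo "$iface $(cat "$f")"
    done
}

# Run only when a directory is given, e.g.: sh script.sh /etc/systemd/network
if [ "$#" -gt 0 ]; then
    add_forward_dropins "$1"
fi
```

networkd has to re-read its configuration before new drop-ins take effect; `show_forwarding` afterwards lists the per-interface state the kernel reports.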

