
touch-packages team mailing list archive

[Bug 1500992] Re: networkd: Don't reset forwarding unless told to do so in config


To provide internet to VMs and containers, the interface behind which the default gateway sits must have forwarding enabled.
The way this is typically done is that whichever tool sets up a bridge will also set up a NAT entry for IPv4 and will make sure /proc/sys/net/ipv4/ip_forward is set to 1.

This is the standard way of doing things because then you don't have to
know what interface packets will be heading out of, forwarding is just
enabled on all of them and if your NAT rule is properly written (and
ours are), they'll apply to all interfaces too.

Now this all breaks if the outgoing interface is using a non-default
config which disables forwarding at the interface level since that then
ignores the global /proc/sys/net/ipv4/ip_forward knob.

Having the bridge setup tool modify the configuration of all potential
outgoing interfaces to allow forwarding seems completely wrong to me (why
would the script setting up lxcbr0 go and edit your eth0 and wlan0
interfaces?), not to mention, it's not actually possible to know for
sure what interfaces will be outgoing interfaces. You may have some that
don't exist yet (usb stick?).

Even if we somehow did change the bridge setup scripts to go and set
/forwarding to 1 on all interfaces which we guess may be used as
outgoing interfaces, this still wouldn't change the fact that networkd
would go ahead and reset them all to 0 on daemon restart (package update
for example).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1500992

Title:
  networkd: Don't reset forwarding unless told to do so in config

Status in systemd package in Ubuntu:
  Incomplete

Bug description:
  It's been reported by several LXC users that systemd-networkd will
  turn off per-interface forwarding for all network interfaces when it
  starts.

  Presumably upstream expects users to go and manually edit their config
  to allow it when needed.

  This breaks LXC, libvirt, ... anything which ships a bridge that then
  NATs or routes outgoing traffic. Requiring the user to do the config
  change would be a massive regression in user friendliness and having
  lxc, libvirt, ... do it for the user would be a policy violation.

  As a result, I'd recommend we patch systemd to not interfere with
  forwarding unless explicitly configured by the user. This will allow
  all our existing scripts to keep setting things up themselves and have
  it all run fine.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1500992/+subscriptions
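An added check for the failure mode described in this thread (example code, not part of the bug report or of systemd/LXC): it reports when the global ip_forward knob is 1 but the outgoing interface's own conf/IFACE/forwarding knob is 0, which is the state left behind when networkd resets per-interface forwarding. The SYSCTL_ROOT override and the default-route lookup via iproute2 are assumptions made so the check can be run against a constructed sysctl tree as well as a live host.

```shell
#!/bin/sh
# Added example: detect the "global ip_forward=1 but per-interface forwarding=0" state.
# SYSCTL_ROOT is an assumption (defaults to the live sysctl tree) so a constructed
# directory tree can be checked offline.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4}"

# read_knob FILE: print the knob's value with whitespace stripped, or "missing".
read_knob() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'missing'
    fi
}

# check_forwarding IFACE: explain whether forwarded (NAT'd bridge) traffic will
# actually leave through IFACE. Returns 0 if yes, 1 otherwise.
check_forwarding() {
    iface="$1"
    global=$(read_knob "$SYSCTL_ROOT/ip_forward")
    per_if=$(read_knob "$SYSCTL_ROOT/conf/$iface/forwarding")
    if [ "$global" != "1" ]; then
        echo "ip_forward=$global: forwarding is off for every interface"
        return 1
    fi
    if [ "$per_if" = "missing" ]; then
        echo "$iface: no conf/$iface/forwarding knob (interface not present?)"
        return 1
    fi
    if [ "$per_if" = "0" ]; then
        # This is the bug's scenario: the per-interface value wins over ip_forward=1,
        # so the bridge's NAT rule matches but nothing is forwarded out of $iface.
        echo "$iface: conf/$iface/forwarding=0 overrides ip_forward=1; bridge traffic will not be forwarded"
        return 1
    fi
    echo "$iface: forwarding enabled (ip_forward=$global, conf/$iface/forwarding=$per_if)"
    return 0
}

# default_gateway_iface: the interface the IPv4 default route leaves through (assumes iproute2).
default_gateway_iface() {
    ip -4 route show default 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Stand-alone use: check the given interface, or the default-gateway interface if none given.
if [ "$#" -ge 1 ]; then
    check_forwarding "$1"
elif [ -z "$SYSCTL_ROOT_NO_AUTORUN" ] && [ -n "$(default_gateway_iface)" ]; then
    check_forwarding "$(default_gateway_iface)"
fi
```

Run it after a systemd/networkd package update to confirm the default-gateway interface still forwards; a non-zero exit with the "overrides ip_forward=1" message is the symptom reported in the bug.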
