On Wed, Dec 04, 2019 at 01:16:27PM +1100, paul wrote:
> I'm reworking my old VPN server, and will use the Debian 10 AMI in AWS. I've
> noticed that predictable network interface names are enabled for t3 servers,
> but not t2 - I have test setup on a t2.micro and a t3.micro, and only the t3
> has predictable interface names. I'm trying to write up some Ansible
> templates for this new vpn setup.

Actually, predictable interface names are enabled everywhere.  There are
implementation differences between the t2 and t3 instance types that
change udev's behavior with regard to how interface names are chosen.

The ENA network device used on t3 instances appears on the PCI bus of
the instance.  So when udev inspects the device, it finds information
that it uses to derive a consistent name for the device (see 'udevadm
info /sys/class/net/ens5' for the information that it works from).

T2 instances are based on Xen and use the Xen netfront (vif) interface.
These interfaces aren't PCI devices, so udev can't generate a name based
on the PCI bus ID. Compare the 'udevadm info' output for a t2 with that
of a t3.  Because Debian doesn't enable the MAC address based naming
scheme, udev ends up leaving the kernel's interface name in place on t2.

> I don't play around with iptables a lot (my netadmin-fu is weak), but what's
> the best way to go about writing a set of firewall rules that will satisfy
> both an eth0 and an ens5? Just simply duplicate the rule for each naming
> type? Disable predictable names somehow (google is confusing on how,
> exactly)? I'd like to end up with a template that 'just works' without
> having to know about this t2/t3 difference issue. It's not the end of the
> world if I can't, but I'd like to avoid surprising 'future me' down the
> road.

You can disable predictable interface naming by passing "net.ifnames=0"
to the kernel command line (edit /etc/default/grub) if you want to
disable interface renaming completely.  But a better approach would be
to update your firewall configuration to not hardcode a specific
interface name.  You probably can get what you want by identifying the
interface associated with your default route, which you can get reliably
with "ip -o route show default".

noah
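One way to act on this advice, as an added example that is not part of the list thread: derive the uplink interface from the default route and template the rules around it, so the same file works whether the kernel calls it eth0 (t2/Xen netfront) or ens5 (t3/ENA). The route line below is a constructed sample, and the VPN port and rule set are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the list message): pick the interface from the
# default route instead of hardcoding eth0 or ens5, then render rules for it.

# Print the interface from 'ip -o route show default' output read on stdin.
# Only the first default route is used; extra fields (proto, src, metric)
# are ignored, and nothing is printed if no 'dev' field is present.
default_iface() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Live lookup on a real host (assumes iproute2's ip(8) is installed).
live_default_iface() {
    ip -o route show default 2>/dev/null | default_iface
}

# Emit an iptables-restore style rule set bound to the given interface.
# Nothing is applied here; review the output or pipe it to iptables-restore.
render_rules() {
    iface=$1
    vpn_port=${2:-51820}   # assumed VPN listener port, adjust to your setup
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $iface -p tcp --dport 22 -j ACCEPT
-A INPUT -i $iface -p udp --dport $vpn_port -j ACCEPT
COMMIT
EOF
}

# Constructed sample of 'ip -o route show default' on a t3 (ENA) instance.
SAMPLE_ROUTE='default via 172.31.0.1 dev ens5 proto dhcp src 172.31.5.10 metric 100'

# Demonstration on the sample; on a real host use "$(live_default_iface)" instead.
render_rules "$(printf '%s\n' "$SAMPLE_ROUTE" | default_iface)"
```

Because the interface name is resolved at render time, the same template produces `-i eth0` rules on a t2 and `-i ens5` rules on a t3 without duplicating anything.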
