Hello all,

CC'ing Josh as he works with networkd a lot and was rather interested in its integration into Debian.

Upstream networkd (and in Debian up to now) defaults to IPForward=no (see man systemd.network), i.e. if you configure a network interface through networkd without explicitly setting IPForward=, the per-interface setting (/proc/sys/net/ipv{4,6}/conf/iface/forwarding) will be disabled. This has the effect that all packages which do something like "echo 1 > /proc/sys/net/ipv4/ip_forward" in their init scripts, postinst, etc. (and we have a lot: [1]) stop working, as the per-interface setting naturally overrides the global config.

This is a rather major issue at least for Ubuntu users with LXC, so for now I applied a patch in Ubuntu [2] to change the default to "kernel". The kernel's default is also to disable forwarding, but with that packages or the admin retain the option to enable/disable forwarding globally. I must say I don't like patching networkd, but after discussing other possible alternatives [3] I don't see a better way.

Is this something which we also want in Debian? My gut feeling says "yes", but that hasn't always been correct lately :-)

The alternative is to document it, something like:

If you install a package that tries to enable IP forwarding, please add "IPForward=yes" to the .network file that covers your default route (if you aren't sure, add it to all of them). Conversely, if you remove such a package, remove the IPForward setting again, or change it to "no".

Aside from the fact that almost no user will actually look in /usr/share/doc/systemd/README.Debian when this happens, this is utterly complicated and not something which you could ever "sell" as a solution.

I experimented with something like /run/systemd/network/{00,zz}_enable_forwarding.network, but *.network files aren't additive in that way, you can only ever have one that applies to a particular interface. And changing all *.network files programmatically from various init scripts is of course a big no-go. So there doesn't seem to be a better way to do this right now.

Ideas muchly appreciated of course! Opinions?

Thanks,

Martin

[1] http://codesearch.debian.net/perpackage-results/proc.*net.*ip_forward
[2] http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=ubuntu&id=2c83d8ed8e50c
[3] https://github.com/systemd/systemd/issues/1411

--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
_______________________________________________
Pkg-systemd-maintainers mailing list
Pkg-systemd-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
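
Added example, not part of the original mail or of systemd: a shell check for the state the mail describes, listing interfaces whose IPv4 forwarding is 0 while the global ip_forward switch is 1, and the .network files that carry no explicit IPForward= line. The function names and the root-directory parameter are hypothetical, and the sample tree is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original mail). All sample data is constructed.

# List interfaces whose IPv4 forwarding is 0 although global ip_forward is 1.
# $1: filesystem root to inspect ("/" on a live host; hypothetical parameter).
ipv4_forward_mismatch() {
    sys="${1%/}/proc/sys/net/ipv4"
    [ "$(cat "$sys/ip_forward" 2>/dev/null)" = "1" ] || return 0
    for f in "$sys"/conf/*/forwarding; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        case $iface in all|default) continue ;; esac
        if [ "$(cat "$f")" = "0" ]; then echo "$iface"; fi
    done
}

# List .network files in directory $1 that carry no explicit IPForward= line,
# i.e. the ones that receive networkd's built-in default.
network_files_without_ipforward() {
    for n in "$1"/*.network; do
        [ -f "$n" ] || continue
        grep -Eq '^[[:space:]]*IPForward[[:space:]]*=' "$n" || basename "$n"
    done
}

# Build a constructed tree: global switch on, eth0 forced off, lxcbr0 on.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/proc/sys/net/ipv4/conf/eth0" "$r/proc/sys/net/ipv4/conf/lxcbr0" \
             "$r/proc/sys/net/ipv4/conf/all" "$r/etc/systemd/network"
    echo 1 > "$r/proc/sys/net/ipv4/ip_forward"
    echo 1 > "$r/proc/sys/net/ipv4/conf/all/forwarding"
    echo 0 > "$r/proc/sys/net/ipv4/conf/eth0/forwarding"
    echo 1 > "$r/proc/sys/net/ipv4/conf/lxcbr0/forwarding"
    printf '[Match]\nName=eth0\n[Network]\nDHCP=yes\n' > "$r/etc/systemd/network/10-eth0.network"
    printf '[Match]\nName=lxcbr0\n[Network]\nIPForward=yes\n' > "$r/etc/systemd/network/20-lxcbr0.network"
    echo "$r"
}

root=$(make_sample_root)
echo "forwarding off despite ip_forward=1: $(ipv4_forward_mismatch "$root")"
echo "no explicit IPForward=: $(network_files_without_ipforward "$root/etc/systemd/network")"
rm -rf "$root"
```

On a live host, pass `/` to the first function and each networkd configuration directory in turn to the second.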