Re: [systemd-devel] ip forwarding

2015-11-06 Thread Reindl Harald



On 06.11.2015 at 08:11, Johannes Ernst wrote:

This makes my point. The default = 0 is counter intuitive and costs much time 
for the lucky ones among us who can figure it out. The rest will just give up...


Defaults should have security in mind; most setups don't need it enabled, 
and the ones who will just give up don't understand what they are 
doing anyway, so they had better not mess with it.


(No, I am not a systemd developer, but I have been a developer and sysadmin for many years.)


On Nov 5, 2015, at 22:32, Peter Paule wrote:

Hi Johannes,

I had the same problem, I even wrote an article about that
(https://www.fedux.org/articles/2015/09/09/having-no-fun-with-rubygems-systemd-docker-and-networking.html).

I think you use `systemd-networkd`. Correct? The behaviour is documented
in the "systemd.network" manual:

  Note: unless this option is turned on, or set to “kernel”, no IP
  forwarding is done on this interface, even if this is globally turned on
  in the kernel, with the net.ipv4.ip_forward,
  net.ipv4.conf.all.forwarding, and net.ipv6.conf.all.forwarding sysctl
  options.

It took me by surprise, too. But a new tool needs some learning,
unfortunately. Though I would suggest adding an example to the
`systemd.network` manual, or at least a comment like that.




___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
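An added example, not code from the thread or from systemd: a small POSIX shell audit that reads the per-interface forwarding knobs under /proc/sys and reports the state the quoted manual text describes, a global net.ipv4.ip_forward=1 (which is net.ipv4.conf.all.forwarding) next to an interface still at 0 because its .network file left IPForward= unset. The script name, and the interface names in the constructed tree used by the test, are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: report interfaces whose
# per-interface forwarding flag disagrees with the global one. That is
# the state the quoted manual text describes: net.ipv4.ip_forward=1 set
# through sysctl, while an interface configured by a .network file that
# leaves IPForward= unset stays at 0.
#
# Usage: sh audit_forwarding.sh [sysctl-root]
# sysctl-root defaults to /proc/sys; passing another directory lets the
# same logic run against a constructed tree (assumed layout below).

# read_knob FILE: print the file's value with whitespace stripped, or
# "-" when it is absent or unreadable.
read_knob() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf '%s' '-'
    fi
}

# audit_forwarding ROOT: for IPv4 and IPv6, compare
# net.<family>.conf.all.forwarding with net.<family>.conf.<iface>.forwarding
# for every real interface. Prints one line per mismatch and returns 1
# when any was found, 0 otherwise.
audit_forwarding() {
    root="${1:-/proc/sys}"
    mismatches=0
    for family in ipv4 ipv6; do
        global=$(read_knob "$root/net/$family/conf/all/forwarding")
        for dir in "$root/net/$family/conf"/*; do
            [ -d "$dir" ] || continue
            iface="${dir##*/}"
            # "all" is the global knob, "default" is the template for new
            # interfaces, and lo is not a forwarding interface here; skip them.
            case "$iface" in all|default|lo) continue ;; esac
            val=$(read_knob "$dir/forwarding")
            if [ "$val" != "$global" ]; then
                printf '%s %s global=%s iface=%s MISMATCH\n' \
                    "$family" "$iface" "$global" "$val"
                mismatches=$((mismatches + 1))
            fi
        done
    done
    [ "$mismatches" -eq 0 ]
}

# Run only when a root is given on the command line, so that sourcing
# this file just defines the functions.
[ "$#" -eq 0 ] || audit_forwarding "$1"
```

Run it as `sh audit_forwarding.sh /proc/sys` once the network is up; every MISMATCH line names an interface whose state differs from the global sysctl. Running it again after `systemctl restart systemd-sysctl` shows whether reapplying the sysctl changed the per-interface values, which is the unpredictability discussed further down in the thread. The fix the quoted manual offers is to set IPForward=kernel (or IPForward=yes) in the interface's .network file.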


Re: [systemd-devel] ip forwarding

2015-11-06 Thread Reindl Harald



On 06.11.2015 at 10:20, Mantas Mikulėnas wrote:

On Fri, Nov 6, 2015 at 11:09 AM, Reindl Harald wrote:

On 06.11.2015 at 08:11, Johannes Ernst wrote:

This makes my point. The default = 0 is counter intuitive and
costs much time for the lucky ones among us who can figure it
out. The rest will just give up...

Defaults should have security in mind; most setups don't need it
enabled, and the ones who will just give up don't understand what
they are doing anyway, so they had better not mess with it.


The _kernel_ default is also 0 anyway, for both global and per-interface
settings.

The problem is that now you cannot _enable_ it via the usual routes
(sysctl) anymore, because networkd mindlessly overrides that. As a
long-time sysadmin, surely you wouldn't like your explicit configuration
having been broken that way?


OK, *that* must not happen; the place for such settings is sysctl.conf 
or /etc/sysctl.d/.






Re: [systemd-devel] ip forwarding

2015-11-06 Thread Mantas Mikulėnas
On Fri, Nov 6, 2015 at 11:09 AM, Reindl Harald wrote:

>
>
> On 06.11.2015 at 08:11, Johannes Ernst wrote:
>
>> This makes my point. The default = 0 is counter intuitive and costs much
>> time for the lucky ones among us who can figure it out. The rest will just
>> give up...
>>
>
> Defaults should have security in mind; most setups don't need it enabled,
> and the ones who will just give up don't understand what they are doing
> anyway, so they had better not mess with it.
>

The _kernel_ default is also 0 anyway, for both global and per-interface
settings.

The problem is that now you cannot _enable_ it via the usual routes
(sysctl) anymore, because networkd mindlessly overrides that. As a
long-time sysadmin, surely you wouldn't like your explicit configuration
having been broken that way?

-- 
Mantas Mikulėnas 


[systemd-devel] systemd.network defaults (was: Re: ip forwarding)

2015-11-06 Thread Michael Laß
On Thursday, 05.11.2015, 16:08 -0800, Johannes Ernst wrote:
> The problem: I thought I created that file to say “get an IP address
> via DHCP” because that’s all it talks about. But due to the IPForward
> default, I also specified “and turn off ip forwarding”, which is non-
> obvious (e.g. I just found out, and I originally ran into this in
> June). So I suggest the default should be “don’t touch this setting”
> instead of 0.

The same holds for other values I think. I once hit the same problem
with the IPv6PrivacyExtensions setting. I enabled it via sysctl and
wondered why it was disabled for one device, which I had configured
using systemd-networkd.

Although this is clearly documented in the man page I think it would be
less surprising behavior to generally default to kernel for such
configuration items. Is there a specific reason against that?

Cheers,
Michael


Re: [systemd-devel] ip forwarding

2015-11-06 Thread Johannes Ernst
> On Nov 6, 2015, at 1:09, Reindl Harald wrote:
> 
> defaults should have security in mind, …

IMHO the current behavior is actually less secure:

If I set net.ipv4.ip_forward=1, I intentionally set forwarding on all 
interfaces, as documented in countless tutorials, so it’s very unlikely I 
didn’t mean to do that.

But if I set net.ipv4.ip_forward=1 in /etc/sysctl.d, and it only works 
sometimes and on some interfaces, I do have a security problem because it may 
come on when I least expect it. For example, when I execute systemctl restart 
systemd-sysctl.

(Because networkd doesn’t actually “manage” the interface, it only sets certain 
attributes at certain times, which can still be changed outside of networkd any 
time. If net.ipv4.ip_forward were turned into a read-only setting, for example, 
that would be different.)

Cheers,



Johannes.



Re: [systemd-devel] ip forwarding

2015-11-06 Thread Reindl Harald



On 06.11.2015 at 16:43, Johannes Ernst wrote:

On Nov 6, 2015, at 1:09, Reindl Harald wrote:

defaults should have security in mind, …


IMHO the current behavior is actually less secure:


No, it may be unpredictable according to the descriptions below, but for sure not 
less secure.



If I set net.ipv4.ip_forward=1, I intentionally set forwarding on all
interfaces, as documented in countless tutorials, so it’s very unlikely
I didn’t mean to do that.


Depends on the number of networks:

NIC1: wan
NIC2: lan with forwarding / nat
NIC3: SIP phones

NIC3 shouldn't forward, because SIP phones connected to an Asterisk 
typically don't need to touch the internet directly, in either direction.



But if I set net.ipv4.ip_forward=1 in /etc/sysctl.d, and it only works
sometimes and on some interfaces, I do have a security problem because
it may come on when I least expect it. For example, when I execute
systemctl restart systemd-sysctl.

(Because networkd doesn’t actually “manage” the interface, it only sets
certain attributes at certain times, which can still be changed outside
of networkd any time. If net.ipv4.ip_forward were turned into a
read-only setting, for example, that would be different.)


Well, because the sysctl stuff was unpredictable years ago, I solved that 
by simply calling "sysctl -p" after the network is up and never touching 
"systemd-sysctl":


[root@srv-rhsoft:~]$ cat /etc/systemd/system/sysctl-post-network.service
[Unit]
Description=apply settings after network
# order after every unit that brings interfaces up, so "sysctl -p" runs
# once the per-interface knobs under /proc/sys/net/*/conf/ exist
After=network.service systemd-networkd.service network-online.target openvpn.service hostapd.service network-wlan-bridge.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/sysctl -p
ExecStartPost=/usr/sbin/ifconfig wan -multicast -allmulti txqueuelen 100
StandardOutput=null

[Install]
WantedBy=multi-user.target



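An added example, not code from the thread or from systemd, serving both the three-NIC layout above and the IPv6PrivacyExtensions case Michael Laß reports earlier in the thread: the .network files state IPForward= and IPv6PrivacyExtensions= explicitly for every interface, so the outcome never depends on networkd's default, and a lint reports any file in a network directory that leaves those keys unset and would therefore get networkd's own default instead of the sysctl value. The interface names (wan, lan, phones), the documentation-range addresses, the DHCP choice, the script name and the target directory are assumptions for illustration; the key values are the ones the systemd.network manual of the time documents.

```shell
#!/bin/sh
# Added example, not code from the thread: (1) write the per-interface
# policy for the three-NIC layout described above (wan and lan forward,
# the SIP phone segment does not) with IPForward= stated in every file;
# (2) lint a .network directory for files that leave a key unset and so
# get networkd's own default instead of the value set through sysctl.
# Interface names, addresses and the directory are assumptions.

# write_policy DIR: create the three .network files under DIR.
# IPv6PrivacyExtensions= is pinned too, because the thread reports the
# same override surprise for that key; a router wants stable addresses.
write_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/10-wan.network" <<'EOF'
[Match]
Name=wan

[Network]
DHCP=ipv4
IPForward=yes
IPv6PrivacyExtensions=no
EOF
    cat > "$dir/20-lan.network" <<'EOF'
[Match]
Name=lan

[Network]
Address=192.0.2.1/24
IPForward=yes
IPv6PrivacyExtensions=no
EOF
    cat > "$dir/30-phones.network" <<'EOF'
[Match]
Name=phones

[Network]
Address=198.51.100.1/24
IPForward=no
IPv6PrivacyExtensions=no
EOF
}

# has_network_key FILE KEY: succeed when KEY= appears inside the
# [Network] section of FILE (the same key in another section does not count).
has_network_key() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_net = ($0 ~ /^[ \t]*\[Network\][ \t]*$/) }
        in_net && $0 ~ ("^[ \t]*" key "[ \t]*=") { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# lint_network_dir DIR KEY...: print one line per .network file in DIR
# that leaves one of the KEYs unset; return 1 if anything was reported.
lint_network_dir() {
    dir="$1"; shift
    reported=0
    for f in "$dir"/*.network; do
        [ -f "$f" ] || continue
        for key in "$@"; do
            if ! has_network_key "$f" "$key"; then
                printf '%s: %s unset (networkd default applies, not the sysctl value)\n' \
                    "${f##*/}" "$key"
                reported=1
            fi
        done
    done
    [ "$reported" -eq 0 ]
}

# Run only when a directory is given, so sourcing just defines functions:
#   sh network_policy.sh /etc/systemd/network
[ "$#" -eq 0 ] || { write_policy "$1" && lint_network_dir "$1" IPForward IPv6PrivacyExtensions; }
```

Deploying with `sh network_policy.sh /etc/systemd/network` writes the three files and lints the whole directory, so an older DHCP-only file like the one that started the thread is flagged before networkd is restarted. If you keep the sysctl-reapply unit from the post above, note that `sysctl -p` with no file argument reads only /etc/sysctl.conf; `sysctl --system` also walks /etc/sysctl.d/ and the other standard directories.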


[systemd-devel] systemctl switch-root /sysroot without deleting old_root

2015-11-06 Thread Herbert Groll
Hi,

Is there an easy way, in initrd mode, to keep the old root when switching to
the new root? Switching root is done in initrd-switch-root.target with
/bin/systemctl --no-block --force switch-root /sysroot

The reason is that I want to use the ramdisk plus a persistent overlay. The
quick and dirty solution for me would be to patch src/shared/switch-root.c
not to delete the old_root, but I'd rather keep systemd
unpatched. Thanks.

Regards,
Herbert




Re: [systemd-devel] systemd.network defaults (was: Re: ip forwarding)

2015-11-06 Thread Tomasz Torcz
On Fri, Nov 06, 2015 at 11:40:13AM +0100, Michael Laß wrote:
> 
> Although this is clearly documented in the man page I think it would be
> less surprising behavior to generally default to kernel for such
> configuration items. Is there a specific reason against that?

  I believe this is (was) being discussed here:
https://github.com/systemd/systemd/issues/1411

-- 
Tomasz Torcz   72->|   80->|
xmpp: zdzich...@chrome.pl  72->|   80->|



[systemd-devel] FreeBSD leader Jordan Hubbard comments on launchd port and systemd

2015-11-06 Thread Chaiken, Alison
 

http://www.bsdnow.tv/episodes/2015_10_28-Whats_next_for_BSD 

About 40 minutes into the interview. Code is available via NextBSD at
github.

-- Alison 

---
Alison Chaiken  ali...@she-devel.com, 650-279-5600 
http://{ she-devel.com, exerciseforthereader.org }
"There is expressive potential in not being together." -- Mark Volkert,
Assistant Concertmaster, San Francisco Symphony 



[systemd-devel] Property 'MemoryLimit' is RO when using the D-Bus API

2015-11-06 Thread Francis Moreau
Hi,

I'm trying to change the MemoryLimit property of one of the service units
running on my system by using 'busctl set-property ...' but am getting
the following error:

   Property 'MemoryLimit' is not writable.

However using 'systemctl set-property' works as expected.

I thought that 'systemctl set-property' was basically doing the same
D-Bus thing like my former test did but apparently not.

Could anybody enlighten me as to why I can't use busctl to set the MemoryLimit
property, and why 'systemctl set-property' gives a different result?

Thanks
-- 
Francis


Re: [systemd-devel] ip forwarding

2015-11-06 Thread Martin Pitt
Johannes Ernst [2015-11-05 23:11 -0800]:
> This makes my point. The default = 0 is counter intuitive and costs much time 
> for the lucky ones among us who can figure it out. The rest will just give 
> up...

It's less counter-intuitive, but the problem is that it breaks a lot
of existing tools that expect that the global kernel settings actually
work.

Note that this was discussed recently already here, but rejected:
https://github.com/systemd/systemd/issues/1411

Thus at least CoreOS and Ubuntu now change the default to "kernel",
which pretty much DTRT. (I'm still pondering doing that in Debian
too). If you don't explicitly configure it in your .network then the
global setting is applied, and as that defaults to 0 the "secure by
default" aspect is also satisfied.

Martin
-- 
Martin Pitt| http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)


[systemd-devel] DHCPC Events?

2015-11-06 Thread J Decker
I have Arch Linux set up as my router.
It's on a connection that can change the IP that I'm given; when that
happens I need to rerun firewall rules and rebuild my ipv6 tunnel.
How do I run some script or something when the address changes (or
when it's initially given, in the case of boot)?

Also there seems to be no way to specify default ipv6 route for next
hop... ie 'ip -6 route replace ::/0 dev he-ipv6'
It's been a couple of months I've been limping along, so I forget; I
vaguely remember that this should have been set up in the configuration
scripts, but it didn't work unless I did it this way. The initial
method I think was 'add' instead of 'replace', which no longer works (I
think something changed in the kernel that affected that, but I don't
know).