Changing networkd's IPForward= default from "no" to "kernel"?

Martin Pitt mpitt at debian.org
Mon Oct 5 14:53:04 BST 2015


Hello all,

CC'ing Josh as he works with networkd a lot and was rather interested
in its integration into Debian.

upstream networkd (and in Debian up to now) defaults to IPForward=no
(see man systemd.network), i.e. if you configure a network interface
through networkd without explicitly setting IPForward=, the
per-interface setting (/proc/sys/net/ipv{4,6}/conf/iface/forwarding)
will be disabled.

This has the effect that all packages which do something like "echo 1
> /proc/sys/net/ipv4/ip_forward" in their init scripts, postinst, etc.
(and we have a lot: [1]) stop working, as the per-interface setting
naturally overrides the global config.

This is a rather major issue at least for Ubuntu users with LXC, so
for now I applied a patch in Ubuntu [2] to change the default to
"kernel".  The kernel's default is also to disable forwarding, but
with that packages or the admin retain the option to enable/disable
forwarding globally. I must say I don't like patching networkd, but
after discussing other possible alternatives [3] I don't see a better
way.

Is this something which we also want in Debian? My gut feeling says
"yes", but that hasn't always been correct lately :-) The alternative
is to document it something like

  If you install a package that tries to enable IP forwarding, please
  add "IPForward=yes" to the .network file that covers your default
  route (if you aren't sure, add it to all of them). Conversely, if
  you remove such a package, remove the IPForward setting again, or
  change it to "no".

Aside from the fact that almost no user will actually look in
/usr/share/doc/systemd/README.Debian when this happens, this is
utterly complicated and not something which you could ever "sell"
as a solution. I experimented with something like
/run/systemd/network/{00,zz}_enable_forwarding.network, but *.network
files aren't additive in that way, you can only ever have one that
applies to a particular interface. And changing all *.network files
programmatically from various init scripts is of course a big no-go.

So there doesn't seem to be a better way to do this right now. Ideas
muchly appreciated of course!

Opinions?

Thanks,

Martin

[1] http://codesearch.debian.net/perpackage-results/proc.*net.*ip_forward
[2] http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=ubuntu&id=2c83d8ed8e50c
[3] https://github.com/systemd/systemd/issues/1411
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
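The mail's central claim is that the per-interface flag under
/proc/sys/net/ipv4/conf/<iface>/forwarding is what the kernel actually
consults, so a package that writes "1" to the global
/proc/sys/net/ipv4/ip_forward (which fans the value out to every
interface at write time) can still be defeated by a networkd-written
per-interface "0" that lands afterwards. The script below is an added
example, not code from the mail, the Debian package or systemd: it audits
the effective per-interface state and lists interfaces whose flag
disagrees with the global one. The proc-root argument and the fixture
tree (eth0, lxcbr0, the values written into it) are constructed for
offline testing; on a live system call the functions with /proc.

```shell
#!/bin/sh
# Audit effective IPv4 forwarding: compare the global ip_forward value
# against each interface's conf/<iface>/forwarding flag, which is the one
# the forwarding path actually checks. A mismatch means a global
# "echo 1 > ip_forward" has been overridden per interface (or vice versa).

# forwarding_audit PROC_ROOT
# Prints one line per interface: "<iface> global=<g> iface=<f>".
# PROC_ROOT defaults to /proc; a constructed tree can be passed for testing.
forwarding_audit() {
    root=${1:-/proc}
    global=$(cat "$root/sys/net/ipv4/ip_forward")
    for dir in "$root"/sys/net/ipv4/conf/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are control knobs, not real interfaces.
        case "$iface" in all|default) continue ;; esac
        per=$(cat "$dir/forwarding")
        printf '%s global=%s iface=%s\n' "$iface" "$global" "$per"
    done
}

# forwarding_conflicts PROC_ROOT
# Prints the names of interfaces whose per-interface flag differs from
# the global value (the situation described for networkd + LXC).
forwarding_conflicts() {
    forwarding_audit "$1" | while read -r iface g f; do
        if [ "${g#global=}" != "${f#iface=}" ]; then
            echo "$iface"
        fi
    done
}

# make_fixture
# Builds a constructed proc-like tree (test data, not a real system):
# global ip_forward=1 as an LXC postinst would set it, but eth0 has been
# left at 0 by a networkd .network file without IPForward=, while the
# bridge lxcbr0 is at 1. Prints the directory path.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/sys/net/ipv4/conf/all" \
             "$t/sys/net/ipv4/conf/eth0" \
             "$t/sys/net/ipv4/conf/lxcbr0"
    echo 1 > "$t/sys/net/ipv4/ip_forward"
    echo 1 > "$t/sys/net/ipv4/conf/all/forwarding"
    echo 0 > "$t/sys/net/ipv4/conf/eth0/forwarding"
    echo 1 > "$t/sys/net/ipv4/conf/lxcbr0/forwarding"
    echo "$t"
}

# Stand-alone run: audit the live kernel when /proc/sys is available.
if [ -r /proc/sys/net/ipv4/ip_forward ]; then
    forwarding_audit /proc
fi
```

Running `forwarding_conflicts /proc` after a package has enabled global
forwarding is a quick way to see whether networkd (or anything else
managing an interface) has quietly disabled it again on the interface
that carries the default route; an empty list means global and
per-interface state agree.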