mirror of
https://github.com/systemd/systemd.git
synced 2025-01-03 05:18:09 +03:00
network: make IPMasquerade= imply global IP forwarding settings again
After3976c43092
(#31423), IPMasquerade= implies only per-interface IP forwarding. That means, nspawn users need to manually enable IPv4/IPv6Forwarding= in networkd.conf when --network-veth or friend is used. Even the change was announced in NEWS, the change itself breaks backward compatibility and extremely reduces usability. Let's make the setting imply the global setting again. Fixes #34010. (cherry picked from commit0b695febb2
)
This commit is contained in:
parent
0372b780b1
commit
9ab5eba325
@ -131,6 +131,12 @@
|
||||
for more details about the sysctl options. Defaults to unset and the sysctl options will not be
|
||||
changed.</para>
|
||||
|
||||
<para>If an interface is configured with a .network file that enables <varname>IPMasquerade=</varname>
|
||||
for IPv4 (that is, <literal>ipv4</literal> or <literal>both</literal>), this setting is implied
|
||||
unless explicitly specified. See <varname>IPMasquerade=</varname> in
|
||||
<citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
for more details.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v256"/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -145,6 +151,12 @@
|
||||
for more details about the sysctl options. Defaults to unset and the sysctl options will not be
|
||||
changed.</para>
|
||||
|
||||
<para>If an interface is configured with a .network file that enables <varname>IPMasquerade=</varname>
|
||||
for IPv6 (that is, <literal>ipv6</literal> or <literal>both</literal>), this setting is implied
|
||||
unless explicitly specified. See <varname>IPMasquerade=</varname> in
|
||||
<citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
for more details.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v256"/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
@ -888,15 +888,15 @@ DuplicateAddressDetection=none</programlisting></para>
|
||||
<literal>ipv6</literal>, <literal>both</literal>, or <literal>no</literal>. Defaults to
|
||||
<literal>no</literal>. Note. Any positive boolean values such as <literal>yes</literal> or
|
||||
<literal>true</literal> are now deprecated. Please use one of the values above. Specifying
|
||||
<literal>ipv4</literal> or <literal>both</literal> implies <varname>IPv4Forwarding=</varname>,
|
||||
unless it is explicitly specified. Similarly for <varname>IPv6Forwarding=</varname> when
|
||||
<literal>ipv6</literal> or <literal>both</literal> is specified. These implications are only on
|
||||
this interface. Hence, to make the IP packet forwarding works,
|
||||
<varname>IPv4Forwarding=</varname>/<varname>IPv6Forwarding=</varname> need to be enabled on an
|
||||
upstream interface, or globally enabled by specifying them in
|
||||
<citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||
See <varname>IPv4Forwarding=</varname>/<varname>IPv6Forwarding=</varname> in the above for more
|
||||
details.</para>
|
||||
<literal>ipv4</literal> or <literal>both</literal> implies <varname>IPv4Forwarding=</varname>
|
||||
settings in both .network file for this interface and the global
|
||||
<citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
unless they are explicitly specified. Similarly for <varname>IPv6Forwarding=</varname> when
|
||||
<literal>ipv6</literal> or <literal>both</literal> is specified. See
|
||||
<varname>IPv4Forwarding=</varname>/<varname>IPv6Forwarding=</varname> in the above for the per-link
|
||||
settings, and
|
||||
<citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
for the global settings.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v219"/>
|
||||
</listitem>
|
||||
|
@ -7,7 +7,9 @@
|
||||
#include "af-list.h"
|
||||
#include "missing_network.h"
|
||||
#include "networkd-link.h"
|
||||
#include "networkd-lldp-tx.h"
|
||||
#include "networkd-manager.h"
|
||||
#include "networkd-ndisc.h"
|
||||
#include "networkd-network.h"
|
||||
#include "networkd-sysctl.h"
|
||||
#include "socket-util.h"
|
||||
@ -130,7 +132,7 @@ int link_get_ip_forwarding(Link *link, int family) {
|
||||
return link->manager->ip_forwarding[family == AF_INET6];
|
||||
}
|
||||
|
||||
static int link_set_ip_forwarding(Link *link, int family) {
|
||||
static int link_set_ip_forwarding_impl(Link *link, int family) {
|
||||
int r, t;
|
||||
|
||||
assert(link);
|
||||
@ -151,6 +153,65 @@ static int link_set_ip_forwarding(Link *link, int family) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int link_reapply_ip_forwarding(Link *link, int family) {
|
||||
int r, ret = 0;
|
||||
|
||||
assert(link);
|
||||
assert(IN_SET(family, AF_INET, AF_INET6));
|
||||
|
||||
if (!IN_SET(link->state, LINK_STATE_CONFIGURING, LINK_STATE_CONFIGURED))
|
||||
return 0;
|
||||
|
||||
(void) link_set_ip_forwarding_impl(link, family);
|
||||
|
||||
r = link_lldp_tx_update_capabilities(link);
|
||||
if (r < 0)
|
||||
RET_GATHER(ret, log_link_warning_errno(link, r, "Could not update LLDP capabilities, ignoring: %m"));
|
||||
|
||||
if (family == AF_INET6 && !link_ndisc_enabled(link)) {
|
||||
r = ndisc_stop(link);
|
||||
if (r < 0)
|
||||
RET_GATHER(ret, log_link_warning_errno(link, r, "Could not stop IPv6 Router Discovery, ignoring: %m"));
|
||||
|
||||
ndisc_flush(link);
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int link_set_ip_forwarding(Link *link, int family) {
|
||||
int r;
|
||||
|
||||
assert(link);
|
||||
assert(link->manager);
|
||||
assert(link->network);
|
||||
assert(IN_SET(family, AF_INET, AF_INET6));
|
||||
|
||||
if (!link_is_configured_for_family(link, family))
|
||||
return 0;
|
||||
|
||||
/* When IPMasquerade= is enabled and the global setting is unset, enable _global_ IP forwarding, and
|
||||
* re-apply per-link setting for all links. */
|
||||
if (FLAGS_SET(link->network->ip_masquerade, family == AF_INET ? ADDRESS_FAMILY_IPV4 : ADDRESS_FAMILY_IPV6) &&
|
||||
link->manager->ip_forwarding[family == AF_INET6] < 0) {
|
||||
|
||||
link->manager->ip_forwarding[family == AF_INET6] = true;
|
||||
manager_set_ip_forwarding(link->manager, family);
|
||||
|
||||
Link *other;
|
||||
HASHMAP_FOREACH(other, link->manager->links_by_index) {
|
||||
r = link_reapply_ip_forwarding(other, family);
|
||||
if (r < 0)
|
||||
link_enter_failed(other);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Otherwise, apply per-link setting for _this_ link. */
|
||||
return link_set_ip_forwarding_impl(link, family);
|
||||
}
|
||||
|
||||
static int link_set_ipv4_rp_filter(Link *link) {
|
||||
assert(link);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user