<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>IPv4Forwarding=</varname></term>
+ <listitem>
+ <para>Configures IPv4 packet forwarding for the system. Takes a boolean value. This controls the
+ <filename>net.ipv4.conf.default.forwarding</filename> and
+ <filename>net.ipv4.conf.all.forwarding</filename>sysctl options. See
+ <ulink url="https://docs.kernel.org/networking/ip-sysctl.html">IP Sysctl</ulink>
+ for more details about the sysctl options. Defaults to unset and the sysctl options will not be
+ changed.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv6Forwarding=</varname></term>
+ <listitem>
+ <para>Configures IPv6 packet forwarding for the system. Takes a boolean value. This controls the
+ <filename>net.ipv6.conf.default.forwarding</filename> and
+ <filename>net.ipv6.conf.all.forwarding</filename> sysctl options. See
+ <ulink url="https://docs.kernel.org/networking/ip-sysctl.html">IP Sysctl</ulink>
+ for more details about the sysctl options. Defaults to unset and the sysctl options will not be
+ changed.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>IPv6PrivacyExtensions=</varname></term>
<listitem>
</varlistentry>
<varlistentry>
- <term><varname>IPForward=</varname></term>
- <listitem>
- <para>Configures IP packet forwarding for the system. If enabled, incoming packets on any
- network interface will be forwarded to any other interfaces according to the routing table.
- Takes a boolean, or the values <literal>ipv4</literal> or <literal>ipv6</literal>, which only
- enable IP packet forwarding for the specified address family. This controls the
- <filename>net.ipv4.ip_forward</filename> and <filename>net.ipv6.conf.all.forwarding</filename>
- sysctl options of the network interface (see
+ <term><varname>IPv4Forwarding=</varname></term>
+ <listitem>
+ <para>Configures IPv4 packet forwarding for the interface. Takes a boolean value. This controls the
+ <filename>net.ipv4.conf.<replaceable>INTERFACE</replaceable>.forwarding</filename> sysctl option of
+ the network interface. See
<ulink url="https://docs.kernel.org/networking/ip-sysctl.html">IP Sysctl</ulink>
- for details about sysctl options). Defaults to <literal>no</literal>.</para>
+ for more details about the sysctl option. Defaults to true if <varname>IPMasquerade=</varname> is
+ enabled for IPv4, otherwise the value specified to the same setting in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ will be used. If none of them are specified, the sysctl option will not be changed.</para>
+
+ <para>To control the global setting, use the same setting in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
- <para>Note: this setting controls a global kernel option, and does so one way only: if a
- network that has this setting enabled is set up the global setting is turned on. However,
- it is never turned off again, even after all networks with this setting enabled are shut
- down again.</para>
+ <varlistentry>
+ <term><varname>IPv6Forwarding=</varname></term>
+ <listitem>
+ <para>Configures IPv6 packet forwarding for the interface. Takes a boolean value. This controls the
+ <filename>net.ipv6.conf.<replaceable>INTERFACE</replaceable>.forwarding</filename> sysctl option of
+ the network interface. See
+ <ulink url="https://docs.kernel.org/networking/ip-sysctl.html">IP Sysctl</ulink>
+ for more details about the sysctl option. Defaults to true if <varname>IPMasquerade=</varname> is
+ enabled for IPv6 or <varname>IPv6SendRA=</varname> is enabled, otherwise the value specified to the
+ same setting in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ will be used. If none of them are specified, the sysctl option will not be changed.</para>
- <para>To allow IP packet forwarding only between specific network interfaces use a firewall.
+ <para>To control the global setting, use the same setting in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para>
- <xi:include href="version-info.xml" xpointer="v219"/>
+ <xi:include href="version-info.xml" xpointer="v256"/>
</listitem>
</varlistentry>
<para>Configures IP masquerading for the network interface. If enabled, packets forwarded
from the network interface will be appear as coming from the local host. Takes one of
<literal>ipv4</literal>, <literal>ipv6</literal>, <literal>both</literal>, or
- <literal>no</literal>. Defaults to <literal>no</literal>. If enabled, this automatically sets
- <varname>IPForward=</varname> to one of <literal>ipv4</literal>, <literal>ipv6</literal> or
- <literal>yes</literal>.</para>
+ <literal>no</literal>. Defaults to <literal>no</literal>.</para>
<para>Note. Any positive boolean values such as <literal>yes</literal> or
<literal>true</literal> are now deprecated. Please use one of the values in the above.</para>
Network.ManageForeignRoutes, config_parse_bool, 0, offsetof(Manager, manage_foreign_routes)
Network.ManageForeignNextHops, config_parse_bool, 0, offsetof(Manager, manage_foreign_nexthops)
Network.RouteTable, config_parse_route_table_names, 0, 0
+Network.IPv4Forwarding, config_parse_tristate, 0, offsetof(Manager, ip_forwarding[0])
+Network.IPv6Forwarding, config_parse_tristate, 0, offsetof(Manager, ip_forwarding[1])
Network.IPv6PrivacyExtensions, config_parse_ipv6_privacy_extensions, 0, offsetof(Manager, ipv6_privacy_extensions)
DHCPv4.DUIDType, config_parse_duid_type, 0, offsetof(Manager, dhcp_duid)
DHCPv4.DUIDRawData, config_parse_duid_rawdata, 0, offsetof(Manager, dhcp_duid)
#include "networkd-link.h"
#include "networkd-lldp-tx.h"
#include "networkd-manager.h"
+#include "networkd-sysctl.h"
#include "parse-util.h"
#include "string-table.h"
#include "string-util.h"
SD_LLDP_SYSTEM_CAPABILITIES_STATION |
SD_LLDP_SYSTEM_CAPABILITIES_BRIDGE |
SD_LLDP_SYSTEM_CAPABILITIES_ROUTER,
- (link->network->ip_forward != ADDRESS_FAMILY_NO) ?
- SD_LLDP_SYSTEM_CAPABILITIES_ROUTER :
- SD_LLDP_SYSTEM_CAPABILITIES_STATION);
+ (link_get_ip_forwarding(link, AF_INET) > 0 || link_get_ip_forwarding(link, AF_INET6) > 0) ?
+ SD_LLDP_SYSTEM_CAPABILITIES_ROUTER : SD_LLDP_SYSTEM_CAPABILITIES_STATION);
if (r < 0)
return r;
.dhcp_duid.type = DUID_TYPE_EN,
.dhcp6_duid.type = DUID_TYPE_EN,
.duid_product_uuid.type = DUID_TYPE_UUID,
+ .ip_forwarding = { -1, -1, },
};
*ret = TAKE_PTR(m);
assert(m);
+ manager_set_sysctl(m);
+
r = manager_start_speed_meter(m);
if (r < 0)
return log_error_errno(r, "Failed to initialize speed meter: %m");
Hashmap *tuntap_fds_by_name;
unsigned reloading;
+
+ /* sysctl */
+ int ip_forwarding[2];
};
int manager_new(Manager **ret, bool test_mode);
#include "networkd-queue.h"
#include "networkd-route.h"
#include "networkd-state-file.h"
+#include "networkd-sysctl.h"
#include "string-table.h"
#include "string-util.h"
#include "strv.h"
if (!link_may_have_ipv6ll(link, /* check_multicast = */ true))
return false;
- assert(link->network->ipv6_accept_ra >= 0);
- return link->network->ipv6_accept_ra;
+ if (link->network->ipv6_accept_ra >= 0)
+ return link->network->ipv6_accept_ra;
+
+ /* Accept RAs if IPv6 forwarding is disabled, and ignore RAs if IPv6 forwarding is enabled. */
+ int t = link_get_ip_forwarding(link, AF_INET6);
+ if (t >= 0)
+ return !t;
+
+ /* Otherwise, defaults to true. */
+ return true;
}
void network_adjust_ipv6_accept_ra(Network *network) {
network->ipv6_accept_ra = false;
}
- if (network->ipv6_accept_ra < 0)
- /* default to accept RA if ip_forward is disabled and ignore RA if ip_forward is enabled */
- network->ipv6_accept_ra = !FLAGS_SET(network->ip_forward, ADDRESS_FAMILY_IPV6);
-
/* When RouterAllowList=, PrefixAllowList= or RouteAllowList= are specified, then
* RouterDenyList=, PrefixDenyList= or RouteDenyList= are ignored, respectively. */
if (!set_isempty(network->ndisc_allow_listed_router))
Network.DNSSEC, config_parse_dnssec_mode, 0, offsetof(Network, dnssec_mode)
Network.DNSSECNegativeTrustAnchors, config_parse_dnssec_negative_trust_anchors, 0, offsetof(Network, dnssec_negative_trust_anchors)
Network.NTP, config_parse_ntp, 0, offsetof(Network, ntp)
-Network.IPForward, config_parse_address_family_with_kernel, 0, offsetof(Network, ip_forward)
+Network.IPForward, config_parse_ip_forward_deprecated, 0, 0
+Network.IPv4Forwarding, config_parse_tristate, 0, offsetof(Network, ip_forwarding[0])
+Network.IPv6Forwarding, config_parse_tristate, 0, offsetof(Network, ip_forwarding[1])
Network.IPMasquerade, config_parse_ip_masquerade, 0, offsetof(Network, ip_masquerade)
Network.IPv6PrivacyExtensions, config_parse_ipv6_privacy_extensions, 0, offsetof(Network, ipv6_privacy_extensions)
Network.IPv6AcceptRA, config_parse_tristate, 0, offsetof(Network, ipv6_accept_ra)
network->ipv6ll_address_gen_mode < 0)
network->ipv6ll_address_gen_mode = IPV6_LINK_LOCAL_ADDRESSS_GEN_MODE_STABLE_PRIVACY;
- /* IPMasquerade implies IPForward */
- network->ip_forward |= network->ip_masquerade;
-
network_adjust_ipv6_proxy_ndp(network);
network_adjust_ipv6_accept_ra(network);
network_adjust_dhcp(network);
.link_local = _ADDRESS_FAMILY_INVALID,
.ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID,
+ .ip_forwarding = { -1, -1, },
.ipv4_accept_local = -1,
.ipv4_route_localnet = -1,
.ipv6_privacy_extensions = _IPV6_PRIVACY_EXTENSIONS_INVALID,
int ipoib_umcast;
/* sysctl settings */
- AddressFamily ip_forward;
+ int ip_forwarding[2];
int ipv4_accept_local;
int ipv4_route_localnet;
int ipv6_dad_transmits;
"Ignoring [Route] section from line %u.",
route->section->filename, route->section->line);
- if (route->nexthop.family == AF_INET6 && !route->network->ipv6_accept_ra)
+ if (route->nexthop.family == AF_INET6 && route->network->ipv6_accept_ra == 0)
return log_warning_errno(SYNTHETIC_ERRNO(EINVAL),
"%s: Gateway=\"_ipv6ra\" is specified but IPv6AcceptRA= is disabled. "
"Ignoring [Route] section from line %u.",
#include <linux/if.h>
#include <linux/if_arp.h>
+#include "af-list.h"
#include "missing_network.h"
#include "networkd-link.h"
#include "networkd-manager.h"
#include "string-table.h"
#include "sysctl-util.h"
+static void manager_set_ip_forwarding(Manager *manager, int family) {
+ int r, t;
+
+ assert(manager);
+ assert(IN_SET(family, AF_INET, AF_INET6));
+
+ if (family == AF_INET6 && !socket_ipv6_is_supported())
+ return;
+
+ t = manager->ip_forwarding[family == AF_INET6];
+ if (t < 0)
+ return; /* keep */
+
+ /* First, set the default value. */
+ r = sysctl_write_ip_property_boolean(family, "default", "forwarding", t);
+ if (r < 0)
+ log_warning_errno(r, "Failed to %s the default %s forwarding: %m",
+ enable_disable(t), af_to_ipv4_ipv6(family));
+
+ /* Then, set the value to all interfaces. */
+ r = sysctl_write_ip_property_boolean(family, "all", "forwarding", t);
+ if (r < 0)
+ log_warning_errno(r, "Failed to %s %s forwarding for all interfaces: %m",
+ enable_disable(t), af_to_ipv4_ipv6(family));
+}
+
+void manager_set_sysctl(Manager *manager) {
+ assert(manager);
+ assert(!manager->test_mode);
+
+ manager_set_ip_forwarding(manager, AF_INET);
+ manager_set_ip_forwarding(manager, AF_INET6);
+}
+
static bool link_is_configured_for_family(Link *link, int family) {
assert(link);
return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "proxy_arp_pvlan", link->network->proxy_arp_pvlan > 0);
}
-static bool link_ip_forward_enabled(Link *link, int family) {
+int link_get_ip_forwarding(Link *link, int family) {
assert(link);
+ assert(link->manager);
+ assert(link->network);
assert(IN_SET(family, AF_INET, AF_INET6));
- if (!link_is_configured_for_family(link, family))
- return false;
-
- return link->network->ip_forward & (family == AF_INET ? ADDRESS_FAMILY_IPV4 : ADDRESS_FAMILY_IPV6);
-}
+ /* If it is explicitly specified, then honor the setting. */
+ int t = link->network->ip_forwarding[family == AF_INET6];
+ if (t >= 0)
+ return t;
-static int link_set_ipv4_forward(Link *link) {
- assert(link);
-
- if (!link_ip_forward_enabled(link, AF_INET))
- return 0;
+ /* If IPMasquerade= is enabled, also enable IP forwarding. */
+ if (family == AF_INET && FLAGS_SET(link->network->ip_masquerade, ADDRESS_FAMILY_IPV4))
+ return true;
+ if (family == AF_INET6 && FLAGS_SET(link->network->ip_masquerade, ADDRESS_FAMILY_IPV6))
+ return true;
- /* We propagate the forwarding flag from one interface to the
- * global setting one way. This means: as long as at least one
- * interface was configured at any time that had IP forwarding
- * enabled the setting will stay on for good. We do this
- * primarily to keep IPv4 and IPv6 packet forwarding behaviour
- * somewhat in sync (see below). */
+ /* If IPv6SendRA= is enabled, also enable IPv6 forwarding. */
+ if (family == AF_INET6 && link_radv_enabled(link))
+ return true;
- return sysctl_write_ip_property(AF_INET, NULL, "ip_forward", "1");
+ /* Otherwise, use the global setting. */
+ return link->manager->ip_forwarding[family == AF_INET6];
}
-static int link_set_ipv6_forward(Link *link) {
+static int link_set_ip_forwarding(Link *link, int family) {
+ int r, t;
+
assert(link);
+ assert(IN_SET(family, AF_INET, AF_INET6));
- if (!link_ip_forward_enabled(link, AF_INET6))
+ if (!link_is_configured_for_family(link, family))
return 0;
- /* On Linux, the IPv6 stack does not know a per-interface
- * packet forwarding setting: either packet forwarding is on
- * for all, or off for all. We hence don't bother with a
- * per-interface setting, but simply propagate the interface
- * flag, if it is set, to the global flag, one-way. Note that
- * while IPv4 would allow a per-interface flag, we expose the
- * same behaviour there and also propagate the setting from
- * one to all, to keep things simple (see above). */
+ t = link_get_ip_forwarding(link, family);
+ if (t < 0)
+ return 0; /* keep */
- return sysctl_write_ip_property(AF_INET6, "all", "forwarding", "1");
+ r = sysctl_write_ip_property_boolean(family, link->ifname, "forwarding", t);
+ if (r < 0)
+ return log_link_warning_errno(link, r, "Failed to %s %s forwarding, ignoring: %m",
+ enable_disable(t), af_to_ipv4_ipv6(family));
+
+ return 0;
}
static int link_set_ipv4_rp_filter(Link *link) {
if (r < 0)
log_link_warning_errno(link, r, "Cannot configure proxy ARP private VLAN for interface, ignoring: %m");
- r = link_set_ipv4_forward(link);
- if (r < 0)
- log_link_warning_errno(link, r, "Cannot turn on IPv4 packet forwarding, ignoring: %m");
-
- r = link_set_ipv6_forward(link);
- if (r < 0)
- log_link_warning_errno(link, r, "Cannot configure IPv6 packet forwarding, ignoring: %m");
+ (void) link_set_ip_forwarding(link, AF_INET);
+ (void) link_set_ip_forwarding(link, AF_INET6);
r = link_set_ipv6_privacy_extensions(link);
if (r < 0)
DEFINE_STRING_TABLE_LOOKUP(ip_reverse_path_filter, IPReversePathFilter);
DEFINE_CONFIG_PARSE_ENUM(config_parse_ip_reverse_path_filter, ip_reverse_path_filter, IPReversePathFilter,
"Failed to parse IP reverse path filter option");
+
+int config_parse_ip_forward_deprecated(
+ const char* unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ assert(filename);
+
+ log_syntax(unit, LOG_WARNING, filename, line, 0,
+ "IPForward= setting is deprecated. "
+ "Please use IPv4Forwarding= and/or IPv6Forwarding= in networkd.conf for global setting, "
+ "and the same settings in .network files for per-interface setting.");
+ return 0;
+}
#include "conf-parser.h"
typedef struct Link Link;
+typedef struct Manager Manager;
typedef enum IPv6PrivacyExtensions {
/* These values map to the kernel's /proc/sys/net/ipv6/conf/xxx/use_tempaddr values. Do not reorder! */
_IP_REVERSE_PATH_FILTER_INVALID = -EINVAL,
} IPReversePathFilter;
+void manager_set_sysctl(Manager *manager);
+
+int link_get_ip_forwarding(Link *link, int family);
int link_set_sysctl(Link *link);
int link_set_ipv6_mtu(Link *link);
CONFIG_PARSER_PROTOTYPE(config_parse_ipv6_privacy_extensions);
CONFIG_PARSER_PROTOTYPE(config_parse_ip_reverse_path_filter);
+CONFIG_PARSER_PROTOTYPE(config_parse_ip_forward_deprecated);
DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(ip_masquerade_address_family, AddressFamily);
DEFINE_STRING_TABLE_LOOKUP(dhcp_lease_server_type, sd_dhcp_lease_server_type_t);
-int config_parse_address_family_with_kernel(
- const char* unit,
- const char *filename,
- unsigned line,
- const char *section,
- unsigned section_line,
- const char *lvalue,
- int ltype,
- const char *rvalue,
- void *data,
- void *userdata) {
-
- AddressFamily *fwd = data, s;
-
- assert(filename);
- assert(lvalue);
- assert(rvalue);
- assert(data);
-
- /* This function is mostly obsolete now. It simply redirects
- * "kernel" to "no". In older networkd versions we used to
- * distinguish IPForward=off from IPForward=kernel, where the
- * former would explicitly turn off forwarding while the
- * latter would simply not touch the setting. But that logic
- * is gone, hence silently accept the old setting, but turn it
- * to "no". */
-
- s = address_family_from_string(rvalue);
- if (s < 0) {
- if (streq(rvalue, "kernel"))
- s = ADDRESS_FAMILY_NO;
- else {
- log_syntax(unit, LOG_WARNING, filename, line, 0, "Failed to parse IPForward= option, ignoring: %s", rvalue);
- return 0;
- }
- }
-
- *fwd = s;
-
- return 0;
-}
-
int config_parse_ip_masquerade(
const char *unit,
const char *filename,
}
CONFIG_PARSER_PROTOTYPE(config_parse_link_local_address_family);
-CONFIG_PARSER_PROTOTYPE(config_parse_address_family_with_kernel);
CONFIG_PARSER_PROTOTYPE(config_parse_ip_masquerade);
CONFIG_PARSER_PROTOTYPE(config_parse_mud_url);
[Network]
Address=192.168.6.2/24
DHCPServer=yes
-IPForward=ipv4
+IPv4Forwarding=yes
IPv6AcceptRA=no
[DHCPServer]
[Network]
DHCP=yes
-IPForward=ipv4
+IPv4Forwarding=yes
IPv6AcceptRA=no
[Network]
Address=192.168.5.2/24
-IPForward=ipv4
+IPv4Forwarding=yes
IPv6AcceptRA=no
[Network]
Address=192.168.5.1/24
-IPForward=ipv4
+IPv4Forwarding=yes
DHCPServer=yes
IPv6AcceptRA=no
IPv6ProxyNDPAddress=2607:5300:203:5215:2::1
IPv6ProxyNDPAddress=2607:5300:203:5215:1::1
IPv6AcceptRA=no
-IPForward=yes
Address=66.70.129.136/32
Address=66.70.129.142/32
Address=66.70.129.143/32
Name=dummy98
[Network]
-IPForward=yes
+IPv4Forwarding=yes
+IPv6Forwarding=yes
IPv6DuplicateAddressDetection=3
IPv6HopLimit=5
IPv4ProxyARP=yes
[Network]
VLAN=vlan99
-IPForward=yes
ConfigureWithoutCarrier=yes
LLDP=yes
IPv6AcceptRA=false
[Network]
IPv6AcceptRA=no
-IPForward=yes
Bridge=bridge99
LinkLocalAddressing=no
EmitLLDP=nearest-bridge
start_networkd()
self.wait_online('veth99:routable', 'veth-peer:degraded')
+ # IPv6SendRA=yes implies IPv6Forwarding.
+ self.check_ipv6_sysctl_attr('veth-peer', 'forwarding', '1')
+
output = resolvectl('dns', 'veth99')
print(output)
self.assertRegex(output, 'fe80::')
projects / thirdparty / systemd.git / commitdiff
