From: ssahani <ssahani@gmail.com>
Date: Fri, 27 Mar 2026 03:49:49 +0000 (+0530)
Subject: networkd: Add docs and tests for IPv4SrcValidMark=
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f69c8e712a31f9b99019b602bebe0c7dc82c41b;p=thirdparty%2Fsystemd.git

networkd: Add docs and tests for IPv4SrcValidMark=
Document the new setting in systemd.network(5) man page
and add coverage in the networkd integration tests.

Co-developed-by: Claude Opus 4.6 <noreply@anthropic.com>
---

diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index 4c777ef4e08..554d8da8ef6 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -1086,6 +1086,19 @@ DuplicateAddressDetection=none</programlisting></para>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>IPv4SrcValidMark=</varname></term>
+        <listitem>
+          <para>Takes a boolean. When enabled, the packet's firewall mark (fwmark) is included in the
+          reverse path filter route lookup for source address validation on this interface. This is
+          particularly useful for policy routing setups where packets may arrive with source addresses
+          that are only valid in routing tables selected by their fwmark. When unset, the kernel's
+          default will be used.</para>
+
+          <xi:include href="version-info.xml" xpointer="v261"/>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>IPv4ProxyARP=</varname></term>
         <listitem>
diff --git a/src/network/networkd-sysctl.c b/src/network/networkd-sysctl.c
index 8946f369607..e5f5c07ff16 100644
--- a/src/network/networkd-sysctl.c
+++ b/src/network/networkd-sysctl.c
@@ -665,6 +665,7 @@ static int link_set_ipv4_route_localnet(Link *link) {
 static int link_set_ipv4_src_valid_mark(Link *link) {
         assert(link);
         assert(link->manager);
+        assert(link->network);
 
         if (!link_is_configured_for_family(link, AF_INET))
                 return 0;
diff --git a/test/test-network/conf/25-sysctl.network b/test/test-network/conf/25-sysctl.network
index dcc4f0d293a..c0c709c32ce 100644
--- a/test/test-network/conf/25-sysctl.network
+++ b/test/test-network/conf/25-sysctl.network
@@ -12,5 +12,6 @@ IPv4ProxyARPPrivateVLAN=yes
 IPv6ProxyNDP=yes
 IPv6AcceptRA=no
 IPv4AcceptLocal=yes
+IPv4SrcValidMark=yes
 IPv4ReversePathFilter=no
 MulticastIGMPVersion=v1
diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
index bab725bd239..38443315e6d 100755
--- a/test/test-network/systemd-networkd-tests.py
+++ b/test/test-network/systemd-networkd-tests.py
@@ -4972,6 +4972,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities):
         self.check_ipv4_sysctl_attr('dummy98', 'proxy_arp', '1')
         self.check_ipv4_sysctl_attr('dummy98', 'proxy_arp_pvlan', '1')
         self.check_ipv4_sysctl_attr('dummy98', 'accept_local', '1')
+        self.check_ipv4_sysctl_attr('dummy98', 'src_valid_mark', '1')
         self.check_ipv4_sysctl_attr('dummy98', 'rp_filter', '0')
         self.check_ipv4_sysctl_attr('dummy98', 'force_igmp_version', '1')