Bug#804832: systemd-networkd fails to configure IPv4 Bridge Network

Ritesh Raj Sarraf rrs at researchut.com
Sat Nov 14 09:48:23 GMT 2015


Hello Felipe,


On Thu, 2015-11-12 at 10:02 -0300, Felipe Sateler wrote:
> rrs at chutzpah:~$ cat /etc/systemd/network/localBridge.network
> > [Match]
> > Name=sysbr0
> > 
> > [Network]
> > DHCPServer=yes
> > IPForward=yes
> 
> I believe this is the problem. Because we do not enable iptables
> support in networkd, then it cannot set this flag.
> 

I am not sure how this works in systemd-networkd, but the manpage
states that this switch is important, and that it is important
irrespective of the standard means through which we've all been
enabling IP Forwarding in Linux so far.

As I mentioned in the bug report, my intent is to replace my legacy
setup with systemd-networkd. So the current bridge setup (lxcbr0)
already has all the routing/forwarding setup in place. In fact, while
exploring systemd-n, I adapted the setup to also include sysbr0.

That said, it still does not work. And the odd part is, networking is
only broken for IPv4.


> I'd love to have iptables support enabled, but upstream wants to
> switch to nftables at some point. Switch costs are lower if there was
> never any support as there is nothing we can break.
> 
> However, I think networkd should emit a warning if a directive is not
> acted upon due to configure switches.
> 
> You could try enabling ip forwarding manually on the sysbr0 interface
> to see if that works.
> 

It is enabled in /proc for the host kernel already.

rrs at chutzpah:~$ cat /proc/sys/net/ipv4/conf/sysbr0/forwarding 
1
15:10 ♒♒♒   ☺    


> > Address=172.16.20.1
> > 12:12 ♒♒♒   ☺
> > 
> > 
> > In the container, the network does get an IPv4 DHCP address. But it
> > does not work. Interestingly the IPv6 network is working fine.
> > 
> > rrs at chutzpah:~$ ssh fe80::c48a:3cff:feae:252%5
> > rrs at fe80::c48a:3cff:feae:252%5's password:
> > 
> > The programs included with the Debian GNU/Linux system are free
> > software;
> > the exact distribution terms for each program are described in the
> > individual files in /usr/share/doc/*/copyright.
> > 
> > Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> > permitted by applicable law.
> > Last login: Thu Nov 12 11:58:37 2015 from
> > fe80::b8c4:8aff:fe59:e054%host0
> > 

Given that the interface does get a DHCP lease, I am inclined to think
it may be a systemd bug, or a Debian specific change.

That was the reason why I thought of filing it with us first.

What do you guys think? Should I take it up with Lennart?


> > I think this is a systemd specific problem. I think there are some
> > bug reports related to similar symptoms. But before filing upstream,
> > I wanted to check with you guys first.
> 
> So, I think there are two bugs. One downstream (iptables support is
> disabled), and one upstream (networkd should complain loudly when
> ipforwarding/masquerading is set and iptables support is not
> enabled).
> 

We should still file the bug report as a Feature Request. iptables will
stay for some time. It would be good to have nftables by default, but
assuming that iptables is obsolete is not going to happen any time
soon.

I think upstream had a similar view about /var/lib/machines/, wherein
they chose btrfs only. Which led to users with ext4, with almost no
functionality. Please see: https://github.com/systemd/systemd/issues/1308
for details. It is confirmed as a feature request.


-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
