Changing networkd's IPForward= default from "no" to "kernel"?
Josh Triplett
josh at joshtriplett.org
Mon Oct 5 23:18:23 BST 2015
On Mon, Oct 05, 2015 at 03:53:04PM +0200, Martin Pitt wrote:
> CC'ing Josh as he works with networkd a lot and was rather interested
> in its integration into Debian.
Thanks, Martin.
> upstream networkd (and in Debian up to now) defaults to IPForward=no
> (see man systemd.network), i. e. if you configure a network interface
> through networkd without explicitly setting IPForward=, the
> per-interface setting (/proc/sys/net/ipv{4,6}/conf/iface/forwarding)
> will be disabled.
>
> This has the effect that all packages which do something like "echo 1
> > /proc/sys/net/ipv4/ip_forward" in their init scripts, postinst, etc.
> (and we have a lot: [1]) stop working, as the per-interface setting
> naturally overrides the global config.
>
> This is a rather major issue at least for Ubuntu users with LXC, so
> for now I applied a patch in Ubuntu [2] to change the default to
> "kernel". The kernel's default is also to disable forwarding, but
> with that packages or the admin retain the option to enable/disable
> forwarding globally. I must say I don't like patching networkd, but
> after discussing other possible alternatives [3] I don't see a better
> way.
>
> Is this something which we also want in Debian? My gut feeling says
> "yes", but that hasn't always been correct lately :-) The alternative
> is to document it something like
>
> If you install a package that tries to enable IP forwarding, please
> add "IPForward=yes" to the .network file that covers your default
> route (if you aren't sure, add it to all of them). Conversely, if
> you remove such a package, remove the IPForward setting again, or
> change it to "no".
>
> Aside from the fact that almost no user will actually look in
> /usr/share/doc/systemd/README.Debian when this happens, this is
> utterly complicated and not something which you could ever "sell"
> something as a solution. I experimented with something like
> /run/systemd/network/{00,zz}_enable_forwarding.network, but *.network
> files aren't additive in that way, you can only ever have one that
> applies to a particular interface. And changing all *.network files
> programmatically from various init scripts is of course a big no-go.
>
> So there doesn't seem to be a better way to do this right now. Ideas
> muchly appreciated of course!
As a temporary measure, while fixing the various packages doing so, this
doesn't seem too unreasonable. (Note that many of the results of that
search are comments, rather than actual scripts; nevertheless enough
instances exist to make it necessary to cope with somehow.)
However, given the potential security implications, this needs some very
clear documentation, as well as some warnings. For instance, how about
making networkd emit a warning when the global flag is set to "yes"
but a .network file doesn't have an *explicit* IPForward setting (either
yes or no)? That would help people very quickly notice why their
packets don't get forwarded, and point them directly at the setting they
need to change. With that change, I wonder if we really need to change
the default.
I'd also be tempted to make the kernel emit a warning when setting the
global ip_forward rather than the per-interface flag, but that would
affect non-networkd users as well, and I suspect people would complain.
- Josh Triplett
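Added example, not code from this thread or from systemd: a small POSIX shell check that does what Josh proposes above, in userspace rather than inside networkd. It flags every *.network file that has no explicit IPForward= line while the global ip_forward sysctl is 1, which is exactly the combination in which networkd's IPForward=no default silently wins over an init script's "echo 1 > /proc/sys/net/ipv4/ip_forward". The interface names, file names and addresses in the sample directory are constructed for the example.

```shell
#!/bin/sh
# check_ipforward_config GLOBAL DIR
#   GLOBAL: current value of /proc/sys/net/ipv4/ip_forward (0 or 1)
#   DIR:    directory holding *.network files (e.g. /etc/systemd/network)
# Prints one warning per .network file that lacks an explicit IPForward=
# (yes/no/ipv4/ipv6; "kernel" in the patched Ubuntu build) while GLOBAL is 1.
# Returns 1 if any such file was found, 0 otherwise.
check_ipforward_config() {
    global="$1"
    dir="$2"
    found=0
    for f in "$dir"/*.network; do
        [ -e "$f" ] || continue
        # An explicit setting, whatever its value, is what we want to see.
        if grep -Eq '^[[:space:]]*IPForward[[:space:]]*=' "$f"; then
            continue
        fi
        if [ "$global" = "1" ]; then
            name=$(sed -n 's/^[[:space:]]*Name[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
            echo "warning: ip_forward=1 but $f (Name=${name:-*}) sets no IPForward=;" \
                 "networkd will disable forwarding on this interface"
            found=1
        fi
    done
    return $found
}

# Read the live global flag where /proc is available; otherwise assume 1
# so the check can be exercised offline.
live_global() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo 1
    fi
}

# Constructed sample directory: one file with an explicit IPForward=yes and
# one (the LXC bridge case from the thread) without any IPForward= line.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/10-wan.network" <<'EOF'
[Match]
Name=eth0

[Network]
DHCP=yes
IPForward=yes
EOF
    cat > "$d/20-lxcbr.network" <<'EOF'
[Match]
Name=lxcbr0

[Network]
Address=10.0.3.1/24
EOF
    echo "$d"
}
```

On a real host, run `check_ipforward_config "$(live_global)" /etc/systemd/network` after installing a package that enables forwarding; a non-zero exit points at the file that still needs an IPForward= line. The check is deliberately file-based rather than reading /proc/sys/net/ipv4/conf/*/forwarding, because the per-interface value is only rewritten once networkd brings the link up, and the configuration mistake exists before then.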