author Yu Watanabe <watanabe.yu+github@gmail.com> 2024-02-20 22:20:45 +0100
committer Luca Boccassi <luca.boccassi@gmail.com> 2024-02-22 20:24:12 +0100
commit 3976c430927e1bfefa0413f80ebac84ab9a64350 (patch)
tree 74dc60f375f8858f04c23cc62174ff9311b844c4 /man
parent README: mention fq_codel (diff)
network: introduce per-interface IP forwarding settings
This deprecates the IPForward= setting, which unconditionally controlled the global setting, even though it is a setting in a .network file. Instead, this introduces new IPv4Forwarding= and IPv6Forwarding= settings both in .network and networkd.conf. If these settings are specified in a .network file, then the per-interface forwarding setting will be configured. If specified in networkd.conf, then the global IP forwarding setting will be configured. Closes #30648.
Diffstat (limited to 'man')
-rw-r--r-- man/networkd.conf.xml 28
-rw-r--r-- man/systemd.network.xml 51
2 files changed, 61 insertions, 18 deletions
diff --git a/man/networkd.conf.xml b/man/networkd.conf.xml
index 9477bfe5af..2ab5cf1d79 100644
--- a/man/networkd.conf.xml
+++ b/man/networkd.conf.xml
@@ -117,6 +117,34 @@
</varlistentry>
<varlistentry>
+ <term><varname>IPv4Forwarding=</varname></term>
+ <listitem>
+ <para>Configures IPv4 packet forwarding for the system. Takes a boolean value. This controls the
+ <filename>net.ipv4.conf.default.forwarding</filename> and
+ <filename>net.ipv4.conf.all.forwarding</filename>sysctl options. See
+ <ulink url="https://docs.kernel.org/networking/ip-sysctl.html">IP Sysctl</ulink>
+ for more details about the sysctl options. Defaults to unset and the sysctl options will not be
+ changed.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv6Forwarding=</varname></term>
+ <listitem>
+ <para>Configures IPv6 packet forwarding for the system. Takes a boolean value. This controls the
+ <filename>net.ipv6.conf.default.forwarding</filename> and
+ <filename>net.ipv6.conf.all.forwarding</filename> sysctl options. See
+ <ulink url="https://docs.kernel.org/networking/ip-sysctl.html">IP Sysctl</ulink>
+ for more details about the sysctl options. Defaults to unset and the sysctl options will not be
+ changed.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>IPv6PrivacyExtensions=</varname></term>
<listitem>
<para>Specifies the default value for per-network <varname>IPv6PrivacyExtensions=</varname>.
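Review bot: In the added IPv4Forwarding= entry, the line "<filename>net.ipv4.conf.all.forwarding</filename>sysctl options. See" has no whitespace between the closing tag and "sysctl", so the rendered page will run the filename and the word together; the IPv6Forwarding= entry below it has the space, so this looks like a slip. Please add it. It would also help to say in both entries that the value is used as the fallback for the per-interface setting of the same name in systemd.network(5), since the .network entries point here but these entries do not point back.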
diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index adff23d1fe..96228fc198 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -803,26 +803,43 @@ Table=1234</programlisting></para>
</varlistentry>
<varlistentry>
- <term><varname>IPForward=</varname></term>
- <listitem>
- <para>Configures IP packet forwarding for the system. If enabled, incoming packets on any
- network interface will be forwarded to any other interfaces according to the routing table.
- Takes a boolean, or the values <literal>ipv4</literal> or <literal>ipv6</literal>, which only
- enable IP packet forwarding for the specified address family. This controls the
- <filename>net.ipv4.ip_forward</filename> and <filename>net.ipv6.conf.all.forwarding</filename>
- sysctl options of the network interface (see
+ <term><varname>IPv4Forwarding=</varname></term>
+ <listitem>
+ <para>Configures IPv4 packet forwarding for the interface. Takes a boolean value. This controls the
+ <filename>net.ipv4.conf.<replaceable>INTERFACE</replaceable>.forwarding</filename> sysctl option of
+ the network interface. See
<ulink url="https://docs.kernel.org/networking/ip-sysctl.html">IP Sysctl</ulink>
- for details about sysctl options). Defaults to <literal>no</literal>.</para>
+ for more details about the sysctl option. Defaults to true if <varname>IPMasquerade=</varname> is
+ enabled for IPv4, otherwise the value specified to the same setting in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ will be used. If none of them are specified, the sysctl option will not be changed.</para>
+
+ <para>To control the global setting, use the same setting in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
- <para>Note: this setting controls a global kernel option, and does so one way only: if a
- network that has this setting enabled is set up the global setting is turned on. However,
- it is never turned off again, even after all networks with this setting enabled are shut
- down again.</para>
+ <varlistentry>
+ <term><varname>IPv6Forwarding=</varname></term>
+ <listitem>
+ <para>Configures IPv6 packet forwarding for the interface. Takes a boolean value. This controls the
+ <filename>net.ipv6.conf.<replaceable>INTERFACE</replaceable>.forwarding</filename> sysctl option of
+ the network interface. See
+ <ulink url="https://docs.kernel.org/networking/ip-sysctl.html">IP Sysctl</ulink>
+ for more details about the sysctl option. Defaults to true if <varname>IPMasquerade=</varname> is
+ enabled for IPv6 or <varname>IPv6SendRA=</varname> is enabled, otherwise the value specified to the
+ same setting in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ will be used. If none of them are specified, the sysctl option will not be changed.</para>
- <para>To allow IP packet forwarding only between specific network interfaces use a firewall.
+ <para>To control the global setting, use the same setting in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para>
- <xi:include href="version-info.xml" xpointer="v219"/>
+ <xi:include href="version-info.xml" xpointer="v256"/>
</listitem>
</varlistentry>
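Review bot: The IPForward= entry is deleted outright here, while the commit message says the setting is deprecated rather than removed, so an administrator with IPForward= in an existing .network file finds no documentation of what it does now or what to migrate to. Please keep a short IPForward= entry marked deprecated that points at IPv4Forwarding=/IPv6Forwarding= and at the global settings in networkd.conf(5). The removed paragraphs also carried two operational points the new text drops: that the old setting was never turned off again once enabled, and "To allow IP packet forwarding only between specific network interfaces use a firewall." The new entries should state whether the per-interface sysctl is reverted when the network goes down, and the firewall advice is still worth keeping, since enabling forwarding on an interface does not by itself restrict which interfaces traffic is forwarded between.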
@@ -832,9 +849,7 @@ Table=1234</programlisting></para>
<para>Configures IP masquerading for the network interface. If enabled, packets forwarded
from the network interface will be appear as coming from the local host. Takes one of
<literal>ipv4</literal>, <literal>ipv6</literal>, <literal>both</literal>, or
- <literal>no</literal>. Defaults to <literal>no</literal>. If enabled, this automatically sets
- <varname>IPForward=</varname> to one of <literal>ipv4</literal>, <literal>ipv6</literal> or
- <literal>yes</literal>.</para>
+ <literal>no</literal>. Defaults to <literal>no</literal>.</para>
<para>Note. Any positive boolean values such as <literal>yes</literal> or
<literal>true</literal> are now deprecated. Please use one of the values in the above.</para>
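Review bot: After the removal of the "If enabled, this automatically sets IPForward=" sentence, the IPMasquerade= entry no longer tells the reader that enabling masquerading also turns forwarding on for the interface; that behaviour is now documented only from the other side, in the "Defaults to true if IPMasquerade= is enabled" wording of the new IPv4Forwarding=/IPv6Forwarding= entries. Please replace the removed sentence with one that names the new settings, so someone enabling masquerading sees the forwarding side effect here. While touching this paragraph, the context line "will be appear as coming from the local host" should read "will appear".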