summaryrefslogtreecommitdiff
path: root/man/systemd.network.xml
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2015-11-13 12:49:15 +0100
committerLennart Poettering <lennart@poettering.net>2015-11-13 13:02:50 +0100
commit765afd5c4dbc71940d6dd6007ecc3eaa5a0b2aa1 (patch)
treef3572c54479d2c8cfa15b1fdded1b48225b12f13 /man/systemd.network.xml
parentd68e2e59b3103a2dd197401357dc619efa6e26db (diff)
networkd: stop managing per-interface IP forwarding settings
As it turns out the kernel does not support per-interface IPv6 packet forwarding controls (unlike as it does for IPv4), but only supports a global option (#1597). Also, the current per-interface management of the setting isn't really useful, as you want it to propagate to at least one more interface than the one you configure it on. This created much grief (#1411, #1808). Hence, let's roll this logic back and simplify this again, so that we can expose the same behaviour on IPv4 and IPv6 and things start to work automatically again for most folks: if a network with this setting set is set up we propagate the setting into the global setting, but this is strictly one-way: we never reset it again, and we do nothing for network interfaces where this setting is not enabled. Fixes: #1808, #1597.
Diffstat (limited to 'man/systemd.network.xml')
-rw-r--r--man/systemd.network.xml37
1 files changed, 18 insertions, 19 deletions
diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index 5994869d97..e6dedb027d 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -363,29 +363,28 @@
</varlistentry>
<varlistentry>
<term><varname>IPForward=</varname></term>
- <listitem><para>Configures IP forwarding for the network
- interface. If enabled, incoming packets on the network
- interface will be forwarded to other interfaces according to
- the routing table. Takes either a boolean argument, or the
- values <literal>ipv4</literal> or <literal>ipv6</literal>,
- which only enables IP forwarding for the specified address
- family, or <literal>kernel</literal>, which preserves existing sysctl settings.
- This controls the
- <filename>net.ipv4.conf.&lt;interface&gt;.forwarding</filename>
- and
- <filename>net.ipv6.conf.&lt;interface&gt;.forwarding</filename>
- sysctl options of the network interface (see <ulink
+ <listitem><para>Configures IP packet forwarding for the
+ system. If enabled, incoming packets on any network
+ interface will be forwarded to any other interfaces
+ according to the routing table. Takes either a boolean
+ argument, or the values <literal>ipv4</literal> or
+ <literal>ipv6</literal>, which only enable IP packet
+ forwarding for the specified address family. This controls
+ the <filename>net.ipv4.ip_forward</filename> and
+ <filename>net.ipv6.conf.all.forwarding</filename> sysctl
+ options of the network interface (see <ulink
url="https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt">ip-sysctl.txt</ulink>
for details about sysctl options). Defaults to
<literal>no</literal>.</para>
- <para>Note: unless this option is turned on, or set to <literal>kernel</literal>,
- no IP forwarding is done on this interface, even if this is
- globally turned on in the kernel, with the
- <filename>net.ipv4.ip_forward</filename>,
- <filename>net.ipv4.conf.all.forwarding</filename>, and
- <filename>net.ipv6.conf.all.forwarding</filename> sysctl
- options.</para>
+ <para>Note: this setting controls a global kernel option,
+ and does so one way only: if a network that has this setting
+ enabled is set up the global setting is turned on. However,
+ it is never turned off again, even after all networks with
+ this setting enabled are shut down again.</para>
+
+ <para>To allow IP packet forwarding only between specific
+ network interfaces use a firewall.</para>
</listitem>
</varlistentry>
<varlistentry>