Josh Triplett [2015-10-05 15:18 -0700]:
> However, given the potential security implications, this needs some very
> clear documentation, as well as some warnings. For instance, how about
> making networkd emit a warning when the global flag is set to "yes"
> but a .network file doesn't have an *explicit* IPForward setting (either
> yes or no)? That would help people very quickly notice why their
> packets don't get forwarded, and point them directly at the setting they
> need to change. With that change, I wonder if we really need to change
> the default.
I'm not sure about the "quickly notice" -- if you install libvirt or LXC and your guest can't talk to the network, I'd naïvely look in LXC/libvirt, but not into the host's networkd journal. People might eventually find it of course, but regressing the user experience (compared to ifupdown and NM) from "apt-get install, it works" to "need to find out what's wrong and then change my configuration files" isn't exactly a selling point.

The worst thing is that this also breaks pretty much every firewall/network control project which tries to enable/disable global forwarding. These projects won't get/show any error message, it just silently doesn't actually work.

> I'd also be tempted to make the kernel emit a warning when setting the
> global ip_forward rather than the per-interface flag, but that would
> affect non-networkd users as well, and I suspect people would complain.

Perhaps only warn if you set the global flag after any per-interface flag has already been set?

Martin
-- 
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
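The warning Josh proposes above, as an added example that is not part of this thread or of systemd: an audit that reads the global forwarding flag and a set of .network files, and reports every interface that has no explicit IPForward= while the global flag is "yes". The .network contents and the global flag value are constructed inputs here; a real deployment would read /etc/systemd/network/*.network and /proc/sys/net/ipv4/ip_forward.

```python
import configparser

# Constructed sample .network files (not taken from the thread). Only the
# second one lacks an explicit IPForward= and should be flagged.
NETWORK_FILES = {
    "10-br0.network": "[Match]\nName=br0\n\n[Network]\nAddress=192.0.2.1/24\nIPForward=yes\n",
    "20-eth0.network": "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n",
    "30-veth.network": "[Match]\nName=veth*\n\n[Network]\nIPForward=no\n",
}


def parse_network(text):
    """Return (Match.Name, Network.IPForward) from one .network file.

    IPForward is None when the file leaves it unset, which is the case
    the proposed networkd warning is about. Duplicate keys (e.g. several
    Address= lines) are tolerated rather than treated as errors.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # .network keys are case-sensitive; keep them as written
    cp.read_string(text)
    name = cp.get("Match", "Name", fallback=None)
    ipforward = cp.get("Network", "IPForward", fallback=None)
    return name, ipforward


def audit(files, global_ip_forward):
    """List (filename, match_name) for every .network file without an
    explicit IPForward= when the global net.ipv4.ip_forward flag is on.

    When the global flag is off there is nothing to warn about: the
    per-interface default and the global setting agree.
    """
    findings = []
    if not global_ip_forward:
        return findings
    for fname, text in files.items():
        name, ipforward = parse_network(text)
        if ipforward is None:
            findings.append((fname, name))
    return findings


if __name__ == "__main__":
    for fname, name in audit(NETWORK_FILES, global_ip_forward=True):
        print(f"warning: net.ipv4.ip_forward=1 but {fname} (Name={name}) "
              f"has no explicit IPForward=; forwarding on this interface "
              f"is left to networkd's default, not the global flag")
```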