bridge IP masquerading fails with networkd (works with libvirt) #596

Closed
xnox opened this Issue Jul 15, 2015 · 6 comments

xnox commented Jul 15, 2015

If I create a network bridge, with an IP address assigned and a DHCP server, e.g. using libvirt net-* support, my kernel 4.1.1 boots fine, sets up the bridge / dnsmasq server / masquerading, and when tap interfaces are created and added to the bridge, they can gain an IP address via DHCP and access the internet (e.g. in a VM).

However, when I try to do a similar setup with networkd I get:

Jul 15 13:31:31 clr systemd-networkd[644]: clrbr1: Could not enable IP masquerading: Operation not supported

The config for network is trivial:

[Match]
Name=clrbr0

[Network]
Address=0.0.0.0/28
DHCPServer=yes
IPMasquerade=yes

And there is a .netdev file to create this bridge as well.

Am I missing some kernel modules, config, or what not? Or is there a way to get more debug as to what libvirt did, what systemd-networkd tried to do, and what has failed?
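To make the question above answerable from artifacts rather than guesswork, here is an added diagnostic script (not part of the issue or of systemd). It parses the .network file in systemd's INI-like syntax (duplicate keys allowed), extracts masquerade failures from a journal excerpt, and checks whether the systemd-networkd binary links libip4tc, the shared library that libiptc provides. The sample journal lines and the `ldd` output are constructed for the example; the wording of the verdicts and the `diagnose` function are my own, not anything systemd emits.

```python
"""Diagnose a systemd-networkd IPMasquerade failure from config, journal
and linkage evidence. Added example; not code from the issue or systemd."""
from __future__ import annotations
import re

# Sample .network file (the one quoted in the issue).
NETWORK_FILE = """\
[Match]
Name=clrbr0

[Network]
Address=0.0.0.0/28
DHCPServer=yes
IPMasquerade=yes
"""

# Constructed journal excerpt; the second line is the error from the issue.
JOURNAL = """\
Jul 15 13:31:30 clr systemd-networkd[644]: clrbr1: Gained carrier
Jul 15 13:31:31 clr systemd-networkd[644]: clrbr1: Could not enable IP masquerading: Operation not supported
"""

# Constructed `ldd /lib/systemd/systemd-networkd` output for a build
# without libiptc (hypothetical; a real listing has more entries).
LDD_NO_IPTC = """\
\tlinux-vdso.so.1 (0x00007ffd00000000)
\tlibsystemd-shared-219.so => /lib/systemd/libsystemd-shared-219.so (0x00007f0000000000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)
"""
LDD_WITH_IPTC = LDD_NO_IPTC + (
    "\tlibip4tc.so.0 => /lib/x86_64-linux-gnu/libip4tc.so.0 (0x00007f0000000000)\n"
)


def parse_unit(text: str) -> dict[str, list[tuple[str, str]]]:
    """Parse systemd unit syntax into {section: [(key, value), ...]}.
    Keys may repeat (several Address= lines), so values are kept in order."""
    sections: dict[str, list[tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def get(sections: dict, section: str, key: str, default: str | None = None):
    """Last value of key in section (systemd semantics: later lines win)."""
    vals = [v for k, v in sections.get(section, []) if k == key]
    return vals[-1] if vals else default


MASQ_ERR = re.compile(
    r"systemd-networkd\[\d+\]: (?P<link>\S+): "
    r"Could not enable IP masquerading: (?P<reason>.+)$"
)


def masquerade_errors(journal: str) -> list[tuple[str, str]]:
    """Return (link, reason) for every masquerade failure in the excerpt."""
    return [
        (m.group("link"), m.group("reason"))
        for m in (MASQ_ERR.search(line) for line in journal.splitlines())
        if m
    ]


def links_libiptc(ldd_output: str) -> bool:
    """True if the ldd listing shows libip4tc, i.e. networkd was built with libiptc."""
    return re.search(r"\blibip4tc\.so", ldd_output) is not None


def diagnose(network_file: str, journal: str, ldd_output: str) -> str:
    """Combine the three pieces of evidence into a one-line verdict."""
    cfg = parse_unit(network_file)
    wants_masq = get(cfg, "Network", "IPMasquerade", "no").lower() in ("yes", "true", "on", "1")
    if not wants_masq:
        return "IPMasquerade is not enabled in this .network file"
    errors = masquerade_errors(journal)
    if not errors:
        return "IPMasquerade requested and no masquerade errors in the journal"
    links = ", ".join(link for link, _ in errors)
    if not links_libiptc(ldd_output):
        return f"systemd-networkd is not linked against libiptc; masquerade failed on {links}"
    return f"libiptc is linked; masquerade still failed on {links} (check kernel NAT support)"


if __name__ == "__main__":
    print(diagnose(NETWORK_FILE, JOURNAL, LDD_NO_IPTC))
```

On a live host, feed `diagnose` the actual file contents, `journalctl -u systemd-networkd` output and `ldd` output of the networkd binary; the libip4tc check is what separates "networkd was built without the feature" from a kernel or ruleset problem.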

@haraldh haraldh added the network label Jul 16, 2015

xnox commented Jul 22, 2015

I am such a minion. Added iptables-dev build-dep to get libiptc and now it works.

@xnox xnox closed this Jul 22, 2015

@xnox How did you resolve this? I've libiptcdata0 installed (I'm assuming libiptc above refers to that library) but I still see the message "Could not enable IP masquerading: Operation not permitted" in the log.

xnox commented Apr 8, 2016

@copyninja yes I have. If you are on Ubuntu/Debian -> rebuild your systemd with the iptables-dev build-dependency and actually enable the IP masquerading feature.

@xnox Yes I use Debian. Eh, why isn't this enabled by default in Debian? I think we should raise a bug report on the BTS to make this enabled by default (if not already done).

mbiebl commented Apr 8, 2016

This means yet another library dependency and bigger footprint of a base installation.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787480

Thanks @mbiebl for the link. It makes sense now; I will wait for the change from iptables to nftables till then 👍
