bridge ipmasquaring fails with networkd (works with libvirt)

[xnox]

If i create a network bridge, with an IP address assigned and a dhcp server e.g. using libvirt net-* support, my kernel 4.1.1 boots fine, sets up the bridge / dsmasq server / masquarading and when tap interfaces are created and added to the bridge, they can gain ip address via DHCP and access internet (e.g. in a VM).

However, when i try to do similar setup with networkd I get:

Jul 15 13:31:31 clr systemd-networkd[644]: clrbr1: Could not enable IP masquerading: Operation not supported

The config for network is trivial:

[Match]
Name=clrbr0

[Network]
Address=0.0.0.0/28
DHCPServer=yes
IPMasquerade=yes

And there is a .netdev file to create this bridge as well.

Am I missing some kernel modules, config, or what not? Or is there a way to get more debug as to what libvirt did, what systemd-networkd tried to do, and what has failed?

[xnox]

i am such a minion. added iptables-dev build-dep to get libiptc and now it works.

[copyninja]

@xnox How did you resolve this?.. I've libiptcdata0 installed (I'm assuming libiptc above refers to that library) but I still see the message Could not enable IP masquerading: Operation not permitted in log.

[xnox]

@copyninja yes I have. If you are on ubuntu/debian -> rebuild your systemd with iptables-dev build-depenendy and actually enable ipmasquerading feature.

[copyninja]

@xnox Yes I use Debian. Eh why isn't this by default enabled in Debian?. I think we should raise a bug report on bts to make this enabled by default (if not already done).

[mbiebl]

This means yet another library dependency and bigger footprint of a base installation.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787480

[copyninja]

Thanks @mbiebl for the link. It makes sense now, I will wait for the change from iptables to nftables till then 👍