Support ipv6 for masquerade and dnat in nspawn and networkd #18007
Conversation
poettering
added
the
reviewed/needs-rework 🔨
fw-strlen
force-pushed
the
ipv6_masq_and_dnat
branch
from
5f1ccbf
to
21adc2c
Compare
bluca
added
needs-review
and removed
reviewed/needs-rework 🔨
|
semaphore CI has a package build failure in nss which looks like a transient issue, and mkosi as well looks like some transient repository metadata issue (kicked the latter, don't have permission/see a button to kick the former) |
src/network/networkd-util.c
Outdated
| @@ -53,6 +53,30 @@ DEFINE_CONFIG_PARSE_ENUM(config_parse_link_local_address_family, link_local_addr | |||
| AddressFamily, "Failed to parse option"); | |||
| DEFINE_STRING_TABLE_LOOKUP(dhcp_lease_server_type, sd_dhcp_lease_server_type); | |||
|
|
|||
| int config_parse_address_family ( | |||
There was a problem hiding this comment.
Please use DEFINE_CONFIG_PARSE_ENUM() macro.
There was a problem hiding this comment.
I will get rid of this completely, looks like folks don't want auto-masquerade for ipv6 after all.
yuwata
added
nspawn
reviewed/needs-rework 🔨
|
I am not sure defaulting to masquerade IPv6 traffic is a sensible choice when set to |
|
I agree that defaulting to IPv6 NAT when coming from older versions of systemd is highly undesirable. |
Hmm, I am not entirely sure I agree. ip masquerading isn't just about having too few addresses. It's also about hiding stuff behind a single IP address, i.e. abstracting the used backend routing from the frontend. I'd argue that's totally ok as a reason to have it.... That said, I see the compat problem: so far people assumed "yes" means only "ipv4" here. i.e. i figure i'd be fine if "yes" means "ipv4" here, and to get the behaviour on both ipv4 and ipv6 people should specify "both" here, or so? Requires special mentioning in the docs, since this is different from other cases of ipv4/ipv6 bools... |
I am not arguing that having the option to do so is bad. I also use S- & DNAT for some IPv6 setups. And while there are uses for this (e.g. in nspawn when you do not have a subnet available or would rather not use it) My point is that this is absolutely unexpected to see this happen as part of the IPMasquerade option after upgrading the system.
Why not rename |
well, we usually avoid having two settings if they control the same stuff just for the two protos. I think we should stick to that, even if we now say that in some very exceptional cases "yes" only means "ipv4" instead of "ipv4+ipv6" like it usually does |
fw-strlen
force-pushed
the
ipv6_masq_and_dnat
branch
from
21adc2c
to
159a35e
Compare
yuwata
added
needs-review
and removed
needs-rebase
reviewed/needs-rework 🔨
|
New version:
|
poettering
added
reviewed/needs-rework 🔨
closely mirrors the existing ipv4 ruleset:
table ip6 io.systemd.nat {
set masq_saddr {
type ipv6_addr
flags interval
}
map map_port_ipport {
type inet_proto . inet_service : ipv6_addr . inet_service
}
chain prerouting {
type nat hook prerouting priority dstnat + 1; policy accept;
fib daddr type local dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
}
chain output {
type nat hook output priority -99; policy accept;
ip6 daddr != ::1 oif "lo" dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
}
chain postrouting {
type nat hook postrouting priority srcnat + 1; policy accept;
ip6 saddr @masq_saddr masquerade
}
}
Only difference is the use of ipv6 addresses instead of ipv4 ones.
Currently has no effect: all in-tree callers pass AF_INET exclusively.
Followup patches will make nspawn expose ipv6 too and rework
IPMasquerade option to support both/v4/v6.
Extend nspawn so it can keep track of one ipv4 and one ipv6 address.
Extend IPMasquerade to also cover ipv6. For compatibility reasons with earlier releases IPMasquerade=yes is identical to IPMasquerade=ipv4. Use IPMasquerade=both to cover ipv6 as well as ipv4. IPForward will now also enable ipv6 forwarding if IPMasquerade for ipv6 is enabled.
In case external entity wiped the ruleset, we need to clear the 'previous' address -- its already gone. This prevents the transaction from succeeding: the delete operation fails.
The nft set backend doesn't support network masks, it works with ranges. Inputs like dead::/64 thus need to be translated to two 'start' and 'end' elements. The 'start' element is the first element in the range (i.e., dead::). The 'stop' element is the first element *past* the range, (dead:0:0100:: in the example). This adds a few test cases.
fw-strlen
force-pushed
the
ipv6_masq_and_dnat
branch
from
159a35e
to
79dd224
Compare
yuwata
added
needs-review
and removed
reviewed/needs-rework 🔨
|
lgtm |
|
@fw-strlen I am sorry that I forgot to review this. I created two follow-up PRs. PTAL. |
|
I know I'm late to the party, but I'm not convinced the decision to make "yes"=="ipv4" good long term. I understand backwards compat is important, but I'd expect most people want to do both if they want at least one. (Or at least in a majority of simple cases where you just turn on masquerading without any additional configuration.) I think we should start emitting a warning if "yes" is used, to move people off the option with surprising semantics. |
This extends the nft backend to also support IPv6.
networkd and nspawn are extended to expose/masquerade the ipv6 address as well.
Masquerade behavior can be returned to ipv4-only mode via "IPMasquerade=ipv4".
This changes the default behaviour; ipv6 addresses are masqueraded and
ipv6 forwarding is enabled.
In the nspawn case, there is currently no way to turn off the ipv6 dnat exposure;
ideas on syntax to do that welcome.
This would close issue #10254.