networkd from systemd-222 (don't know about older versions) breaks NAT-ed libvirt networking. Tested with libvirt-1.2.15-r1 and libvirt-1.2.17. When libvirtd is started, systemd-networkd brings *all* interfaces up (even those interfaces that normally are down: ip6tnl0, sit0, tunl0, virbr*-nic, etc) and somehow breaks packet forwarding. I spent some time investigating this issue, but didn't find how it breaks forwarding. All sysctl values are fine, iptables rules are fine, etc, etc. And everything works fine if systemd-networkd.socket is disabled. Note that the network on this host is managed by NetworkManager.

$ qlist systemd | grep '/etc.*networkd'
/etc/systemd/system/sockets.target.wants/systemd-networkd.socket

Comparison of "ip a l" output without and with systemd-networkd.socket enabled:

@@ -4,12 +4,16 @@ valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever -2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default +2: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default link/ipip 0.0.0.0 brd 0.0.0.0 -3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default +3: sit0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default link/sit 0.0.0.0 brd 0.0.0.0 -4: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default + inet6 ::127.0.0.1/96 scope host + valid_lft forever preferred_lft forever +4: ip6tnl0@NONE: <NOARP,UP,LOWER_UP> mtu 1452 qdisc noqueue state UNKNOWN group default link/tunnel6 :: brd :: + inet6 fe80::3c74:5fff:feae:fc91/64 scope link + valid_lft forever preferred_lft forever 5: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:25:90:7f:5e:06 brd ff:ff:ff:ff:ff:ff inet 192.168.1.5/24 brd 192.168.1.255 scope global enp3s0 
@@ -17,7 +21,7 @@ inet6 fdf9:805:1b68::a57/128 scope global valid_lft forever preferred_lft forever inet6 fdf9:805:1b68:0:225:90ff:fe7f:5e06/64 scope global noprefixroute dynamic - valid_lft 7161sec preferred_lft 1761sec + valid_lft 7095sec preferred_lft 1695sec inet6 fe80::225:90ff:fe7f:5e06/64 scope link valid_lft forever preferred_lft forever 6: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000 @@ -26,11 +30,11 @@ link/ether 52:54:00:dd:79:ef brd ff:ff:ff:ff:ff:ff inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 valid_lft forever preferred_lft forever -8: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 500 +8: virbr0-nic: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 500 link/ether 52:54:00:dd:79:ef brd ff:ff:ff:ff:ff:ff 9: virbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 52:54:00:7e:12:3a brd ff:ff:ff:ff:ff:ff inet 192.168.100.1/24 brd 192.168.100.255 scope global virbr1 valid_lft forever preferred_lft forever -10: virbr1-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr1 state DOWN group default qlen 500 +10: virbr1-nic: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel master virbr1 state DOWN group default qlen 500 link/ether 52:54:00:7e:12:3a brd ff:ff:ff:ff:ff:ff
I really don't want to just go and disable this by default because I'm not sure what else that will break.
Actually, I see that systemd-networkd.service now has this: [Install] WantedBy=multi-user.target Also=systemd-networkd.socket So, I guess removing the /etc/systemd/system/sockets.target.wants/systemd-networkd.socket symlink should be fine. I guess I might need to add a postinst message telling people to run systemctl reenable systemd-networkd.
BTW, systemd-networkd.service is socket-activated now, so the following line from the ebuild is useless: rm "${D}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service || die
I mean: you either need to remove both service and socket, or leave them as is.
Heh.. From systemd-220 changelog: * Note that systemd-networkd manages the sysctl variable /proc/sys/net/ipv[46]/conf/*/forwarding for each interface it is configured for since v219. The variable controls IP forwarding, and is a per-interface alternative to the global /proc/sys/net/ipv[46]/ip_forward. This setting is configurable in the IPForward= option, which defaults to "no". This means if networkd is used for an interface it is no longer sufficient to set the global sysctl option to turn on IP forwarding! Instead, the .network file option IPForward= needs to be turned on! Note that the implementation of this behaviour was broken in v219 and has been fixed in v220. If I recall correctly I already tried to change these values. I'll try again.
+ 24 Jul 2015; Mike Gilbert <floppym@gentoo.org> systemd-9999.ebuild: + Remove /etc/systemd/systemd/sockets.target.wants, bug 555814. systemd-223 is due soon, so I will wait for that instead of revbumping.
I figured out my original problem. All network interfaces were managed by systemd-networkd, which disabled forwarding for them:

$ sudo networkctl --all
IDX LINK TYPE OPERATIONAL SETUP
1 lo loopback carrier configured
2 tunl0 tunnel carrier configured
3 sit0 sit routable configured
4 ip6tnl0 tunnel6 degraded configured
5 enp3s0 ether routable configured
6 enp4s0 ether no-carrier configured
7 virbr1 ether no-carrier configured
8 virbr1-nic ether no-carrier configured
9 virbr0 ether no-carrier configured
10 virbr0-nic ether no-carrier configured
10 links listed.

And this was caused by a commented-out network config (!). I renamed it and this fixed the problem:

$ cat /etc/systemd/network/enp3s0.network.disable
#[Match]
#Name=enp3s0
#[Network]
#Address=192.168.1.5/24
#Gateway=192.168.1.1
#DNS=192.168.1.1

$ sudo networkctl --all
Пароль:
IDX LINK TYPE OPERATIONAL SETUP
1 lo loopback carrier unmanaged
2 tunl0 tunnel off unmanaged
3 sit0 sit off unmanaged
4 ip6tnl0 tunnel6 off unmanaged
5 enp3s0 ether routable unmanaged
6 enp4s0 ether no-carrier unmanaged
7 virbr0 ether no-carrier unmanaged
8 virbr0-nic ether off unmanaged
9 virbr1 ether no-carrier unmanaged
10 virbr1-nic ether off unmanaged
10 links listed.

I'll report this upstream.
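The root cause above (a fully commented-out .network file that still matches every link, after which networkd's IPForward=no default clears the per-interface forwarding sysctl) can be caught with a small audit script. This is an added example written for this page, not code from the bug report or from systemd; the directory layout and sysctl root it reads from are assumptions, and the sample files are constructed here so it runs offline.

```shell
#!/bin/sh
# Added example, not from the bug report: flag .network files whose [Match]
# section has no effective keys. systemd-networkd applies such a file to every
# link, and its IPForward= default of "no" then clears the per-interface
# forwarding sysctl, which is what broke libvirt NAT in this bug.
# The sample directory and file contents below are constructed for the demo.

# classify_network_file FILE -> prints "matches-all" or "scoped"
classify_network_file() {
    awk '
        /^[[:space:]]*[#;]/ { next }             # "#" and ";" both start comments
        /^[[:space:]]*$/    { next }
        /^\[Match\]/        { in_match = 1; next }
        /^\[/               { in_match = 0; next }
        in_match && /=/     { keys++ }
        END { if (keys > 0) print "scoped"; else print "matches-all" }
    ' "$1"
}

# list_catchall_files DIR -> names of *.network files that would match all links
list_catchall_files() {
    for f in "$1"/*.network; do
        [ -e "$f" ] || continue
        [ "$(classify_network_file "$f")" = matches-all ] && basename "$f"
    done
    return 0
}

# forwarding_disabled_ifaces ROOT -> interfaces under ROOT/net/ipv4/conf with forwarding=0
forwarding_disabled_ifaces() {
    for d in "$1"/net/ipv4/conf/*; do
        [ -f "$d/forwarding" ] || continue
        [ "$(cat "$d/forwarding")" = 0 ] && basename "$d"
    done
    return 0
}

# Constructed sample data: the commented-out file from the bug plus a properly scoped one,
# and a fake sysctl tree in place of /proc/sys.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/network" "$DEMO/sys/net/ipv4/conf/enp3s0" "$DEMO/sys/net/ipv4/conf/virbr0"
printf '#[Match]\n#Name=enp3s0\n#[Network]\n#Address=192.168.1.5/24\n' > "$DEMO/network/enp3s0.network"
printf '[Match]\nName=enp4s0\n[Network]\nDHCP=yes\nIPForward=yes\n' > "$DEMO/network/enp4s0.network"
echo 0 > "$DEMO/sys/net/ipv4/conf/enp3s0/forwarding"
echo 1 > "$DEMO/sys/net/ipv4/conf/virbr0/forwarding"

echo "Catch-all .network files:";      list_catchall_files "$DEMO/network"
echo "Interfaces with forwarding=0:";  forwarding_disabled_ifaces "$DEMO/sys"
```

On a real host point the two functions at /etc/systemd/network and /proc/sys instead of the constructed tree.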
(In reply to Mike Gilbert from comment #6) > + 24 Jul 2015; Mike Gilbert <floppym@gentoo.org> systemd-9999.ebuild: > + Remove /etc/systemd/systemd/sockets.target.wants, bug 555814. > > systemd-223 is due soon, so I will wait for that instead of revbumping. This is done in 225 finally