From f54b23f49ac49e2bd93959283290d335ed11c181 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Tue, 30 Jan 2024 12:58:58 +0100
Subject: [PATCH] firewall: disable forwarding for mgmt interfaces in if-pre-up

Should be more robust and more importantly works when interfaces are not renamed by mdev as is the situation now.

---
 roles/firewall/templates/mgmt.intf.j2 | 2 ++
 roles/firewall/templates/sysctl.conf.j2 | 6 ------
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/roles/firewall/templates/mgmt.intf.j2 b/roles/firewall/templates/mgmt.intf.j2
index 04f99b4..3a94fe9 100644
--- a/roles/firewall/templates/mgmt.intf.j2
+++ b/roles/firewall/templates/mgmt.intf.j2
@@ -11,6 +11,8 @@ iface {{ iface.name }}
     requires {{ iface.vrf.name }}
     pre-up ip link set $IFACE master {{ iface.vrf.name }}
 {% endif %}
+    pre-up sysctl -w net.ipv4.conf.$IFACE.forwarding=0
+    pre-up sysctl -w net.ipv6.conf.$IFACE.forwarding=0
 {% if iface.mtu %}
     mtu {{ iface.mtu }}
 {% endif %}
diff --git a/roles/firewall/templates/sysctl.conf.j2 b/roles/firewall/templates/sysctl.conf.j2
index 65ad5a7..6bc0545 100644
--- a/roles/firewall/templates/sysctl.conf.j2
+++ b/roles/firewall/templates/sysctl.conf.j2
@@ -2,12 +2,6 @@
 net.ipv4.ip_forward = 1
 net.ipv6.conf.all.forwarding = 1
 
-# But not for management interfaces.
-{% for iface in interfaces | selectattr('name', 'match', '^mgmt') %}
-net.ipv4.conf.{{ iface.name }}.forwarding = 0
-net.ipv6.conf.{{ iface.name }}.forwarding = 0
-{% endfor %}
-
 # Zebra docs recommend these.
 net.ipv6.conf.all.keep_addr_on_down = 1
 net.ipv6.route.skip_notify_on_dev_down = 1
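Review bot: The two new pre-up lines in mgmt.intf.j2 splice `$IFACE` into a dotted sysctl key, so an interface name that itself contains a dot (a VLAN sub-interface, for example) produces an ambiguous key, and if the `net.ipv6` tree is absent on a host the second `sysctl -w` fails, which under ifupdown aborts bringing the management interface up. The slash form avoids the ambiguity and `-e` skips a missing key instead of failing the interface: `pre-up sysctl -e -w net/ipv4/conf/$IFACE/forwarding=0` and `pre-up sysctl -e -w net/ipv6/conf/$IFACE/forwarding=0`; procps sysctl accepts both, so confirm the sysctl binary shipped on these hosts does as well. Since the per-interface entries are now gone from sysctl.conf.j2, these two pre-up lines are the only thing keeping forwarding off on management interfaces, and a later re-application of `net.ipv4.ip_forward = 1` / `net.ipv6.conf.all.forwarding = 1` after ifup (a sysctl reload, the role re-running) propagates forwarding=1 to every existing interface until the next ifdown/ifup. A short comment above the new lines stating that dependency, e.g. `{# forwarding is only disabled here; sysctl.conf re-enables it globally #}`, would help the next maintainer keep the ordering right.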