firewall: disable forwarding for mgmt interfaces in if-pre-up

Should be more robust and more importantly works when interfaces are not renamed by mdev as is the situation now.
2024-01-30 12:58:58 +01:00 · 2024-01-30 12:58:58 +01:00 · f54b23f49a
commit f54b23f49a
parent 25289dd82f
2 changed files with 2 additions and 6 deletions
--- a/roles/firewall/templates/mgmt.intf.j2
+++ b/roles/firewall/templates/mgmt.intf.j2
@ -11,6 +11,8 @@ iface {{ iface.name }}
    requires {{ iface.vrf.name }}
    pre-up ip link set $IFACE master {{ iface.vrf.name }}
 {% endif %}
+    pre-up sysctl -w net.ipv4.conf.$IFACE.forwarding=0
+    pre-up sysctl -w net.ipv6.conf.$IFACE.forwarding=0
 {% if iface.mtu %}
    mtu {{ iface.mtu }}
 {% endif %}
--- a/roles/firewall/templates/sysctl.conf.j2
+++ b/roles/firewall/templates/sysctl.conf.j2
@ -2,12 +2,6 @@
 net.ipv4.ip_forward = 1
 net.ipv6.conf.all.forwarding = 1

-# But not for management interfaces.
-{% for iface in interfaces | selectattr('name', 'match', '^mgmt') %}
-net.ipv4.conf.{{ iface.name }}.forwarding = 0
-net.ipv6.conf.{{ iface.name }}.forwarding = 0
-{% endfor %}
-
 # Zebra docs recommend these.
 net.ipv6.conf.all.keep_addr_on_down = 1
 net.ipv6.route.skip_notify_on_dev_down = 1