rc/network
2
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

firewall: disable forwarding for mgmt interfaces in if-pre-up

Browse source 
Should be more robust and more importantly works when interfaces are
not renamed by mdev as is the situation now.
This commit is contained in:
Timotej Lazar 2024-01-30 12:58:58 +01:00
parent 25289dd82f
commit f54b23f49a
2 changed files with 2 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
roles/firewall/templates/mgmt.intf.j2
View file

@ -11,6 +11,8 @@ iface {{ iface.name }}
requires {{ iface.vrf.name }} requires {{ iface.vrf.name }}
pre-up ip link set $IFACE master {{ iface.vrf.name }} pre-up ip link set $IFACE master {{ iface.vrf.name }}
{% endif %} {% endif %}
pre-up sysctl -w net.ipv4.conf.$IFACE.forwarding=0
pre-up sysctl -w net.ipv6.conf.$IFACE.forwarding=0
{% if iface.mtu %} {% if iface.mtu %}
mtu {{ iface.mtu }} mtu {{ iface.mtu }}
{% endif %} {% endif %}

6
roles/firewall/templates/sysctl.conf.j2
View file

@ -2,12 +2,6 @@
net.ipv4.ip_forward = 1 net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1 net.ipv6.conf.all.forwarding = 1
# But not for management interfaces.
{% for iface in interfaces | selectattr('name', 'match', '^mgmt') %}
net.ipv4.conf.{{ iface.name }}.forwarding = 0
net.ipv6.conf.{{ iface.name }}.forwarding = 0
{% endfor %}
# Zebra docs recommend these. # Zebra docs recommend these.
net.ipv6.conf.all.keep_addr_on_down = 1 net.ipv6.conf.all.keep_addr_on_down = 1
net.ipv6.route.skip_notify_on_dev_down = 1 net.ipv6.route.skip_notify_on_dev_down = 1