
#1 2015-04-30 14:18:27

mushrewm
Member
Registered: 2015-04-29
Posts: 3

[SOLVED] NATing broken after update from systemd-218 to 219

I run a linode server (Linux pebble 3.19.1-x86_64-linode53 #1 SMP Tue Mar 10 15:30:28 EDT 2015 x86_64 GNU/Linux), which among other things runs an OpenVPN server.  After moving from systemd 218 to systemd 219, NATing stops working.   Here is what I see when a client pings 8.8.8.8 on systemd-218.

21:44:07.791046 IP pylon > google-public-dns-a.google.com: ICMP echo request, id 31815, seq 146, length 64
21:44:07.791065 IP xxx.members.linode.com > google-public-dns-a.google.com: ICMP echo request, id 31815, seq 146, length 64
21:44:07.792321 IP google-public-dns-a.google.com > xxx.members.linode.com: ICMP echo reply, id 31815, seq 146, length 64
21:44:07.792353 IP google-public-dns-a.google.com > pylon: ICMP echo reply, id 31815, seq 146, length 64

and here it is on 219

21:44:07.791046 IP pylon > google-public-dns-a.google.com: ICMP echo request, id 31815, seq 146, length 64
21:44:07.791065 IP xxx.members.linode.com > google-public-dns-a.google.com: ICMP echo request, id 31815, seq 146, length 64
21:44:07.792321 IP google-public-dns-a.google.com > xxx.members.linode.com: ICMP echo reply, id 31815, seq 146, length 64

Simply rolling back systemd to 218 resolves the issue.  My iptables configuration is more extensive, but the issue can be reproduced with only:

iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I did verify that ip_forward was set correctly before and after systemd 219.  Does anyone have an idea of what to look at to start diagnosing where the 219 based system is falling down?

Update: switched to the latest kernel available (Linux pebble 4.0.0-x86_64-linode54 #1 SMP Tue Apr 21 08:55:19 EDT 2015 x86_64 GNU/Linux).  No change in symptoms.

Update 2:  There is a clue here http://www.linuxquestions.org/questions … ges-36431/.  I don't have time to dig up the systemd changes right now, but it looks like I am missing some configuration in my .network files.

Update 3: No luck configuring a .network file to make this work.  Added bug: https://bugs.archlinux.org/task/44803


Solution:

Add IPForward=yes to .network file for eth0. 

Note: in my case, linode was helping me by clobbering my network config on each boot, so that made debugging this a little challenging until I noticed what was happening.

Last edited by mushrewm (2015-05-01 19:24:25)
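
A quick check for the condition behind the solution above, as an added example that is not part of the original post: in the 219 capture the echo reply arrives on eth0 but is never forwarded on, and Linux decides IPv4 forwarding per receiving interface, so the function below lists interfaces whose own forwarding flag is 0 while the global switch (the value ip_forward reports) is 1. The function name and its optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread.
# forwarding_gaps [CONF_ROOT]
#   Prints every interface whose per-interface IPv4 forwarding flag is 0
#   although the global flag (conf/all/forwarding, same value as ip_forward)
#   is 1. CONF_ROOT defaults to the live kernel tree; the argument exists so
#   the function can be pointed at a constructed directory.
#   Returns 0 after a successful scan, 1 if global forwarding is off,
#   2 if the tree cannot be read.
forwarding_gaps() {
    root=${1:-/proc/sys/net/ipv4/conf}
    if [ ! -r "$root/all/forwarding" ]; then
        echo "cannot read $root/all/forwarding" >&2
        return 2
    fi
    global=$(cat "$root/all/forwarding")
    if [ "$global" != "1" ]; then
        echo "global forwarding is off (all/forwarding=$global)" >&2
        return 1
    fi
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        ifname=$(basename "$dir")
        # "all" and "default" are templates, "lo" never forwards traffic.
        case $ifname in all|default|lo) continue ;; esac
        [ -r "$dir/forwarding" ] || continue
        if [ "$(cat "$dir/forwarding")" = "0" ]; then
            echo "$ifname"
        fi
    done
    return 0
}

# Usage on the router: source this file, then run `forwarding_gaps`.
# An interface printed here drops packets it receives that need routing,
# which is the case the thread fixes with IPForward=yes in the .network
# file for eth0.
```

An empty result with exit status 0 means every interface forwards; run it again after a reboot if something rewrites the network configuration at boot, as the note above describes.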


#2 2015-04-30 14:31:21

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 14,078

Re: [SOLVED] NATing broken after update from systemd-218 to 219

Maybe it has to do with systemd-networkd and problems when IPv6 is not supported in the kernel?

Check https://bbs.archlinux.org/viewtopic.php?id=196338


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky


#3 2015-04-30 14:35:30

mushrewm
Member
Registered: 2015-04-29
Posts: 3

Re: [SOLVED] NATing broken after update from systemd-218 to 219

I saw that earlier and hoped that may be the problem.  This problem may be related but is not the same, as my kernel has IPv6 support.

sconnor@pebble ~ % zcat /proc/config.gz | grep -i ipv6
CONFIG_IPV6=y
CONFIG_IPV6_ROUTER_PREF=y
# CONFIG_IPV6_ROUTE_INFO is not set
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
# CONFIG_IPV6_MIP6 is not set
CONFIG_IPV6_VTI=y
CONFIG_IPV6_SIT=y
# CONFIG_IPV6_SIT_6RD is not set
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=y
CONFIG_IPV6_GRE=y
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_IPV6_SUBTREES=y
# CONFIG_IPV6_MROUTE is not set
# IPv6: Netfilter Configuration
CONFIG_NF_DEFRAG_IPV6=y
CONFIG_NF_CONNTRACK_IPV6=y
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_CHAIN_ROUTE_IPV6=y
CONFIG_NF_REJECT_IPV6=y
CONFIG_NFT_REJECT_IPV6=y
CONFIG_NF_LOG_IPV6=y
CONFIG_NF_NAT_IPV6=y
CONFIG_NFT_CHAIN_NAT_IPV6=y
CONFIG_NF_NAT_MASQUERADE_IPV6=y
CONFIG_NFT_MASQ_IPV6=y
CONFIG_NFT_REDIR_IPV6=y
CONFIG_IP6_NF_MATCH_IPV6HEADER=y


#4 2015-05-01 16:52:25

mushrewm
Member
Registered: 2015-04-29
Posts: 3

Re: [SOLVED] NATing broken after update from systemd-218 to 219

Still no luck.  According to http://cgit.freedesktop.org/systemd/sys … 56638378ce, there are two new settings in systemd-219 (IPForwarding, IPMasquerade), which I believe that I would need to set for my network interface.   I tried creating a .network file for tun0, to no effect.  Here it is anyway:

[Match]
Name=tun0
 
[Network]
IPForwarding=yes
IPMasquerade=yes

Running a 'networkctl list' shows that the interface is managed after the addition of the above network file.

So far still on systemd-218, and starting to become disillusioned with systemd as a whole.


#5 2015-05-02 16:15:30

konradsa
Member
Registered: 2015-04-30
Posts: 7

Re: [SOLVED] NATing broken after update from systemd-218 to 219

mushrewm wrote:

Still no luck.  According to http://cgit.freedesktop.org/systemd/sys … 56638378ce, there are two new settings in systemd-219 (IPForwarding, IPMasquerade), which I believe that I would need to set for my network interface.   I tried creating a .network file for tun0, to no effect.  Here it is anyway:

[Match]
Name=tun0
 
[Network]
IPForwarding=yes
IPMasquerade=yes

Running a 'networkctl list' shows that the interface is managed after the addition of the above network file.

So far still on systemd-218, and starting to become disillusioned with systemd as a whole.


I had the same issue and posted about it here: https://bbs.archlinux.org/viewtopic.php?id=196809

I don't know if I am disillusioned about systemd, but I think it's a pretty ridiculous change that breaks a lot of working setups without warning for no apparent reason.
