networkd: be more defensive when writing to ipv4/ipv6 forwarding settings

1) never bother with setting the flag for loopback devices 2) if we fail to write the flag due to EROFS (which is likely to happen in containers where /proc/sys is read-only) or any other error, check if the flag already has the right value. If so, don't complain. Closes #469
2026-04-15 00:47:10 +09:00 · 2015-07-06 13:38:47 +02:00
parent 1361205099
commit 15dee3f07c
3 changed files with 39 additions and 6 deletions
--- a/src/basic/fileio.c
+++ b/src/basic/fileio.c
@@ -134,6 +134,17 @@ int read_one_line_file(const char *fn, char **line) {
        return 0;
 }

+int verify_one_line_file(const char *fn, const char *line) {
+        _cleanup_free_ char *value = NULL;
+        int r;
+
+        r = read_one_line_file(fn, &value);
+        if (r < 0)
+                return r;
+
+        return streq(value, line);
+}
+
 int read_full_stream(FILE *f, char **contents, size_t *size) {
        size_t n, l;
        _cleanup_free_ char *buf = NULL;
--- a/src/basic/fileio.h
+++ b/src/basic/fileio.h
@@ -34,6 +34,8 @@ int read_one_line_file(const char *fn, char **line);
 int read_full_file(const char *fn, char **contents, size_t *size);
 int read_full_stream(FILE *f, char **contents, size_t *size);

+int verify_one_line_file(const char *fn, const char *line);
+
 int parse_env_file(const char *fname, const char *separator, ...) _sentinel_;
 int load_env_file(FILE *f, const char *fname, const char *separator, char ***l);
 int load_env_file_pairs(FILE *f, const char *fname, const char *separator, char ***l);
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -1486,35 +1486,55 @@ static int link_enter_join_netdev(Link *link) {
 }

 static int link_set_ipv4_forward(Link *link) {
-        const char *p = NULL;
+        const char *p = NULL, *v;
        int r;

+        if (link->flags & IFF_LOOPBACK)
+                return 0;
+
        if (link->network->ip_forward == _ADDRESS_FAMILY_BOOLEAN_INVALID)
                return 0;

        p = strjoina("/proc/sys/net/ipv4/conf/", link->ifname, "/forwarding");
-        r = write_string_file_no_create(p, one_zero(link_ipv4_forward_enabled(link)));
-        if (r < 0)
+        v = one_zero(link_ipv4_forward_enabled(link));
+
+        r = write_string_file_no_create(p, v);
+        if (r < 0) {
+                /* If the right value is set anyway, don't complain */
+                if (verify_one_line_file(p, v) > 0)
+                        return 0;
+
                log_link_warning_errno(link, r, "Cannot configure IPv4 forwarding for interface %s: %m", link->ifname);
+        }

        return 0;
 }

 static int link_set_ipv6_forward(Link *link) {
-        const char *p = NULL;
+        const char *p = NULL, *v = NULL;
        int r;

        /* Make this a NOP if IPv6 is not available */
        if (!socket_ipv6_is_supported())
                return 0;

+        if (link->flags & IFF_LOOPBACK)
+                return 0;
+
        if (link->network->ip_forward == _ADDRESS_FAMILY_BOOLEAN_INVALID)
                return 0;

        p = strjoina("/proc/sys/net/ipv6/conf/", link->ifname, "/forwarding");
-        r = write_string_file_no_create(p, one_zero(link_ipv6_forward_enabled(link)));
-        if (r < 0)
+        v = one_zero(link_ipv6_forward_enabled(link));
+
+        r = write_string_file_no_create(p, v);
+        if (r < 0) {
+                /* If the right value is set anyway, don't complain */
+                if (verify_one_line_file(p, v) > 0)
+                        return 0;
+
                log_link_warning_errno(link, r, "Cannot configure IPv6 forwarding for interface: %m");
+        }

        return 0;
 }