networkd: add minimal IP forwarding and masquerading support to .network files

This adds two new settings to networkd's .network files:
IPForwarding=yes and IPMasquerade=yes. The former controls the
"forwarding" sysctl setting of the interface, thus controlling whether
IP forwarding shall be enabled on the specific interface. The latter
controls whether a firewall rule shall be installed that exposes traffic
coming from the interface as coming from the local host to all other
interfaces.

This also enables both options by default for container network
interfaces, thus making "systemd-nspawn --network-veth" have network
connectivity out of the box.

1 files changed, 8 insertions, 4 deletions

diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
index 966b59b87..d6504cc17 100644
--- a/src/network/networkd-network.c
+++ b/src/network/networkd-network.c
@@ -22,14 +22,14 @@
 #include <ctype.h>
 #include <net/if.h>
 
-#include "networkd.h"
-#include "networkd-netdev.h"
-#include "networkd-link.h"
-#include "network-internal.h"
 #include "path-util.h"
 #include "conf-files.h"
 #include "conf-parser.h"
 #include "util.h"
+#include "networkd.h"
+#include "networkd-netdev.h"
+#include "networkd-link.h"
+#include "network-internal.h"
 
 static int network_load_one(Manager *manager, const char *filename) {
         _cleanup_network_free_ Network *network = NULL;
@@ -109,6 +109,10 @@ static int network_load_one(Manager *manager, const char *filename) {
         if (r < 0)
                 return r;
 
+        /* IPMasquerade=yes implies IPForward=yes */
+        if (network->ip_masquerade)
+                network->ip_forward = true;
+
         LIST_PREPEND(networks, manager->networks, network);
 
         LIST_FOREACH(routes, route, network->static_routes) {