From 242b3c3fb4a3f8ebeba5c24cf8c7a510cba14143 Mon Sep 17 00:00:00 2001
From: Michael Vollman
Date: Fri, 8 Feb 2019 11:56:19 -0500
Subject: [PATCH] Add ipforward option to configure IPForward
Add ipforward bool optional setting to systemd_networks to enable or disable forwarding for a given interface. IPForward is disabled by default.
Change-Id: Iaea33b1bdde1964f38612ab8c278fed4985d390b
---
 defaults/main.yml | 4 ++++
 tasks/main.yml | 15 +++++++++++++++
 templates/systemd-network.j2 | 3 +++
 tests/test.yml | 14 ++++++++++++++
 4 files changed, 36 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 2ac47b2..92f50c0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -95,6 +95,10 @@ systemd_netdevs: []
 # `static_routes` -- (optional) list of routes to use for the network. This
 # option requires a gateway and cidr to be set
 # within the list item.
+# `ipforward` -- (optional) When set to true forwarding will be enabled for
+# interface. This setting will enable
+# net.ipv4.ip_forward, net.ipv4.conf.all.forwarding
+# and net.ipv4.conf.interface.forwarding
 # systemd_networks:
 # - interface: "dummy0"
diff --git a/tasks/main.yml b/tasks/main.yml
index 7d4268f..7447dab 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -137,3 +137,18 @@
 - systemd_run_networkd | bool
 tags:
 - systemd-networkd
+
+- name: restart systemd_networkd prior to applying sysctl changes
+ meta: flush_handlers
+
+- name: Add IP Forward for interface
+ sysctl:
+ name: "net.ipv4.conf.{{ item.1.interface }}.forwarding"
+ value: 1
+ sysctl_set: yes
+ state: present
+ reload: yes
+ with_indexed_items: "{{ systemd_networks }}"
+ when:
+ - (ansible_os_family | lower) == 'redhat'
+ - item.1.ipforward | default(false) | bool
diff --git a/templates/systemd-network.j2 b/templates/systemd-network.j2
index 2a11519..1dd5290 100644
--- a/templates/systemd-network.j2
+++ b/templates/systemd-network.j2
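Review bot: The new `Add IP Forward for interface` task in tasks/main.yml only ever writes `1`, so forwarding is never switched off again once it has been enabled. With `state: present` the value is persisted, and the condition `item.1.ipforward | default(false) | bool` skips the task when the option is later set to false or removed, although the commit message describes the option as enabling or disabling forwarding. Consider driving the value from the setting, `value: "{{ (item.1.ipforward | bool) | ternary(1, 0) }}"` with `- item.1.ipforward is defined` as the condition, which also matches the test used in templates/systemd-network.j2. The key is built by interpolating `item.1.interface` into a dot-separated name, so an interface name that itself contains a dot (a VLAN sub-interface, for example) would presumably be split in the wrong place by sysctl; that case deserves a guard or a documented restriction. A one-line comment explaining why the task is limited to `ansible_os_family` `redhat` would help too, since the reason is not visible in the hunk.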
@@ -55,3 +55,6 @@ MACVLAN={{ item.1.macvlan }}
 {% elif item.1.vxlan is defined %}
 VXLAN={{ item.1.vxlan }}
 {% endif %}
+{% if item.1.ipforward is defined %}
+IPForward={{ (item.1.ipforward | bool) | ternary('yes', 'no') }}
+{% endif %}
diff --git a/tests/test.yml b/tests/test.yml
index 53175f7..172ef2b 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -54,6 +54,9 @@
 - NetDev:
 Name: br-test
 Kind: bridge
+ - NetDev:
+ Name: br-test2
+ Kind: bridge
 systemd_networks:
 - interface: "dummy0"
 bond: "bond0"
@@ -83,6 +86,10 @@
 - interface: "br-test"
 address: "10.1.0.1"
 netmask: "255.255.255.0"
+ - interface: "br-test2"
+ address: 10.2.0.1
+ netmask: "255.255.255.0"
+ ipforward: true
 - name: Test networkd
@@ -131,6 +138,13 @@
 with_items:
 - MACAddressPolicy
 - NamePolicy
+ - name: Check forwarding is enabled
+ shell: 'grep -wo ^1$ /proc/sys/net/{{ item }}'
+ changed_when: false
+ with_items:
+ - "ipv4/ip_forward"
+ - "ipv4/conf/all/forwarding"
+ - "ipv4/conf/br-test2/forwarding"
 - name: Playbook for role testing with cleanup
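Review bot: The added `IPForward=` line in templates/systemd-network.j2 emits a plain boolean, and per systemd.network(5) a boolean value covers both address families, whereas the option text added in defaults/main.yml and the sysctl task in tasks/main.yml speak only of `net.ipv4.*`. If only IPv4 forwarding is intended, emitting `ipv4` instead of `yes` keeps IPv6 forwarding off: `IPForward={{ (item.1.ipforward | bool) | ternary('ipv4', 'no') }}`. The same man page notes that the setting turns on a global kernel option and never turns it off again, so the description in defaults/main.yml should say that enabling it for one interface makes the whole host forward packets and that `IPForward=no` does not revert that. Whether these lines still fall inside the `[Network]` section cannot be confirmed from the hunk, because the template starts outside it.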
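Review bot: The `Check forwarding is enabled` task in the last tests/test.yml hunk goes through `shell:` with an unquoted `^1$` pattern although it uses no shell feature; `command: "grep -x 1 /proc/sys/net/{{ item }}"` performs the same whole-line match without a shell. In the preceding hunk, `address: 10.2.0.1` is left unquoted while the neighbouring `address: "10.1.0.1"` and both netmasks are quoted; quoting it keeps the entries consistent. The check covers only the enabled path, so nothing in the test shows what happens to an interface declared with `ipforward: false`.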