Netplan

Replacement for ifconfig-based network scripts that abstracts network configuration into YAML files.

General Usage

Usage is typically done by generating a plan and applying it. The old moniker of ifup/ifdown no longer applies. bridge-utils should not be used independently with Netplan. Netplan should take care of all network configuration.

Make changes in /etc/netplan/01-netcfg.yaml by default. See reference for configuration options.

Generate new configurations from the plan.
netplan generate --debug
Apply the network plan to the system.
netplan --debug apply
Check the status of generated devices.
networkctl list
Show all interfaces.
ip a

Bridging

This is useful for providing a network interface to be used by VMs / Docker containers. The bridged network can be assigned an IP address directly and used as well; however, there seems to be an issue when the same bridge is used for KVM guests and for host network traffic. See reference and general bridging help.

In most advanced configurations the base adapter should not be given an IP address; the resulting bonded or bridged device should.

Two NICs bridged together, using DHCP for IPv4, with a specific MAC address and with spanning tree and forward delay disabled. Original bridged networks reference.
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      dhcp4: false
    eno2:
      dhcp4: false

  bridges:
    br0:
      interfaces:
        - eno1
        - eno2
      dhcp4: true
      macaddress: a1:b2:c3:d4:e5:f6
      parameters:
        stp: false
        forward-delay: 0
Two NICs bonded together in the default configuration, with a bridge created on top of the bonded interface. Original bonded bridged networks reference.
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      dhcp4: false
      dhcp6: false
    eno2:
      dhcp4: false
      dhcp6: false

  bonds:
    bond0:
      dhcp4: false
      dhcp6: false
      interfaces:
        - eno1
        - eno2

  bridges:
    br0:
      interfaces:
        - bond0
      dhcp4: true
      parameters:
        stp: false
        forward-delay: 0
Three NICs, two of them bonded together with a custom mode and a primary set. The bridged network is a single card with spanning tree and forward delay disabled.
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      dhcp4: false
      dhcp6: false
    eno2:
      dhcp4: false
      dhcp6: false
    enp7s0:
      dhcp4: false
      dhcp6: false

  bonds:
    bond0:
      interfaces:
        - enp7s0
        - eno2
      dhcp4: true
      parameters:
        mode: active-backup
        primary: enp7s0

  bridges:
    br0:
      interfaces:
        - eno1
      dhcp4: true
      parameters:
        stp: false
        forward-delay: 0

Default Route Issues

Netplan does not currently allow route or metric configuration for DHCP-enabled devices. This creates issues when several adapters are all connected at the same time: the default route ends up on whichever network was brought up last. The following works around the issue by adjusting the networkd configuration manually after netplan has run.

  • Configure netplan as normal and note interface designations.

  • Apply config.

Copy the networkd unit of the adapter that should own the default route to /etc and set its route metric.
netplan --debug apply
cp /run/systemd/network/10-netplan-{ADAPTER}.network /etc/systemd/network
0644 root root /etc/systemd/network/10-netplan-{ADAPTER}.network
[Match]
Name=bond0

[Network]
DHCP=ipv4
LinkLocalAddressing=ipv6
ConfigureWithoutCarrier=yes

[DHCP]
RouteMetric=100
UseMTU=true
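The copy-and-pin step above as a small script. This is an added example, not code from the original page: the 10-netplan-{ADAPTER}.network file name comes from the page, while the optional source and destination directory arguments are an assumption that lets the function be exercised against files outside the live /run and /etc trees.

```shell
#!/bin/sh
# Added example (not from the original page): copy the netplan-generated networkd
# unit for one adapter into /etc/systemd/network and pin RouteMetric in its [DHCP]
# section, so that adapter keeps the preferred default route after netplan runs.
# Assumption: the optional SRC_DIR/DST_DIR arguments exist only so the function can
# be run against files outside the live /run and /etc trees.
set -u

# pin_route_metric ADAPTER METRIC [SRC_DIR] [DST_DIR]
pin_route_metric() {
    adapter=$1
    metric=$2
    src_dir=${3:-/run/systemd/network}
    dst_dir=${4:-/etc/systemd/network}
    unit="10-netplan-${adapter}.network"
    src="${src_dir}/${unit}"
    dst="${dst_dir}/${unit}"
    if [ ! -f "$src" ]; then
        echo "no generated unit for ${adapter} at ${src}; run netplan apply first" >&2
        return 1
    fi
    cp "$src" "$dst"
    if grep -q '^RouteMetric=' "$dst"; then
        # netplan already emitted a metric: overwrite it in place
        awk -v m="$metric" '/^RouteMetric=/ { print "RouteMetric=" m; next } { print }' \
            "$dst" > "$dst.tmp"
    elif grep -q '^\[DHCP\]' "$dst"; then
        # [DHCP] section exists without a metric: add the key right under the header
        awk -v m="$metric" '{ print } /^\[DHCP\]$/ { print "RouteMetric=" m }' \
            "$dst" > "$dst.tmp"
    else
        # no [DHCP] section at all: append one
        { cat "$dst"; printf '\n[DHCP]\nRouteMetric=%s\n' "$metric"; } > "$dst.tmp"
    fi
    mv "$dst.tmp" "$dst"
    chmod 0644 "$dst"
}

# route_metric FILE: print the RouteMetric value pinned in FILE (empty when unset)
route_metric() {
    sed -n 's/^RouteMetric=//p' "$1"
}
```

Run it as root after every netplan apply, e.g. pin_route_metric bond0 50, since netplan regenerates the /run copy each time.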

Note

A higher RouteMetric number means lower priority. The default is 100. Whenever a new netplan configuration is applied, ensure this is still set.

KVM Specific Issues

There seems to be an issue with Netplan bridging, KVM, and using the same bridge for host networking traffic as well as VM traffic. The workaround is to have a separate bridged adapter. This is a longstanding bug with KVM and can be fixed by modifying sysctl settings.

Important

By default Docker sets the iptables FORWARD chain policy to DROP (-P FORWARD DROP) to prevent specific exploitation vectors for containers. Unfortunately, this applies to all interfaces, regardless of which interface Docker uses, and the policy is re-applied every time the Docker service is started. By default iptables also filters traffic crossing bridged interfaces.

This results in KVM virtual machines on a system with Docker being unable to use a bridge for network communication. As a bridge is a layer 2 device, it really shouldn't be filtering IP packets anyway. You can simply stop bridged adapters from being passed through iptables. If you still use the bridge adapter for system traffic, consider adjusting the FORWARD filter rules instead.

Test Fix

Disable IP filtering on bridged interfaces (as root).
echo "0" > /proc/sys/net/bridge/bridge-nf-call-iptables
echo "0" > /proc/sys/net/bridge/bridge-nf-call-ip6tables
echo "0" > /proc/sys/net/bridge/bridge-nf-call-arptables

Note

This will not persist across reboots; verify that everything now works.

Permanent Fix

Make the fix permanent by updating the sysctl settings as well as the UFW sysctl settings.

0644 root root /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
0644 root root /etc/ufw/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

There is a longstanding bug on Debian-based systems where sysctl does not apply the network settings in sysctl.conf properly at boot. This can be worked around with a root cronjob:

crontab -e
@reboot sleep 15; /sbin/sysctl -p
Ensure settings are applied by rebooting and verifying.
reboot
sysctl -a | grep bridge
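A diagnostic for the Docker/KVM bridge problem described in the Important note, covering both the Test Fix and the Permanent Fix: it reports whether the running kernel still hands bridged frames to iptables, whether the FORWARD policy is DROP, and whether sysctl.conf pins the three keys to 0. This is an added example, not code from the original page; the PROC_BASE and RULES arguments are assumptions that let the checks run against constructed files instead of the live /proc/sys and the output of iptables -S FORWARD.

```shell
#!/bin/sh
# Added example (not from the original page): check whether the Docker FORWARD DROP
# policy will swallow bridged KVM traffic, and whether the bridge-nf fix is both
# live and persisted. Assumptions: PROC_BASE and the RULES file let the checks run
# against constructed input instead of the live /proc/sys and `iptables -S FORWARD`.
set -u

BRIDGE_NF_KEYS="bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables"

# live_bridge_nf [PROC_BASE]: print key=value for every bridge-nf key still enabled
# in the running kernel; prints nothing when all are 0 (or br_netfilter is absent)
live_bridge_nf() {
    base=${1:-/proc/sys}
    for k in $BRIDGE_NF_KEYS; do
        f="$base/net/bridge/$k"
        [ -r "$f" ] || continue
        v=$(cat "$f")
        [ "$v" = "0" ] || echo "$k=$v"
    done
}

# persisted_missing CONF: print each key that CONF (a sysctl.conf) does not pin to 0
persisted_missing() {
    for k in $BRIDGE_NF_KEYS; do
        grep -Eq "^[[:space:]]*net\.bridge\.$k[[:space:]]*=[[:space:]]*0[[:space:]]*$" "$1" \
            || echo "$k"
    done
}

# forward_policy RULES: RULES holds the output of `iptables -S FORWARD`
forward_policy() {
    sed -n 's/^-P FORWARD //p' "$1"
}

# bridge_traffic_blocked PROC_BASE RULES: succeed (0) when bridged IPv4 frames are
# still passed to iptables and the FORWARD policy is DROP, i.e. the symptom above
bridge_traffic_blocked() {
    live_bridge_nf "$1" | grep -q '^bridge-nf-call-iptables=1$' || return 1
    [ "$(forward_policy "$2")" = "DROP" ]
}
```

On a live host, capture the rules with iptables -S FORWARD > /tmp/forward.rules and run bridge_traffic_blocked /proc/sys /tmp/forward.rules before and after the fix; persisted_missing /etc/sysctl.conf should print nothing once the permanent fix is in place.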

References

  1. Bridging under Ubuntu 18.04 and Netplan