systemd network config blocks nebula from assigning IP address to TUN interface

[SleepyLeslie]

Description

nebula is a supported sysext. When it starts, it creates a TUN interface and assigns an IP address to it. The rule in /usr/lib/systemd/network/zz-default.network matches this TUN interface, breaking IP assignment and leaving the interface without a proper address.

The rule uses the following matcher:

[Match]
Name=eth*
Type=!loopback bridge tunnel vxlan wireguard
Driver=!veth dummy

The Type of nebula's TUN interface is none according to networkctl list. Adding none to the Type list is confirmed to fix the issue.

Impact

nebula does not work because of this bug.

Additional information

While there is a simple workaround (copy the file to /etc/systemd/network/zz-default.network then add none to Type), I think the blacklist approach used in this config file may cause similar issues in the future. I recommend using a whitelist instead, and only match Type=ether wlan wwan.

[pothos]

Thanks for the detailed report. The allow-list approach is also interesting. One more thing to consider is Kind=!* or if not all then some of "bond", "bridge", "gre", "tun", "veth".

[pothos]

I guess it would be nice to have a recommended "default" example upstream. Currently there is only 89-ethernet.network.example (but I think it should be ok to also apply for a bond device as default).

[pothos]

I've used Kind and Driver now to exclude TUN/TAP devices and think we can backport this: flatcar/init#136

The alternative of only allowing certain things is also good but probably only in addition because TAP devices also are type ether. I suggest we test your idea in a new PR (switching Type= from negative to positive matching but leaving the Kind and Driver settings negative as is) and when merged that would progress from the Alpha channel to Stable to catch any other Type values we also could need.

[pothos]

Backported to Stable and will be part of the next release