From a952d5c32a4d233df23b5ed10753be8c33c45255 Mon Sep 17 00:00:00 2001
From: Brennan Ashton
Date: Tue, 10 Dec 2019 16:13:19 -0800
Subject: [PATCH] Default device net config enables ip forwarding

The Linux kernel is inconsistent about how devconf is configured for new network namespaces between ipv4 and ipv6. The behavior can also be controlled via net.core.devconf_inherit_init_net in Linux 5.1+ so make sure to enable forwarding on all and default for both ipv6 and ipv4. This issue first came up testing on a yocto kernel that had this patch: ipv4: net namespace does not inherit network configurations
[0] https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html#devconf-inherit-init-net
[1] https://lkml.org/lkml/2014/7/29/119
Signed-off-by: Brennan Ashton
---
 pkg/agent/syssetup/setup.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pkg/agent/syssetup/setup.go b/pkg/agent/syssetup/setup.go
index b66593f70c..d2955a9a87 100644
--- a/pkg/agent/syssetup/setup.go
+++ b/pkg/agent/syssetup/setup.go
@@ -30,8 +30,13 @@ func Configure() {
 	loadKernelModule("nf_conntrack")
 	loadKernelModule("br_netfilter")
 
-	enableSystemControl("/proc/sys/net/ipv4/ip_forward")
+	// Kernel is inconsistent about how devconf is configured for
+	// new network namespaces between ipv4 and ipv6. Make sure to
+	// enable forwarding on all and default for both ipv4 and ipv8.
+	enableSystemControl("/proc/sys/net/ipv4/conf/all/forwarding")
+	enableSystemControl("/proc/sys/net/ipv4/conf/default/forwarding")
 	enableSystemControl("/proc/sys/net/ipv6/conf/all/forwarding")
+	enableSystemControl("/proc/sys/net/ipv6/conf/default/forwarding")
 	enableSystemControl("/proc/sys/net/bridge/bridge-nf-call-iptables")
 	enableSystemControl("/proc/sys/net/bridge/bridge-nf-call-ip6tables")
 }
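Review bot: The third line of the new comment says `ipv4 and ipv8`, which should read `// enable forwarding on all and default for both ipv4 and ipv6.` Since this comment is the only in-code record of why both `all` and `default` are written, it would also help to name the knob the commit message cites, e.g. `// See net.core.devconf_inherit_init_net (Linux 5.1+): new netns/interfaces may not inherit init_net's devconf.` Replacing `/proc/sys/net/ipv4/ip_forward` with `conf/all/forwarding` looks equivalent (writing either one toggles forwarding on every IPv4 interface, as far as I recall), but that is worth confirming on the kernels the agent targets, because node-wide forwarding is what this function is relied on to turn on. Configure's opening lines are outside the hunk, and enableSystemControl's behaviour when a sysctl write fails is not visible here.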