Default device net config enables ip forwarding

The Linux kernel is inconsistent about how devconf is configured for new network namespaces between ipv4 and ipv6. The behavior can also be controlled via net.core.devconf_inherit_init_net in Linux 5.1+ so make sure to enable forwarding on all and default for both ipv6 and ipv4. This issue first came up testing on a yocto kernel that had this patch: ipv4: net namespace does not inherit network configurations [0] https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html#devconf-inherit-init-net [1] https://lkml.org/lkml/2014/7/29/119 Signed-off-by: Brennan Ashton <brennana@jfrog.com>
2024-06-07 19:41:36 +00:00 · 2019-12-10 16:13:19 -08:00 · 2019-12-10 16:13:19 -08:00 · a952d5c32a
commit a952d5c32a
parent 2cf88ae2c4
1 changed files with 6 additions and 1 deletions
--- a/pkg/agent/syssetup/setup.go
+++ b/pkg/agent/syssetup/setup.go
@ -30,8 +30,13 @@ func Configure() {
 	loadKernelModule("nf_conntrack")
 	loadKernelModule("br_netfilter")

-	enableSystemControl("/proc/sys/net/ipv4/ip_forward")
+	// Kernel is inconsistent about how devconf is configured for
+	// new network namespaces between ipv4 and ipv6. Make sure to
+	// enable forwarding on all and default for both ipv4 and ipv8.
+	enableSystemControl("/proc/sys/net/ipv4/conf/all/forwarding")
+	enableSystemControl("/proc/sys/net/ipv4/conf/default/forwarding")
 	enableSystemControl("/proc/sys/net/ipv6/conf/all/forwarding")
+	enableSystemControl("/proc/sys/net/ipv6/conf/default/forwarding")
 	enableSystemControl("/proc/sys/net/bridge/bridge-nf-call-iptables")
 	enableSystemControl("/proc/sys/net/bridge/bridge-nf-call-ip6tables")
 }