Default device net config enables ip forwarding

The Linux kernel is inconsistent about how devconf is configured for new
network namespaces between ipv4 and ipv6. The behavior can also be
controlled via net.core.devconf_inherit_init_net in Linux 5.1+ so make
sure to enable forwarding on all and default for both ipv6 and ipv4.

This issue first came up testing on a yocto kernel that had this patch:
 ipv4: net namespace does not inherit network configurations

[0] https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html#devconf-inherit-init-net
[1] https://lkml.org/lkml/2014/7/29/119

Signed-off-by: Brennan Ashton <brennana@jfrog.com>
Brennan Ashton 2019-12-10 16:13:19 -08:00
parent 2cf88ae2c4
commit a952d5c32a


@ -30,8 +30,13 @@ func Configure() {
loadKernelModule("nf_conntrack") loadKernelModule("nf_conntrack")
loadKernelModule("br_netfilter") loadKernelModule("br_netfilter")
enableSystemControl("/proc/sys/net/ipv4/ip_forward") // Kernel is inconsistent about how devconf is configured for
// new network namespaces between ipv4 and ipv6. Make sure to
// enable forwarding on all and default for both ipv4 and ipv8.
enableSystemControl("/proc/sys/net/ipv4/conf/all/forwarding")
enableSystemControl("/proc/sys/net/ipv4/conf/default/forwarding")
enableSystemControl("/proc/sys/net/ipv6/conf/all/forwarding") enableSystemControl("/proc/sys/net/ipv6/conf/all/forwarding")
enableSystemControl("/proc/sys/net/ipv6/conf/default/forwarding")
enableSystemControl("/proc/sys/net/bridge/bridge-nf-call-iptables") enableSystemControl("/proc/sys/net/bridge/bridge-nf-call-iptables")
enableSystemControl("/proc/sys/net/bridge/bridge-nf-call-ip6tables") enableSystemControl("/proc/sys/net/bridge/bridge-nf-call-ip6tables")
} }
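Review bot: the comment on the added lines says "for both ipv4 and ipv8"; that should read ipv6. Beyond the typo, the commit message says the behaviour can also be controlled via net.core.devconf_inherit_init_net on Linux 5.1+, but the hunk never touches /proc/sys/net/core/devconf_inherit_init_net; either set it here (tolerating its absence on older kernels) or extend the comment to say that enabling all and default explicitly for both families was chosen instead, so the next reader does not go looking for the missing sysctl. None of the enableSystemControl calls in the visible lines is checked for failure, so if the helper reports a rejected or missing path, that result should be handled rather than discarded, otherwise forwarding can end up off on exactly the kind of kernel that motivated this change.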