Bug 38533

Summary: IPv6: global forwarding overrides device-specific forwarding
Product: [Retired] Red Hat Linux
Reporter: Pekka Savola <pekkas>
Component: kernel
Assignee: David Miller <davem>
Status: CLOSED NOTABUG
QA Contact: Brock Organ <borgan>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.1
CC: pb
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-05-01 08:20:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Pekka Savola 2001-05-01 08:19:48 UTC
From http://marc.theaimsgroup.com/?l=linux-netdev&m=98752847619477&w=2.

/proc/sys/net/ipv6/conf/all/forwarding overrides device-specific forwarding controls.  In effect,
global forwarding must be enabled in order to be able to enable forwarding on a specific device (but disable
it on the rest).

This seems like a bug, but it's remotely possible that there may be some logic behind it that we're
not getting (e.g. related to different address scoping).

Please advise.

---
I have a question regarding the use of the forwarding switches in the IPv6 
part of /proc

Scenario:
Internal host --- native IPv6 --- (eth0)local tunnel server(sit0) --- 
tunneled IPv6 --- 6bone

On my "local tunnel server" (2.2.19pre16) the following switches are currently
available:
# find /proc/sys/net/ipv6 -name 'forward*'
/proc/sys/net/ipv6/conf/sit1/forwarding
/proc/sys/net/ipv6/conf/sit0/forwarding
/proc/sys/net/ipv6/conf/eth1/forwarding
/proc/sys/net/ipv6/conf/eth0/forwarding
/proc/sys/net/ipv6/conf/lo/forwarding
/proc/sys/net/ipv6/conf/default/forwarding
/proc/sys/net/ipv6/conf/all/forwarding


IPv6 routing from "internal host" to 6bone only works if the following
forwarding switches are set like
/proc/sys/net/ipv6/conf/eth0/forwarding = 1
/proc/sys/net/ipv6/conf/sit0/forwarding = 1
/proc/sys/net/ipv6/conf/all/forwarding  = 1

But if I set "/proc/sys/net/ipv6/conf/all/forwarding" to "1", all dedicated
device switches are also set to "1". This is the same behavior as in
IPv4, but unlike in IPv4, if "/proc/sys/net/ipv6/conf/all/forwarding" = 0,
IPv6 routing is generally disabled.

Therefore
/proc/sys/net/ipv6/conf/eth0/forwarding = 1
/proc/sys/net/ipv6/conf/sit0/forwarding = 1
/proc/sys/net/ipv6/conf/all/forwarding  = 0
doesn't route anything.

That's bad for security, because if someone wants to enable only
dedicated devices for IPv6 routing, he must first globally enable IPv6
routing with
/proc/sys/net/ipv6/conf/all/forwarding  = 1

and then afterwards, for each device that must *not* route IPv6, disable
forwarding like
/proc/sys/net/ipv6/conf/eth1/forwarding = 0


Therefore 2 questions:
a) is this a bug or a feature?
b) why is it different from IPv4, where routing still works if
/proc/sys/net/ipv4/ip_forward = /proc/sys/net/ipv4/conf/all/forwarding = 0
/proc/sys/net/ipv4/conf/eth0/forwarding = 1
/proc/sys/net/ipv4/conf/ppp0/forwarding = 1
(Tested with masquerading, which also makes use of such switches)

My opinion is that IPv6 routing should only depend on the "per device"
switches, and "all" should only toggle all "per device" switches in one direction,
but not switch routing capabilities - this is better for security.
---

Comment 1 David Miller 2001-05-01 22:41:36 UTC
The behavior is correct.  Alexey posted a summary of why on netdev.
Basically the global option controls if the machine as a whole is
an ipv6 router or not, per-interface routing control simply does not
exist in ipv6.  The per-device ipv6 routing options control only
the autoconfiguration and neighbour discovery routing-related aspects of that
device.
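As an added example, not part of the bug report or of any kernel code, the following POSIX shell audit applies the semantics stated in comment 1: the `all` switch alone decides whether the host is an IPv6 router, and a per-device switch set to 0 does not stop that device from forwarding. The function names, the optional root-directory parameter (so the same code can be run against a constructed sysctl tree instead of the live `/proc/sys`), and the tree layout in the self-check are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): audit IPv6 forwarding sysctls.
# Every function takes an optional root directory; it defaults to /proc/sys
# on a live host, and a constructed directory tree can be passed for testing.

# Effective routing verdict for the host, following comment 1:
# only net/ipv6/conf/all/forwarding decides whether the box routes IPv6.
# Prints "router" or "host".
ipv6_fwd_verdict() {
    root="${1:-/proc/sys}"
    all=$(cat "$root/net/ipv6/conf/all/forwarding" 2>/dev/null || echo 0)
    if [ "$all" = "1" ]; then
        echo "router"
    else
        echo "host"
    fi
}

# Devices whose per-device switch is 0 while "all" is 1.  Per comment 1 the
# per-device value only governs autoconfiguration / neighbour discovery, so
# these interfaces still forward IPv6 traffic even though their switch reads
# 0; that is the misconfiguration the report describes, so flag each one.
ipv6_fwd_misleading_devs() {
    root="${1:-/proc/sys}"
    conf="$root/net/ipv6/conf"
    all=$(cat "$conf/all/forwarding" 2>/dev/null || echo 0)
    [ "$all" = "1" ] || return 0
    for f in "$conf"/*/forwarding; do
        [ -f "$f" ] || continue
        dev=$(basename "$(dirname "$f")")
        case "$dev" in all|default) continue ;; esac
        [ "$(cat "$f" 2>/dev/null)" = "0" ] && echo "$dev"
    done
    return 0
}

# Human-readable report for the tree under $1 (or the live host).
ipv6_fwd_report() {
    root="${1:-/proc/sys}"
    echo "IPv6 forwarding verdict: $(ipv6_fwd_verdict "$root")"
    devs=$(ipv6_fwd_misleading_devs "$root")
    if [ -n "$devs" ]; then
        echo "Devices with forwarding=0 that still forward (all=1):"
        echo "$devs" | sed 's/^/  /'
        echo "Restrict forwarding with packet filtering on these interfaces;"
        echo "the per-device switch alone does not do it."
    fi
}

# Run against the live host when its IPv6 sysctl tree is present.
if [ -d /proc/sys/net/ipv6/conf ]; then
    ipv6_fwd_report /proc/sys
fi
```

Run it as root on the tunnel server from the report: with `all=1` and `eth1=0`, it lists `eth1` as an interface that still forwards despite its switch, which is exactly the situation the reporter considered a security problem.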