Bug 38533 - IPv6: global forwarding overrides device-specific forwarding
Summary: IPv6: global forwarding overrides device-specific forwarding
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kernel
Version: 7.1
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: David Miller
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2001-05-01 08:19 UTC by Pekka Savola
Modified: 2007-04-18 16:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2001-05-01 08:20:55 UTC
Embargoed:



Description Pekka Savola 2001-05-01 08:19:48 UTC
From http://marc.theaimsgroup.com/?l=linux-netdev&m=98752847619477&w=2.

/proc/sys/net/ipv6/conf/all/forwarding overrides device-specific forwarding controls.  In effect,
global forwarding must be enabled in order to be able to enable forwarding on a specific device (but disable
it on the rest).

This seems like a bug, but it's remotely possible that there may be some logic behind that which we're
not getting (e.g. related to different address scoping).

Please advise.

---
I have a question regarding the use of the forwarding switches in the IPv6 
part of /proc

Scenario:
Internal host --- native IPv6 --- (eth0)local tunnel server(sit0) --- tunneled IPv6 --- 6bone

On my "local tunnel server" (2.2.19pre16) the following switches are 
currently available:
# find /proc/sys/net/ipv6 -name 'forward*'
/proc/sys/net/ipv6/conf/sit1/forwarding
/proc/sys/net/ipv6/conf/sit0/forwarding
/proc/sys/net/ipv6/conf/eth1/forwarding
/proc/sys/net/ipv6/conf/eth0/forwarding
/proc/sys/net/ipv6/conf/lo/forwarding
/proc/sys/net/ipv6/conf/default/forwarding
/proc/sys/net/ipv6/conf/all/forwarding


IPv6 routing from "internal host" to 6bone only works if the following 
forwarding switches are set like
/proc/sys/net/ipv6/conf/eth0/forwarding = 1
/proc/sys/net/ipv6/conf/sit0/forwarding = 1
/proc/sys/net/ipv6/conf/all/forwarding  = 1

But if I set "/proc/sys/net/ipv6/conf/all/forwarding" to "1", all dedicated 
device switches are also set to "1". This is the same behavior as in 
IPv4, but unlike in IPv4, if "/proc/sys/net/ipv6/conf/all/forwarding" = 0, 
IPv6 routing is generally disabled.

Therefore
/proc/sys/net/ipv6/conf/eth0/forwarding = 1
/proc/sys/net/ipv6/conf/sit0/forwarding = 1
/proc/sys/net/ipv6/conf/all/forwarding  = 0
doesn't route anything.

That's bad for security, because if someone wants to enable only 
dedicated devices for IPv6 routing, he must first globally enable IPv6 
routing with
/proc/sys/net/ipv6/conf/all/forwarding  = 1

and then afterwards disable forwarding for each device that should *not 
do IPv6 routing*, like
/proc/sys/net/ipv6/conf/eth1/forwarding = 0


Therefore 2 questions:
a) is this a bug or a feature?
b) why is it different from IPv4, where routing still works if
/proc/sys/net/ipv4/ip_forward = /proc/sys/net/ipv4/conf/all/forwarding = 0
/proc/sys/net/ipv4/conf/eth0/forwarding = 1
/proc/sys/net/ipv4/conf/ppp0/forwarding = 1
(Tested with masquerading, which also makes use of such switches)

My opinion is that IPv6 routing should only depend on the "per device" 
switches and "all" should only toggle all "per device" switches in one direction, 
but not switch routing capabilities - this is better for security.
---

Comment 1 David Miller 2001-05-01 22:41:36 UTC
The behavior is correct.  Alexey posted a summary of why on netdev.
Basically the global option controls if the machine as a whole is
an ipv6 router or not; per-interface routing control simply does not
exist in ipv6.  The per-device ipv6 routing options control only
the autoconfiguration and neighbour discovery routing-related aspects of that
device.
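
The rule stated in Comment 1, written as a check an administrator can run. This is an added example, not part of the bug report or the kernel; the function name audit_ipv6_forwarding and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Semantics assumed from Comment 1: conf/all/forwarding decides
# whether the host routes IPv6 at all; per-device switches do not gate routing.

# audit_ipv6_forwarding [CONF_DIR]
# Prints findings; returns 0 = not a router, 1 = router, 2 = tree unreadable.
audit_ipv6_forwarding() {
    conf=${1:-/proc/sys/net/ipv6/conf}
    if [ ! -r "$conf/all/forwarding" ]; then
        echo "ERROR: cannot read $conf/all/forwarding"
        return 2
    fi
    global=$(cat "$conf/all/forwarding")
    if [ "$global" = "1" ]; then
        echo "ROUTER: all/forwarding=1, host forwards IPv6"
    else
        echo "HOST: all/forwarding=$global, host does not forward IPv6"
    fi
    for f in "$conf"/*/forwarding; do
        [ -r "$f" ] || continue
        dev=$(basename "$(dirname "$f")")
        case $dev in all|default) continue ;; esac
        val=$(cat "$f")
        if [ "$global" = "1" ] && [ "$val" = "0" ]; then
            # The admin probably expects this device to be excluded from routing.
            echo "WARN: $dev/forwarding=0 does not stop routing via $dev; use a packet filter"
        elif [ "$global" != "1" ] && [ "$val" = "1" ]; then
            # The reporter's non-working setup: device switch on, global off.
            echo "WARN: $dev/forwarding=1 has no routing effect while all/forwarding=$global"
        fi
    done
    [ "$global" = "1" ] && return 1
    return 0
}

# Constructed sample tree mirroring the reporter's setup (not real /proc data):
# eth0 and sit0 set to 1, all set to 0.
demo=$(mktemp -d)
for d in all default eth0 eth1 sit0; do
    mkdir -p "$demo/$d"
    echo 0 > "$demo/$d/forwarding"
done
echo 1 > "$demo/eth0/forwarding"
echo 1 > "$demo/sit0/forwarding"
audit_ipv6_forwarding "$demo" || true
rm -rf "$demo"
```

Called with no argument, the function reads the live tree under /proc/sys/net/ipv6/conf.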

