Bug 38533 - IPv6: global forwarding overrides device-specific forwarding
Product: Red Hat Linux
Classification: Retired
Component: kernel
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: David Miller
Brock Organ
Reported: 2001-05-01 04:19 EDT by Pekka Savola
Modified: 2007-04-18 12:32 EDT (History)
Last Closed: 2001-05-01 04:20:55 EDT
Description Pekka Savola 2001-05-01 04:19:48 EDT
From http://marc.theaimsgroup.com/?l=linux-netdev&m=98752847619477&w=2.

/proc/sys/net/ipv6/conf/all/forwarding overrides device-specific forwarding controls.  In effect, global forwarding must be enabled in order to be able to enable forwarding on a specific device (but disable it on the rest).

This seems like a bug, but it's remotely possible that there may be some logic behind it that we're not getting (e.g. related to different address scoping).

Please advise.

I have a question regarding the use of the forwarding switches in the IPv6 
part of /proc

Internal host --- native IPv6 --- (eth0)local tunnel server(sit0) --- tunneled IPv6 --- 6bone

On my "local tunnel server" (2.2.19pre16) are currently following switches 
# find /proc/sys/net/ipv6 -name 'forward*'

IPv6 routing from "internal host" to 6bone only works if the following 
forwarding switches are set like
/proc/sys/net/ipv6/conf/eth0/forwarding = 1
/proc/sys/net/ipv6/conf/sit0/forwarding = 1
/proc/sys/net/ipv6/conf/all/forwarding  = 1

But if I set "/proc/sys/net/ipv6/conf/all/forwarding" to "1", all dedicated 
device switches are also set to "1". This is the same behavior as in 
IPv4, but unlike in IPv4, if "/proc/sys/net/ipv6/conf/all/forwarding" = 0, 
IPv6 routing is generally disabled.

/proc/sys/net/ipv6/conf/eth0/forwarding = 1
/proc/sys/net/ipv6/conf/sit0/forwarding = 1
/proc/sys/net/ipv6/conf/all/forwarding  = 0
doesn't route anything.

That's bad for security issues, because if someone will only enable 
dedicated devices for IPv6 routing, he must first globally enable IPv6 
routing with
/proc/sys/net/ipv6/conf/all/forwarding  = 1

and then afterwards for each *do not IPv6 routing device* disable 
forwarding like
/proc/sys/net/ipv6/conf/eth1/forwarding = 0

Therefore 2 questions:
a) is this a bug or a feature
b) why is it different to IPv4 where routing still works, if
/proc/sys/net/ipv4/ip_forward = /proc/sys/net/ipv4/conf/all/forwarding = 0
/proc/sys/net/ipv4/conf/eth0/forwarding = 1
/proc/sys/net/ipv4/conf/ppp0/forwarding = 1
(Tested with masquerading, which also makes use of such switches)

My opinion is that IPv6 routing should only depend on the "per device" 
switches and that "all" only toggles all "per device" switches in one direction, 
but does not switch routing capabilities - this is better for security issues.
Comment 1 David Miller 2001-05-01 18:41:36 EDT
The behavior is correct.  Alexey posted a summary of why on netdev.
Basically the global option controls if the machine as a whole is
an ipv6 router or not, per-interface routing control simply does not
exist in ipv6.  The per-device ipv6 routing options control only
the autoconfiguration and neighbour discovery routing-related aspects of that
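
An audit of the switches discussed in this report, added here as an example (it is not part of the bug report or of the kernel). It classifies each device using the behaviour stated above: with all/forwarding = 1 the machine as a whole is an IPv6 router, and with all/forwarding = 0 a per-device 1 routes nothing. The function names, the finding labels and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit IPv6 forwarding switches under the semantics
# described in this bug report. Not code from the report or the kernel.

# audit_ipv6_forwarding [conf_root]
# Prints one finding per device. Returns 1 if the host is an IPv6 router,
# 0 if it is not, 2 if the tree cannot be read.
audit_ipv6_forwarding() {
    root=${1:-/proc/sys/net/ipv6/conf}
    [ -r "$root/all/forwarding" ] || { echo "ERROR cannot read $root/all/forwarding"; return 2; }
    all=$(cat "$root/all/forwarding")
    for f in "$root"/*/forwarding; do
        dev=$(basename "$(dirname "$f")")
        case $dev in all|default) continue ;; esac
        val=$(cat "$f")
        if [ "$all" = 1 ]; then
            # Comment 1: the global switch makes the whole machine a router.
            echo "ROUTER $dev forwarding=$val all=1"
        elif [ "$val" = 1 ]; then
            # Report: per-device 1 with all=0 "doesn't route anything".
            echo "INEFFECTIVE $dev forwarding=1 all=0"
        else
            echo "HOST $dev forwarding=0 all=0"
        fi
    done
    if [ "$all" = 1 ]; then return 1; fi
    return 0
}

# make_sample_tree dir all_value dev=value...
# Hypothetical helper: builds a constructed conf tree for offline runs.
make_sample_tree() {
    dir=$1; mkdir -p "$dir/all"; echo "$2" > "$dir/all/forwarding"; shift 2
    for pair in "$@"; do
        mkdir -p "$dir/${pair%%=*}"
        echo "${pair#*=}" > "$dir/${pair%%=*}/forwarding"
    done
}

# Demo on a constructed tree mirroring the report's non-routing case.
demo=$(mktemp -d)
make_sample_tree "$demo" 0 eth0=1 sit0=1 eth1=0
audit_ipv6_forwarding "$demo"
rm -rf "$demo"
```

Called with no argument, `audit_ipv6_forwarding` reads the live tree under /proc/sys/net/ipv6/conf.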
