From http://marc.theaimsgroup.com/?l=linux-netdev&m=98752847619477&w=2.

/proc/sys/net/ipv6/conf/all/forwarding overrides device-specific forwarding controls. In effect, global forwarding must be enabled in order to be able to enable forwarding on a specific device (but disable it on the rest). This seems like a bug, but it's remotely possible that there is some logic behind it that we're not getting (e.g. related to different address scoping). Please advise.

---

I have a question regarding the use of the forwarding switches in the IPv6 part of /proc.

Scenario:

  Internal host --- native IPv6 --- (eth0) local tunnel server (sit0) --- tunneled IPv6 --- 6bone

On my "local tunnel server" (2.2.19pre16) the following switches are currently available:

  # find /proc/sys/net/ipv6 -name 'forward*'
  /proc/sys/net/ipv6/conf/sit1/forwarding
  /proc/sys/net/ipv6/conf/sit0/forwarding
  /proc/sys/net/ipv6/conf/eth1/forwarding
  /proc/sys/net/ipv6/conf/eth0/forwarding
  /proc/sys/net/ipv6/conf/lo/forwarding
  /proc/sys/net/ipv6/conf/default/forwarding
  /proc/sys/net/ipv6/conf/all/forwarding

IPv6 routing from "internal host" to 6bone only works if the following forwarding switches are set like this:

  /proc/sys/net/ipv6/conf/eth0/forwarding = 1
  /proc/sys/net/ipv6/conf/sit0/forwarding = 1
  /proc/sys/net/ipv6/conf/all/forwarding = 1

But if I set "/proc/sys/net/ipv6/conf/all/forwarding" to "1", all dedicated device switches are also set to "1". This is the same behavior as in IPv4, but unlike in IPv4, if "/proc/sys/net/ipv6/conf/all/forwarding" = 0, IPv6 routing is generally disabled. Therefore

  /proc/sys/net/ipv6/conf/eth0/forwarding = 1
  /proc/sys/net/ipv6/conf/sit0/forwarding = 1
  /proc/sys/net/ipv6/conf/all/forwarding = 0

doesn't route anything.

That's bad for security, because if someone only wants to enable dedicated devices for IPv6 routing, he must first globally enable IPv6 routing with

  /proc/sys/net/ipv6/conf/all/forwarding = 1

and then afterwards disable forwarding on each device that should not do IPv6 routing, like

  /proc/sys/net/ipv6/conf/eth1/forwarding = 0

Therefore 2 questions:

a) is this a bug or a feature?
b) why is it different from IPv4, where routing still works if

  /proc/sys/net/ipv4/ip_forward = /proc/sys/net/ipv4/conf/all/forwarding = 0
  /proc/sys/net/ipv4/conf/eth0/forwarding = 1
  /proc/sys/net/ipv4/conf/ppp0/forwarding = 1

(Tested with masquerading, which also makes use of such switches.)

My opinion is that IPv6 routing should only depend on the "per device" switches, and "all" should only toggle all "per device" switches in one direction but not switch routing capabilities - this is better for security.

---
The behavior is correct. Alexey posted a summary of why on netdev. Basically the global option controls if the machine as a whole is an ipv6 router or not, per-interface routing control simply does not exist in ipv6. The per-device ipv6 routing options control only the autoconfiguration and neighbour discovery routing-related aspects of that device.
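The practical consequence of the reply is that reading a single per-device file tells you nothing about whether the box actually forwards IPv6; only all/forwarding does. The script below is an added audit example, not code from the bug report or from the kernel: it walks a conf tree, prints each device's own switch next to the effective state derived from all/forwarding, and builds a constructed copy of the reporter's "eth0 = 1, sit0 = 1, all = 0" tree so it can be run without root. The root-directory argument is a hypothetical convenience for that; with no argument the functions read the real /proc/sys/net/ipv6/conf.

```shell
#!/bin/sh
# Added example (not part of the original report). Audits the IPv6
# forwarding sysctls under the semantics the reply describes: the machine
# forwards IPv6 only when all/forwarding is 1; the per-device files then
# govern only that device's ND/autoconfiguration router behaviour.

# Print "<dev> per-device=<v> effective=<v>" for each device under the root.
# $1 is a hypothetical root-directory parameter (defaults to the real /proc path).
ipv6_fwd_audit() {
    audit_root="${1:-/proc/sys/net/ipv6/conf}"
    all_fwd=$(cat "$audit_root/all/forwarding" 2>/dev/null || echo 0)
    for f in "$audit_root"/*/forwarding; do
        dev=$(basename "$(dirname "$f")")
        case "$dev" in all|default) continue ;; esac   # not real devices
        per_dev=$(cat "$f")
        # Effective forwarding follows the global switch, not the device file.
        if [ "$all_fwd" = 1 ]; then eff=1; else eff=0; fi
        printf '%s per-device=%s effective=%s\n' "$dev" "$per_dev" "$eff"
    done
}

# Exit 0 if the box is an IPv6 router (all/forwarding = 1), non-zero otherwise.
ipv6_is_router() {
    router_root="${1:-/proc/sys/net/ipv6/conf}"
    [ "$(cat "$router_root/all/forwarding" 2>/dev/null)" = 1 ]
}

# Build a constructed conf tree mirroring the report's "doesn't route
# anything" case: eth0 and sit0 set to 1, everything else (including all) 0.
# Prints the temporary directory so callers can pass it to the functions above.
make_demo_tree() {
    demo_root=$(mktemp -d)
    for d in all default lo eth0 eth1 sit0 sit1; do
        mkdir -p "$demo_root/$d"
        echo 0 > "$demo_root/$d/forwarding"
    done
    echo 1 > "$demo_root/eth0/forwarding"
    echo 1 > "$demo_root/sit0/forwarding"
    printf '%s\n' "$demo_root"
}

# Stand-alone usage: audit the constructed tree, then the real one if present.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    demo=$(make_demo_tree)
    ipv6_fwd_audit "$demo"
    ipv6_is_router "$demo" && echo "demo tree: router" || echo "demo tree: not a router"
    rm -rf "$demo"
    [ -d /proc/sys/net/ipv6/conf ] && ipv6_fwd_audit
fi
```

On the constructed tree every line reports effective=0 even though eth0 and sit0 show per-device=1, which is exactly the situation the reporter hit; flipping all/forwarding to 1 makes every device effective=1 at once. For a host-hardening check, ipv6_is_router is the value to alert on, since a per-device 0 does not stop forwarding while all/forwarding is 1.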