New containers have ip_forward default '1'

Hi

Working from my laptop, I have ip_forward enabled on the LXD host, and I use the default lxdbr0 network.

Are /proc/sys/net/ system configuration variables copied to container when it is launched or started?

I understand lxdbr0 sets ipv4.nat, but why do any new containers get the same value by default?

cat /proc/sys/net/ipv4/ip_forward
1

lxc network show lxdbr0
config:
  ipv4.address: 10.151.59.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:8219:b5cb:5f5c::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by: []
managed: true
status: Created
locations:
- none

Containers (both unprivileged/privileged) start default with the same ip_forward variable value ‘1’. /proc/sys/net/ipv4/ip_forward doesn’t reset from ‘1’ even if I remove the network (default network lxdbr0) or change the network.

The file /proc/sys/net/ipv4/conf/default/forwarding contains the value used for new interfaces.

So if you set that to 0, then any new veth interfaces created will inherit that value.

I don’t understand the file /proc/sys/net/ipv4/conf/default/forwarding. It seems I don’t understand either why veth devices need to read the default forwarding value from that and not from the kernel sysctl settings. When I have used qemu virtual machines on the same host I have used to “echo 1 > /proc/sys/net/ipv4/ip_forward”, but I used to write it only when I needed to use qemu virtual machines.

I couldn’t yet find what is setting /proc/sys/net/ipv4/conf/default/forwarding on my host (it’s set every time I boot the host).

The topic is still about new containers when they launch, but do you know whether the host /proc/sys/net/ipv4/conf/default/forwarding setting is a kernel issue or something else? I’m not much of an expert here, but I would expect lxc, libvirt and other projects to set /proc/sys/net/ipv4/ip_forward only.

grep forw /etc/sysctl.d/*
/etc/sysctl.d/99-sysctl.conf:# Uncomment the next line to enable packet forwarding for IPv4
/etc/sysctl.d/99-sysctl.conf:#net.ipv4.ip_forward=1
/etc/sysctl.d/99-sysctl.conf:# Uncomment the next line to enable packet forwarding for IPv6
/etc/sysctl.d/99-sysctl.conf:#net.ipv6.conf.all.forwarding=1

grep forw /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1

Thanks

The “forwarding” files are per-interface settings, and “ip_forward” resets the value for all interfaces.

See https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

ip_forward - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Forward Packets between interfaces.

	This variable is special, its change resets all configuration
	parameters to their default state (RFC1122 for hosts, RFC1812
	for routers)

LXD enables ip_forward=1 on startup of a managed bridge network (e.g. lxdbr0) if it has the ipv4.routing setting enabled (it defaults to on), so that the host also behaves as a router.

You may be finding that LXD setting ip_forward=1 is what is resetting the default “forwarding” settings at start up.

LXD does something similar for IPv6 when ipv6.routing is enabled (defaults to on too), by iterating all of the entries in /proc/sys/net/ipv6/conf and setting their associated forwarding entry to enabled.

I believe LXD doesn’t disable “forwarding” on a per-NIC basis due to historical reasons (i.e. users expecting to be able to run routers inside their instances), and some of the newer NIC types (such as routed) do indeed disable the host-side interface “forwarding” by default.

@stgraber may have some insight as to why we don’t disable “forwarding” on the host-side veth interface for “bridged” NICs.
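A small audit script, added here as an example and not part of the thread or of LXD itself, that checks the three things the reply above distinguishes: the global ip_forward switch, the per-interface conf/<iface>/forwarding flags, and the conf/default/forwarding value that new veth interfaces inherit. The tree-root argument is an assumption added so the functions can be run against a constructed copy of the /proc/sys/net/ipv4 layout; on the host, call them with no argument.

```shell
#!/bin/sh
# Added example (not from the thread): audit IPv4 forwarding state as the
# replies describe it, i.e. the global ip_forward switch versus the
# per-interface conf/<iface>/forwarding files and the conf/default/forwarding
# value that new veth interfaces inherit.
# The tree root is a parameter (assumption for this example) so the functions
# can be exercised against a constructed copy; on a real host call them with
# no argument, which reads /proc/sys/net/ipv4 (readable by a normal user).

# Print the global ip_forward value.
global_ip_forward() {
    cat "${1:-/proc/sys/net/ipv4}/ip_forward"
}

# Print the value a newly created interface (e.g. an LXD veth) will inherit.
new_iface_forwarding() {
    cat "${1:-/proc/sys/net/ipv4}/conf/default/forwarding"
}

# Print, one per line, the real interfaces whose forwarding flag is enabled.
# "all" and "default" are pseudo-entries, not interfaces, so they are skipped.
forwarding_enabled() {
    root="${1:-/proc/sys/net/ipv4}"
    for f in "$root"/conf/*/forwarding; do
        [ -f "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        case "$iface" in all|default) continue ;; esac
        [ "$(cat "$f")" != "0" ] && echo "$iface"
    done
    return 0
}

# Print every conf/ entry (including all/default) whose flag differs from the
# global switch. A write to ip_forward resets all of them to its value, so a
# non-empty result is exactly the per-entry state that the next write to
# ip_forward (for instance when LXD starts a managed bridge) will undo.
forwarding_mismatch() {
    root="${1:-/proc/sys/net/ipv4}"
    global=$(global_ip_forward "$root")
    for f in "$root"/conf/*/forwarding; do
        [ -f "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        [ "$(cat "$f")" != "$global" ] && echo "$iface"
    done
    return 0
}

# Human-readable report; run with no argument on the host.
report() {
    root="${1:-/proc/sys/net/ipv4}"
    echo "ip_forward (global): $(global_ip_forward "$root")"
    echo "new interfaces inherit: $(new_iface_forwarding "$root")"
    echo "forwarding enabled on:"
    forwarding_enabled "$root" | sed 's/^/  /'
    echo "entries differing from ip_forward:"
    forwarding_mismatch "$root" | sed 's/^/  /'
}
```

Run `report` with no argument after LXD has brought up lxdbr0, not only at boot: since LXD writes ip_forward=1 when a managed bridge with ipv4.routing starts, a net.ipv4.conf.default.forwarding=0 placed in sysctl.d can look correct right after boot and still be reset by the time containers are launched, and the "entries differing" list shows whether any per-entry override currently survives.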