Containers (both unprivileged and privileged) start by default with the same ip_forward value, ‘1’. /proc/sys/net/ipv4/ip_forward doesn’t reset from ‘1’ even if I remove the network (the default network lxdbr0) or change the network.
I don’t understand the file /proc/sys/net/ipv4/conf/default/forwarding. It seems I also don’t understand why veth devices need to read the default forwarding value from there and not from the kernel sysctl settings. When I used qemu virtual machines on the same host I used to run “echo 1 > /proc/sys/net/ipv4/ip_forward”, but I only did that when I needed the qemu virtual machines.
I couldn’t yet find what is setting /proc/sys/net/ipv4/conf/default/forwarding on my host (it gets set every time I boot the host).
The topic is still about new containers when they launch, but do you know whether the host /proc/sys/net/ipv4/conf/default/forwarding setting is a kernel issue or something else? I’m not an expert here, but I would expect lxc, libvirt and other projects to set only /proc/sys/net/ipv4/ip_forward.
grep forw /etc/sysctl.d/*
/etc/sysctl.d/99-sysctl.conf:# Uncomment the next line to enable packet forwarding for IPv4
/etc/sysctl.d/99-sysctl.conf:#net.ipv4.ip_forward=1
/etc/sysctl.d/99-sysctl.conf:# Uncomment the next line to enable packet forwarding for IPv6
/etc/sysctl.d/99-sysctl.conf:#net.ipv6.conf.all.forwarding=1
grep forw /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1
ip_forward - BOOLEAN
0 - disabled (default)
not 0 - enabled
Forward Packets between interfaces.
This variable is special, its change resets all configuration
parameters to their default state (RFC1122 for hosts, RFC1812
for routers)
LXD enables ip_forward=1 on startup of a managed bridge network (e.g. lxdbr0) if it has the ipv4.routing setting enabled (it defaults to on), so that the host also behaves as a router.
You may be finding that LXD setting ip_forward=1 is what is resetting the default “forwarding” settings at start up.
LXD does something similar for IPv6 when ipv6.routing is enabled (defaults to on too), by iterating all of the entries in /proc/sys/net/ipv6/conf and setting their associated forwarding entry to enabled.
I believe LXD doesn’t disable “forwarding” on a per-NIC basis for historical reasons (i.e. users expecting to be able to run routers inside their instances), and some of the newer NIC types (such as routed) do indeed disable the host-side interface “forwarding” by default.
@stgraber may have some insight as to why we don’t disable “forwarding” on the host-side veth interface for “bridged” NICs.
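As an added example (not code from this thread, from LXD or from the kernel docs), here is a small POSIX sh audit of the files discussed above: it reports the global ip_forward value and lists host-side veth interfaces whose per-interface forwarding is still enabled, which is what to re-check after a managed bridge starts, since the write to ip_forward resets every conf/*/forwarding entry to its default. SYSCTL_ROOT and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from LXD: audit which interfaces
# currently have forwarding enabled, so a host admin can see what an
# ip_forward write (which resets every conf/*/forwarding to its default)
# has left behind on host-side veth interfaces.
# SYSCTL_ROOT is a hypothetical override so the functions can be exercised
# against a constructed copy of /proc/sys/net; leave it unset on a real host.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net}"

# Global IPv4 switch (the value LXD sets to 1 for a bridge with ipv4.routing on).
ip_forward_value() {
  cat "$SYSCTL_ROOT/ipv4/ip_forward"
}

# One line per interface: "<family> <ifname> <forwarding>", family ipv4 or ipv6.
list_forwarding() {
  fam="$1"
  for f in "$SYSCTL_ROOT/$fam/conf"/*/forwarding; do
    [ -r "$f" ] || continue
    dev=$(basename "$(dirname "$f")")
    printf '%s %s %s\n' "$fam" "$dev" "$(cat "$f")"
  done
}

# Interfaces whose name starts with PREFIX (default veth) and whose
# per-interface forwarding is not 0. Empty output means none.
veth_forwarding_offenders() {
  fam="$1"; prefix="${2:-veth}"
  list_forwarding "$fam" | awk -v p="$prefix" 'index($2, p) == 1 && $3 != "0" { print $2 }'
}

# Human-readable report; exit status 1 if any veth still forwards.
audit_forwarding() {
  echo "net.ipv4.ip_forward = $(ip_forward_value)"
  status=0
  for fam in ipv4 ipv6; do
    bad=$(veth_forwarding_offenders "$fam")
    if [ -n "$bad" ]; then
      echo "$fam veth interfaces with forwarding enabled:"
      echo "$bad" | sed 's/^/  /'
      status=1
    fi
  done
  return $status
}
```

Run `audit_forwarding` as root on the host before and after `lxc network` brings up lxdbr0 to see which veth entries the ip_forward reset has flipped back to the default.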