Comment 3 for bug 1500992

Stéphane Graber (stgraber) wrote :

To provide internet to VMs and containers, the interface behind which the default gateway sits must have forwarding enabled.
The way this is typically done is that whichever tool sets up a bridge will also set up a NAT entry for IPv4 and will make sure /proc/sys/net/ipv4/ip_forward is set to 1.

This is the standard way of doing things because then you don't have to know what interface packets will be heading out of; forwarding is just enabled on all of them, and if your NAT rule is properly written (and ours are), it'll apply to all interfaces too.

Now this all breaks if the outgoing interface is using a non-default config which disables forwarding at the interface level since that then ignores the global /proc/sys/net/ipv4/ip_forward knob.

Having the bridge setup tool modify the configuration of all potential outgoing interfaces to allow forwarding seems completely wrong to me (why would the script setting up lxcbr0 go and edit your eth0 and wlan0 interfaces?), not to mention that it's not actually possible to know for sure what interfaces will be outgoing interfaces. You may have some that don't exist yet (usb stick?).

Even if we somehow did change the bridge setup scripts to go and set /forwarding to 1 on all interfaces which we guess may be used as outgoing interfaces, this still wouldn't change the fact that networkd would go ahead and reset them all to 0 on daemon restart (package update for example).
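The check a practitioner would want after a networkd restart is whether the global knob and the per-interface knobs still agree. The script below is an added example, not code from the bug thread or from the LXC/networkd projects: it reads /proc/sys/net/ipv4/ip_forward and every conf/<iface>/forwarding entry and flags interfaces where forwarding is off while the global knob is on. The sysctl tree root is a parameter so the constructed tree built by make_sample_tree (eth0 with forwarding disabled, lxcbr0 enabled) runs offline; the function names are my own.

```shell
#!/bin/sh
# Audit IPv4 forwarding: global /proc/sys/net/ipv4/ip_forward vs per-interface knobs.
# The root directory is a parameter (default /proc/sys) so a constructed tree
# can stand in for the real sysctl tree when testing offline.

# Print the contents of a sysctl-style file, or "?" if it is absent/unreadable.
read_knob() {
    if [ -r "$1" ]; then cat "$1"; else echo "?"; fi
}

# forwarding_report [ROOT]
# Prints one line per interface under ROOT/net/ipv4/conf (skipping the all/default
# pseudo-entries) in the form "<iface> global=<g> iface=<p> <status>".
# Returns 1 if any interface has forwarding=0 while the global knob is 1, else 0.
forwarding_report() {
    root="${1:-/proc/sys}"
    global=$(read_knob "$root/net/ipv4/ip_forward")
    rc=0
    for dir in "$root"/net/ipv4/conf/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        per=$(read_knob "$dir/forwarding")
        if [ "$global" = "1" ] && [ "$per" = "0" ]; then
            status="MISMATCH"   # global says forward, this interface does not
            rc=1
        else
            status="ok"
        fi
        printf '%s global=%s iface=%s %s\n' "$iface" "$global" "$per" "$status"
    done
    return $rc
}

# mismatch_count [ROOT]: number of interfaces flagged MISMATCH (0 if none).
mismatch_count() {
    forwarding_report "$1" | grep -c MISMATCH || true
}

# make_sample_tree: build a constructed sysctl tree reproducing the situation
# described in the comment (global knob on, eth0 forwarding off, lxcbr0 on)
# and print its path. Constructed data, not captured from a real host.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/net/ipv4/conf/all" "$tree/net/ipv4/conf/eth0" "$tree/net/ipv4/conf/lxcbr0"
    echo 1 > "$tree/net/ipv4/ip_forward"
    echo 1 > "$tree/net/ipv4/conf/all/forwarding"
    echo 0 > "$tree/net/ipv4/conf/eth0/forwarding"
    echo 1 > "$tree/net/ipv4/conf/lxcbr0/forwarding"
    echo "$tree"
}

# Usage on a real host: run with no argument and act on any MISMATCH line.
# Offline demonstration against the constructed tree:
sample=$(make_sample_tree)
forwarding_report "$sample" || echo "forwarding disagrees on $(mismatch_count "$sample") interface(s)"
```

A MISMATCH line on a live host means a packet routed out through that interface will not benefit from the global knob being 1, which is exactly the state a networkd restart can leave behind. The durable fix belongs in the interface's own configuration (for networkd, the IPForward= setting in its .network file) rather than in whichever tool creates the bridge.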