sysctl.conf, net.ipv4.conf.default.forwarding, race condition?

Bug #84537 reported by JS
This bug affects 5 people
Affects: procps (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: procps

/etc/sysctl.conf contains the following lines by default:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.conf.default.forwarding=1

In my system, uncommenting the line _usually_ does the trick: IPv4 forwarding is enabled on all network interfaces. Unfortunately, this was not the case every time. Sometimes, once in 10 reboots or so, this did not work. IPv4 forwarding was not enabled on some network interfaces.

I am not 100 % sure why this happens, but I think it might be caused if sometimes a network interface gets initialised before sysctl sets the above setting. Thus, I tried to define the following _two_ settings in /etc/sysctl.conf:

net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1

(I think the first setting tells what happens to the new interfaces that are created after setting the sysctl, and the second setting tells what happens to the interfaces that have already been created?)

Now everything has worked fine for months. Every time IPv4 forwarding gets enabled properly.

I have two physical network interfaces, "eth0" and "eth1", both of which use the "e100" driver.

lspci:
02:02.0 Ethernet controller: Intel Corporation 82557/8/9 [Ethernet Pro 100] (rev 08)
02:08.0 Ethernet controller: Intel Corporation 82801DB PRO/100 VE (LOM) Ethernet Controller (rev 82)

JS (j5)
description: updated
Yves Junqueira (yves.junqueira) wrote :

Hi.

Thank you for your report.

Do you still use this system where you were having problems? If so, can you check if you're using upstart or sysvinit?

Try running /sbin/init --version and see if it's upstart or something else.

Also, was that interface using DHCP or static addresses?

Usually, at least for upstart, rcS is run before networking scripts, but this needs further testing I guess. I'll see if I can reproduce it myself.

Changed in procps:
assignee: nobody → yves.junqueira
status: Unconfirmed → Needs Info
JS (j5) wrote : Re: [Bug 84537] Re: sysctl.conf, net.ipv4.conf.default.forwarding, race condition?

Hello,

On 5/8/07, Yves Junqueira <email address hidden> wrote:
> Do you still use this system where you were having problems? If so, can
> you check if you're using upstart or sysvinit?

I have upgraded the system to the latest Ubuntu, but I can try to
check these details from the backups.

> try running /sbin/init --version and see if it's upstart or else.

At the time I was experiencing the problems, the system was an
up-to-date Ubuntu edgy, and /sbin/init --version displayed the
following: init (upstart 0.2.7)

> Also, was that interface using DHCP or static addresses?

eth0 uses DHCP, eth1 uses static addresses.

I do not know if the bug has been fixed in the latest version of
Ubuntu; I am still using the workaround that I mentioned in the
original bug report.

Kind regards,
Jukka Suomela

GadAbraham (gad-abraham) wrote :

I have a similar situation:

Running feisty, setting net.ipv4.conf.default.forwarding=1 in /etc/sysctl.conf consistently does not enable IP forwarding in /proc/sys/net/ipv4/ip_forward (always zero).

If I add net.ipv4.conf.all.forwarding=1, then it works ok.

Eelko van Breda (eelko-vanbreda) wrote :

I have the same problem as well, running feisty latest updates,

init: init (upstart 0.3.8)
kernel: 2.6.18-ovz-028stab045.1 (OPENVZ kernel)

If I put the following line
"net.ipv4.conf.all.forwarding=1"
in the "/etc/sysctl.conf" file and run "sysctl -p", forwarding is enabled

regards, Eelko van Breda

Edmunds Kalniņš (edmunc) wrote :

I can also confirm this problem with the default gutsy server install + OpenVZ kernel (2.6.18-ovz-028stab048.1)

Kir Kolyshkin (kolyshkin) wrote :

To Edmunds Kalniņš, Eelko van Breda:

What happens if you just set

 net.ipv4.ip_forward = 1

in /etc/sysctl.conf, and run sysctl -p?

To me, the bug looks like a mistype in default /etc/sysctl.conf (i.e. wrong setting).

Say, here's the relevant section from Fedora 8:
 # Controls IP packet forwarding
 net.ipv4.ip_forward = 0

And this is from Gentoo 2007.0:
 # Disables packet forwarding
 #net.ipv4.ip_forward = 0

Edmunds Kalniņš (edmunc) wrote :

@Kir Kolyshkin

Adding
net.ipv4.conf.all.forwarding=1
to sysctl.conf solves the problem.

The problem, though, is that /etc/sysctl.conf says:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.conf.default.forwarding=1

However, uncommenting that line does not enable packet forwarding for IPv4.

Estevao (estevaovix) wrote :

How is it possible? I can't understand why Canonical (and Debian too) released an OS with this configuration error... very strange...

Eros Zanchetta (eros) wrote :

Hi there,

Same problem here on Feisty server using a single network interface with static IP address.

When I reboot, IP forwarding is not enabled and I have to enable it manually using:

echo "1" > /proc/sys/net/ipv4/ip_forward

Do you think upgrading to gutsy will solve the problem? I plan on doing it soon anyway...

steve.horsley (steve-horsley) wrote :

This bug report (marked as a duplicate) fixes it for me:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/156017

agent 8131 (agent-8131) wrote :

I have always found that one needs to set both the "all" and the "default" in order to guarantee the changes affect all interfaces regardless of when those interfaces are created. In the latest hardy version here are the options which only specify "all" and not "default" and "all":

# Do not accept ICMP redirects (prevent MITM attacks)
#net/ipv4/conf/all/accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net/ipv4/conf/all/secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net/ipv4/conf/all/send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net/ipv4/conf/all/accept_source_route = 0
#
# Log Martian Packets
#net/ipv4/conf/all/log_martians = 1

My suggestions:
* these options should have both "all" and "default" specified
* clarify "we are not a router" - I have found that these settings can be turned on without issue on NAT "routers"
* it might be wise to select either "." or "/" as a separator and not use both
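
An audit along the lines of the suggestions above, as an added example (not part of the original comment and not procps code): it reads sysctl.conf text, treats "/" and "." key separators as equivalent, and reports net.ipv4.conf / net.ipv6.conf settings that are set for only one of "all" and "default" or set to different values. The sample file content and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, in the style of the excerpt quoted above.
SAMPLE = """\
# Do not accept ICMP redirects (prevent MITM attacks)
net/ipv4/conf/all/accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=0
#net.ipv4.conf.default.forwarding=1
"""

LINE = re.compile(r"^\s*([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")
SCOPED = re.compile(r"^(net\.ipv[46]\.conf)\.(all|default)\.(.+)$")

def parse(text):
    """Yield (dotted_key, value, separator) for each active assignment."""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", ";")):
            continue  # blank line or comment
        m = LINE.match(raw)
        if m:
            key, value = m.groups()
            yield key.replace("/", "."), value, "/" if "/" in key else "."

def audit(text):
    """Report all/default settings that are unpaired or disagree."""
    pairs = defaultdict(dict)  # (prefix, setting) -> {scope: value}
    seps = set()
    for key, value, sep in parse(text):
        seps.add(sep)
        m = SCOPED.match(key)
        if m:
            prefix, scope, setting = m.groups()
            pairs[(prefix, setting)][scope] = value
    findings = []
    for (prefix, setting), seen in sorted(pairs.items()):
        for missing in sorted({"all", "default"} - set(seen)):
            findings.append(f"{prefix}.{missing}.{setting} is not set")
        if len(set(seen.values())) > 1:
            findings.append(f"{prefix}.{setting}: all={seen['all']}, default={seen['default']}")
    if len(seps) > 1:
        findings.append("mixed '.' and '/' key separators")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```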

Lucas Cardoso (lcardoso) wrote :

I can confirm this bug in Gutsy. I'm using my Ubuntu box as a home internet gateway, and uncommenting that line did not set /proc/sys/net/ipv4/ip_forward to 0 on reboot.

Jacob Emcken (jacob-emcken) wrote :

I'm using Hardy Heron and I don't believe I've been tinkering with /etc/sysctl.conf.

Found this in the file so I believe this is fixed now?:

# Comment the next two lines to disable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

Jacob Emcken (jacob-emcken) wrote :

Sorry, I was a bit quick at clicking "Save Changes".

This is how it looks in /etc/sysctl.conf now:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

Removing the # and running sysctl enables forwarding for me:

root@rohan:~# cat /proc/sys/net/ipv4/ip_forward
0
root@rohan:~# vi /etc/sysctl.conf
root@rohan:~# sysctl -p
kernel.printk = 4 4 1 7
kernel.maps_protect = 1
fs.inotify.max_user_watches = 524288
vm.mmap_min_addr = 65536
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 1
root@rohan:~# cat /proc/sys/net/ipv4/ip_forward
1

Stas Sușcov (sushkov) wrote :

Does this bug affect hardy?
Is it fixed in hardy?

I couldn't find any info about its status in 8.04, that's why I'm asking...

Shahar Or (mightyiam) wrote :

Dear friends,

FYI, this bug is mentioned in https://help.ubuntu.com/community/Internet/ConnectionSharing .

Many blessings.

Hew (hew) wrote :

This is still an issue on Ubuntu Server 10.04

Changed in procps (Ubuntu):
assignee: Yves Junqueira (yves.junqueira) → nobody
status: Incomplete → Confirmed
Walter Cheuk (wwycheuk) wrote :

In Ubuntu 10.10 the entry in sysctl.conf was changed to 'net.ipv4.ip_forward=1'; uncommenting it alone DOES enable IP routing, and there is no need to add extra lines.
