Page MenuHomeVyOS Platform
Create Task
Maniphest T5552

Commands 'set system ipv6 disable-forwarding' and 'set system option performance throughput' are mutually exclusive
Open, NormalPublicBUG
Actions

Description

Commands 'set system ipv6 disable-forwarding' and 'set system option performance throughput' are mutually exclusive

At first

set system ipv6 disable-forwarding

Result from sysctl

net.ipv6.conf.all.forwarding = 0

Next

set system option performance throughput

Result from sysctl

net.ipv6.conf.all.forwarding = 1

From my investigation command 'set system option performance throughput' runs 'tuned-adm profile network-throughput'. It enables ipv6 forwarding.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202309040919
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

a.apostoliuk created this task.Sep 6 2023, 7:54 AM
Viacheslav added a subscriber: Viacheslav.Sep 6 2023, 8:09 AM

Related task T2133
I guess we should drop this option ipv6 disable-forwarding

Apachez added a subscriber: Apachez.Sep 6 2023, 9:08 AM

I think that would be a bad idea comparing to other vendors where you can select if you want to do IPv4 routing and/or IPv6 routing. If both are disabled the device will only do switching/bridging.

For example in a IPv4 only environment you want to disable IPv6 forwarding (aka routing) to block any devices who by default (today) have both IPv4 and IPv6 enabled.

A workaround is of course to add firewall rules to block one or the other but the kernel setting net.ipv4.conf.all.forwarding and net.ipv6.conf.all.forwarding enable/disable this at the kernel level.

Question is rather why tuned-adm profile network-throughput is enabling IPv6 routing?

That is what should be dropped instead.

Viacheslav triaged this task as Normal priority.Jan 20 2024, 1:18 PM