Page MenuHomeVyOS Platform
Create Task
Maniphest T5552

'set system option performance throughput' enables IPv6 forwarding even if it's explicitly disabled with 'set system ipv6 disable-forwarding'
Closed, ResolvedPublicBUG
Actions

Description

Commands 'set system ipv6 disable-forwarding' and 'set system option performance throughput' are mutually exclusive

At first

set system ipv6 disable-forwarding

Result from sysctl

net.ipv6.conf.all.forwarding = 0

Next

set system option performance throughput

Result from sysctl

net.ipv6.conf.all.forwarding = 1

From my investigation command 'set system option performance throughput' runs 'tuned-adm profile network-throughput'. It enables ipv6 forwarding.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202309040919
Why the issue appeared?
Issues in third-party code
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

a.apostoliuk created this task.Sep 6 2023, 7:54 AM
Viacheslav subscribed.Sep 6 2023, 8:09 AM

Related task T2133
I guess we should drop this option ipv6 disable-forwarding

Apachez subscribed.Sep 6 2023, 9:08 AM

I think that would be a bad idea comparing to other vendors where you can select if you want to do IPv4 routing and/or IPv6 routing. If both are disabled the device will only do switching/bridging.

For example in a IPv4 only environment you want to disable IPv6 forwarding (aka routing) to block any devices who by default (today) have both IPv4 and IPv6 enabled.

A workaround is of course to add firewall rules to block one or the other but the kernel setting net.ipv4.conf.all.forwarding and net.ipv6.conf.all.forwarding enable/disable this at the kernel level.

Question is rather why tuned-adm profile network-throughput is enabling IPv6 routing?

That is what should be dropped instead.

Viacheslav triaged this task as Normal priority.Jan 20 2024, 1:18 PM
syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta.May 7 2024, 8:02 AM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.1); removed VyOS 1.4 Sagitta (1.4.0-GA).Jul 2 2024, 7:29 PM
dmbaturin subscribed.Jul 3 2024, 1:22 PM

I agree with @Apachez: people should be able to disable IPv4 or IPv6 forwarding if they feel like it. For example, a router used exclusively as a looking glass or a load balancer arguably shouldn't forward any packets on L3.

Can we fix tuned-adm profile without forking tuned?

dmbaturin renamed this task from Commands 'set system ipv6 disable-forwarding' and 'set system option performance throughput' are mutually exclusive to 'set system option performance throughput' enabled IPv6 forwarding even if it's explicitly disabled with 'set system ipv6 disable-forwarding'.Jul 3 2024, 6:15 PM
dmbaturin renamed this task from 'set system option performance throughput' enabled IPv6 forwarding even if it's explicitly disabled with 'set system ipv6 disable-forwarding' to 'set system option performance throughput' enables IPv6 forwarding even if it's explicitly disabled with 'set system ipv6 disable-forwarding'.
dmbaturin assigned this task to natali-rs1985.
dmbaturin changed Why the issue appeared? from Will be filled on close to Issues in third-party code.
natali-rs1985 changed the task status from Open to In progress.Jul 4 2024, 8:26 AM
natali-rs1985 added a comment.Jul 23 2024, 10:08 AM

https://github.com/vyos/vyos-1x/pull/3853

Restricted Repository Identity mentioned this in rVYOSONEX04b7006644df: Merge pull request #3853 from natali-rs1985/T5552-current.Jul 24 2024, 8:36 AM
natali-rs1985 mentioned this in rVYOSONEX7b82e4005724: system_option: T5552: Apply IPv4 and IPv6 options after reapplying sysctls by….Jul 24 2024, 8:36 AM
Restricted Repository Identity mentioned this in rVYOSONEX02b275d1cb11: system_option: T5552: Apply IPv4 and IPv6 options after reapplying sysctls by….Jul 24 2024, 8:37 AM
Restricted Repository Identity mentioned this in rVYOSONEX46eddf5ff910: system_option: T5552: Apply IPv4 and IPv6 options after reapplying sysctls by….
c-po mentioned this in rVYOSONEXf3f38ed9c10f: system_option: T5552: Apply IPv4 and IPv6 options after reapplying sysctls by….Jul 25 2024, 11:20 AM
c-po mentioned this in rVYOSONEX27641f07b28d: system_option: T5552: Apply IPv4 and IPv6 options after reapplying sysctls by….
Restricted Repository Identity mentioned this in rVYOSONEX609f4b9c1bb7: system_option: T5552: Apply IPv4 and IPv6 options after reapplying sysctls by….Jul 25 2024, 4:07 PM
natali-rs1985 added a project: VyOS 1.5 Circinus.Jul 26 2024, 9:42 AM
natali-rs1985 moved this task from Open to In Progress on the VyOS 1.5 Circinus board.
natali-rs1985 moved this task from Backlog to In Progress on the VyOS 1.4 Sagitta (1.4.1) board.
Restricted Repository Identity mentioned this in rVYOSONEXcd56721e7a74: Merge pull request #3862 from vyos/mergify/bp/sagitta/pr-3853.Jul 28 2024, 11:09 PM
natali-rs1985 closed this task as Resolved.Jul 29 2024, 8:02 AM
natali-rs1985 moved this task from In Progress to Finished on the VyOS 1.4 Sagitta (1.4.1) board.
natali-rs1985 moved this task from In Progress to Finished on the VyOS 1.5 Circinus board.