sysctl.conf, net.ipv4.conf.default.forwarding, race condition?

Bug #84537 reported by JS on 2007-02-11
This bug affects 5 people
Affects: procps (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: procps

/etc/sysctl.conf contains the following lines by default:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.conf.default.forwarding=1

In my system, uncommenting the line _usually_ does the trick: IPv4 forwarding is enabled on all network interfaces. Unfortunately, this was not the case every time. Sometimes, once in 10 reboots or so, this did not work. IPv4 forwarding was not enabled on some network interfaces.

I am not 100 % sure why this happens, but I think it might be caused if sometimes a network interface gets initialised before sysctl sets the above setting. Thus, I tried to define the following _two_ settings in /etc/sysctl.conf:

net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1

(I think the first setting tells what happens to the new interfaces that are created after setting the sysctl, and the second setting tells what happens to the interfaces that have already been created?)

Now everything has worked fine for months. Every time IPv4 forwarding gets enabled properly.

I have two physical network interfaces, "eth0" and "eth1", both of which use the "e100" driver.

lspci:
02:02.0 Ethernet controller: Intel Corporation 82557/8/9 [Ethernet Pro 100] (rev 08)
02:08.0 Ethernet controller: Intel Corporation 82801DB PRO/100 VE (LOM) Ethernet Controller (rev 82)

JS (j5) on 2007-02-11
description: updated
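As an added example (not part of the bug report or of procps), the following Python script reads the same /proc/sys/net/ipv4 files that sysctl(8) writes and reports, per interface, what the kernel actually has, so the "default was set but some interfaces still don't forward" state described above can be seen directly instead of being inferred from traffic. It runs against the live tree on a Linux host; the root parameter and build_sample_tree() exist only so the reported state can be reproduced offline with constructed data.

```python
import os
import tempfile

PROC_IPV4 = "/proc/sys/net/ipv4"


def _read_flag(path):
    with open(path) as fh:
        return int(fh.read().split()[0])


def audit_forwarding(root=PROC_IPV4):
    """Report the IPv4 forwarding state the kernel actually has.

    Reads the same files sysctl(8) would: ip_forward (the global switch,
    which is the same variable as conf/all/forwarding), conf/default/
    forwarding (the template copied into interfaces created later) and
    conf/<iface>/forwarding for every real interface.  Interfaces whose
    value differs from the default are listed separately: most likely they
    existed before the default was changed and never saw it.
    """
    conf = os.path.join(root, "conf")
    report = {
        "ip_forward": _read_flag(os.path.join(root, "ip_forward")),
        "default": _read_flag(os.path.join(conf, "default", "forwarding")),
        "ifaces": {},
    }
    for name in sorted(os.listdir(conf)):
        if name not in ("all", "default"):
            report["ifaces"][name] = _read_flag(
                os.path.join(conf, name, "forwarding"))
    report["predate_default"] = [n for n, v in report["ifaces"].items()
                                 if v != report["default"]]
    return report


def forwarding_enabled(report):
    """True only if the global switch and every interface agree on 1."""
    return (report["ip_forward"] == 1
            and all(v == 1 for v in report["ifaces"].values()))


def build_sample_tree():
    """Constructed /proc/sys/net/ipv4 lookalike reproducing the report.

    default.forwarding=1 has been applied, but lo and eth0 were created
    before sysctl ran and eth1 afterwards; ip_forward (= all.forwarding)
    was never touched.  Fake data for the demonstration, not a capture
    from any system.
    """
    root = tempfile.mkdtemp(prefix="ipv4-")
    values = {
        "ip_forward": 0,
        "conf/all/forwarding": 0,
        "conf/default/forwarding": 1,
        "conf/lo/forwarding": 0,
        "conf/eth0/forwarding": 0,
        "conf/eth1/forwarding": 1,
    }
    for rel, val in values.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("%d\n" % val)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else PROC_IPV4
    rep = audit_forwarding(target)
    for key, value in rep.items():
        print("%-16s %s" % (key, value))
    print("forwarding enabled everywhere:", forwarding_enabled(rep))
```

Run it with no argument on a box that shows the symptom and the predate_default list names the interfaces that came up before sysctl applied the default; those are the ones that only net.ipv4.conf.all.forwarding (or net.ipv4.ip_forward, which is the same variable) will reach.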
Yves Junqueira (yves.junqueira) wrote :

Hi.

Thank you for your report.

Do you still use this system where you were having problems? If so, can you check if you're using upstart or sysvinit?

Try running /sbin/init --version and see whether it's upstart or something else.

Also, was that interface using DHCP or static addresses?

Usually, at least for upstart, rcS is run before networking scripts, but this needs further testing I guess. I'll see if I can reproduce it myself.

Changed in procps:
assignee: nobody → yves.junqueira
status: Unconfirmed → Needs Info

Hello,

On 5/8/07, Yves Junqueira <email address hidden> wrote:
> Do you still use this system where you were having problems? If so, can
> you check if you're using upstart or sysvinit?

I have upgraded the system to the latest Ubuntu, but I can try to
check these details from the backups.

> try running /sbin/init --version and see if it's upstart or else.

At the time I was experiencing the problems, the system was an
up-to-date Ubuntu edgy, and /sbin/init --version displayed the
following: init (upstart 0.2.7)

> Also, was that interface using DHCP or static addresses?

eth0 uses DHCP, eth1 uses static addresses.

I do not know if the bug has been fixed in the latest version of
Ubuntu; I am still using the workaround that I mentioned in the
original bug report.

Kind regards,
Jukka Suomela

GadAbraham (gad-abraham) wrote :

I have a similar situation:

Running feisty, setting net.ipv4.conf.default.forwarding=1 in /etc/sysctl.conf consistently does not enable IP forwarding in /proc/sys/net/ipv4/ip_forward (always zero).

If I add net.ipv4.conf.all.forwarding=1, then it works ok.

I have the same problem as well, running feisty with the latest updates:

init: init (upstart 0.3.8)
kernel: 2.6.18-ovz-028stab045.1 (OPENVZ kernel)

if I put the following line
"net.ipv4.conf.all.forwarding=1"
in the "/etc/sysctl.conf" file and run "sysctl -p", forwarding is enabled

regards, Eelko van Breda

Edmunds Kalniņš (edmunc) wrote :

I can also confirm this problem with the default gutsy server install + OpenVZ kernel (2.6.18-ovz-028stab048.1)

Kir Kolyshkin (kolyshkin) wrote :

To Edmunds Kalniņš, Eelko van Breda:

What happens if you just set

 net.ipv4.ip_forward = 1

in /etc/sysctl.conf, and run sysctl -p?

To me, the bug looks like a typo in the default /etc/sysctl.conf (i.e. the wrong setting).

Say, here's the relevant section from Fedora 8:
 # Controls IP packet forwarding
 net.ipv4.ip_forward = 0

And this is from Gentoo 2007.0:
 # Disables packet forwarding
 #net.ipv4.ip_forward = 0

Edmunds Kalniņš (edmunc) wrote :

@Kir Kolyshkin

Adding
net.ipv4.conf.all.forwarding=1
to sysctl.conf solves the problem.

The problem is, though, that /etc/sysctl.conf says:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.conf.default.forwarding=1

however uncommenting that line does not enable packet forwarding for IPv4

Estêvão (estevaovix) wrote :

How is it possible? I can't understand why Canonical (and Debian too) released an OS with this configuration error... very strange...

Eros Zanchetta (eros) wrote :

Hi there,

same problem here on Feisty server using a single network interface with static IP address.

When I reboot, forwarding is not enabled and I have to enable it manually using:

echo "1" > /proc/sys/net/ipv4/ip_forward

Do you think upgrading to gutsy will solve the problem? I plan on doing it soon anyway...

steve.horsley (steve-horsley) wrote :

This bug report (marked as a duplicate) fixes it for me:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/156017

agent 8131 (agent-8131) wrote :

I have always found that one needs to set both the "all" and the "default" in order to guarantee the changes affect all interfaces regardless of when those interfaces are created. In the latest hardy version, here are the options which specify only "all" rather than both "default" and "all":

# Do not accept ICMP redirects (prevent MITM attacks)
#net/ipv4/conf/all/accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net/ipv4/conf/all/secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net/ipv4/conf/all/send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net/ipv4/conf/all/accept_source_route = 0
#
# Log Martian Packets
#net/ipv4/conf/all/log_martians = 1

My suggestions:
* these options should have both "all" and "default" specified
* clarify "we are not a router" - I have found that these settings can be turned on without issue on NAT "routers"
* it might be wise to select either "." or "/" as a separator and not use both
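As an added example (not from this thread, from procps or from Ubuntu's sysctl.conf), here is a small Python linter for the two points above: it parses sysctl.conf(5) syntax accepting both the "." and "/" key separators that sysctl(8) allows, and flags any net.ipv4.conf or net.ipv6.conf knob set on only one of "all" and "default". Forwarding is handled specially because net.ipv4.ip_forward is the same kernel variable as net.ipv4.conf.all.forwarding and writing it also updates the default template. SAMPLE_CONF is constructed from the lines quoted in this thread and is not a real file from any system.

```python
import re

# Constructed sample modelled on lines quoted in this thread (not a real
# file from any system): hardy's commented-out hardening knobs uncommented
# as written, with slash separators, plus the original report's forwarding
# line and the rp_filter pair.
SAMPLE_CONF = """\
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.conf.default.forwarding=1

# Turn on Source Address Verification in all interfaces
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

# Do not accept ICMP redirects (prevent MITM attacks)
net/ipv4/conf/all/accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net/ipv4/conf/all/send_redirects = 0
# Do not accept IP source route packets (we are not a router)
net/ipv4/conf/all/accept_source_route = 0
# Log Martian Packets
net/ipv4/conf/all/log_martians = 1
"""

_KV_RE = re.compile(r"^([^=\s]+)\s*=\s*(\S.*?)\s*$")
_SCOPE_RE = re.compile(r"^(net\.ipv[46]\.conf)\.(all|default)\.(.+)$")


def parse_sysctl_conf(text):
    """Parse sysctl.conf(5) text into {dotted_key: value}.

    Blank lines and lines starting with '#' or ';' are skipped.  sysctl(8)
    accepts '/' as well as '.' inside a key, so both spellings normalize
    to the dotted form.  A key repeated later overrides the earlier value,
    as it does when sysctl -p applies the file top to bottom.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _KV_RE.match(line)
        if m:
            settings[m.group(1).replace("/", ".")] = m.group(2)
    return settings


def lint(settings):
    """Return sorted (severity, fix_line, message) findings.

    conf.default.* is the template copied into interfaces created later;
    conf.all.* is pushed to the interfaces that already exist.  A knob set
    on only one of the two therefore takes effect, or not, depending on
    whether the interface came up before or after sysctl ran, which is the
    race described in the original report.
    """
    per_knob = {}
    for key, value in settings.items():
        m = _SCOPE_RE.match(key)
        if m:
            family, scope, knob = m.groups()
            per_knob.setdefault((family, knob), {})[scope] = value

    findings = []
    for (family, knob), scopes in sorted(per_knob.items()):
        missing = {"all", "default"} - set(scopes)
        if not missing:
            continue
        if family == "net.ipv4.conf" and knob == "forwarding":
            # ip_forward is the same variable as conf.all.forwarding, and
            # writing it also updates the default template, so either one
            # on its own is sufficient for forwarding.
            if "all" in scopes or settings.get("net.ipv4.ip_forward") == "1":
                continue
            findings.append(("error",
                             "net.ipv4.ip_forward = %s" % scopes["default"],
                             "net.ipv4.conf.default.forwarding only affects "
                             "interfaces created after sysctl runs; existing "
                             "interfaces and ip_forward stay as they were"))
            continue
        have = next(iter(scopes))
        want = missing.pop()
        findings.append(("warning",
                         "%s.%s.%s = %s" % (family, want, knob, scopes[have]),
                         "%s.%s.%s is set without %s.%s.%s; set both so the "
                         "result does not depend on interface creation order"
                         % (family, have, knob, family, want, knob)))
    return findings


def suggest_fixes(text):
    """Lines to append to the given sysctl.conf text to clear every finding."""
    return [fix for _, fix, _ in lint(parse_sysctl_conf(text))]


if __name__ == "__main__":
    for severity, fix, message in lint(parse_sysctl_conf(SAMPLE_CONF)):
        print("%s: %s (add: %s)" % (severity, message, fix))
```

Pointing parse_sysctl_conf() at the contents of a real /etc/sysctl.conf gives the same report for that file; appending the lines from suggest_fixes() and running sysctl -p is the equivalent of the "add the all line too" workaround people in this thread arrived at by hand.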

Lucas Cardoso (lcardoso) wrote :

I can confirm this bug in Gutsy. I'm using my Ubuntu box as a home internet gateway, and uncommenting that line did not set /proc/sys/net/ipv4/ip_forward to 0 on reboot.

Jacob Emcken (jacob-emcken) wrote :

I'm using Hardy Heron and I don't believe I've been tinkering with /etc/sysctl.conf.

Found this in the file so I believe this is fixed now?:

# Comment the next two lines to disable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

Jacob Emcken (jacob-emcken) wrote :

Sorry, I was a bit quick at clicking "Save Changes".

This is how it looks in /etc/sysctl.conf now:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

removing the # and running sysctl enables forwarding for me:

root@rohan:~# cat /proc/sys/net/ipv4/ip_forward
0
root@rohan:~# vi /etc/sysctl.conf
root@rohan:~# sysctl -p
kernel.printk = 4 4 1 7
kernel.maps_protect = 1
fs.inotify.max_user_watches = 524288
vm.mmap_min_addr = 65536
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 1
root@rohan:~# cat /proc/sys/net/ipv4/ip_forward
1

Stas Sușcov (sushkov) wrote :

Does this bug affect hardy?
Is it fixed in hardy?

I couldn't find any info about its status in 8.04, that's why I'm asking...

Shahar Or (mightyiam) wrote :

Dear friends,

FYI, this bug is mentioned in https://help.ubuntu.com/community/Internet/ConnectionSharing .

Many blessings.

Hew McLachlan (hew) wrote :

This is still an issue on Ubuntu Server 10.04

Changed in procps (Ubuntu):
assignee: Yves Junqueira (yves.junqueira) → nobody
status: Incomplete → Confirmed

Walter Cheuk (wwycheuk) wrote :

In Ubuntu 10.10 the entry in sysctl.conf was changed to 'net.ipv4.ip_forward=1'; uncommenting it alone does enable IP routing, and there is no need to add extra lines.
