Nixpkgs: networking.interfaces.<name?>.proxyARP doesn't enable IPv4 forwarding

Created on 1 Jun 2019 · 5 Comments · Source: NixOS/nixpkgs

Issue description

When setting proxy_ARP currently ip-routing is only set for ipv6, but not for ipv4.

Steps to reproduce

Set proxy_ARP on an interface and check whether /proc/sys/net/ipv4/ip_forward is set to 1.

Technical details

  • system: "x86_64-linux"

    • host os: Linux 4.19.36, NixOS, 19.09pre177086.0620e0fdbf4 (Loris)

    • multi-user?: yes

    • sandbox: yes

    • version: nix-env (Nix) 2.2.2

    • channels(root): "nixos-19.09pre177086.0620e0fdbf4"

    • channels(louis): ""

    • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

bug regression sprintable nixos

All 5 comments

The description states the following:

          WARNING: turns on ip-routing, so if you have multiple interfaces, you
          should think of the consequence and setup firewall rules to limit this.

and also:

(and proxy_ndp for ipv6)

But the implementation seems to neither enable forwarding for IPv6 nor proxy_ndp for IPv6 (from nixos/modules/tasks/network-interfaces.nix):

    boot.kernel.sysctl = {
      "net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces);
    } // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces)
        (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true)));

proxy_ndp is missing since 59f512ef7d2137586330f2cabffc41a70f4f0346 which also broke IPv4 forwarding (completely removed since b250ac929075d4ea2b186046bf28e5519ca9faae).

It would be interesting to know the reason behind removing this in the first place. b250ac9 seems to state that the intention of this commit seems to have been to remove non-existent sysctl options, but net.ipv4.conf.all_forwarding clearly exists as sysctl option, so maybe something is going on here, that I'm not seeing at the moment.

> It would be interesting to know the reason behind removing this in the first place.

I'm pretty sure that it was removed accidentally (59f512ef7d2137586330f2cabffc41a70f4f0346 was a pretty big change, which can be difficult to review properly).

> b250ac9 seems to state that the intention of this commit seems to have been to remove non-existent sysctl options, but net.ipv4.conf.all_forwarding clearly exists as sysctl option, so maybe something is going on here, that I'm not seeing at the moment.

There was a minor typo in there that is unfortunately pretty easy to miss but very important. The correct kernel parameter is net.ipv4.conf.all.forwarding (vs. net.ipv4.conf.all_forwarding with an underscore instead of a dot).

Feel free to make a PR to fix this (i.e. enabling IPv4 forwarding and proxy_ndp for IPv6, instead of proxy_arp), if you have time (if you don't have time for it I can probably do this in a few days, but unfortunately I cannot test this probably at the moment).

> Feel free to make a PR to fix this (i.e. enabling IPv4 forwarding and proxy_ndp for IPv6, instead of proxy_arp), if you have time (if you don't have time for it I can probably do this in a few days, but unfortunately I cannot test this probably at the moment).

Ok. This shouldn't take too long, so I think I can send something later.

I assume net.ipv4.conf.all_forwarding was a typo, and should have been renamed to net.ipv4.conf.all.forwarding in b250ac929075d4ea2b186046bf28e5519ca9faae.
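
An added example, not part of the thread and not code from nixpkgs: a POSIX shell check that reports whether the forwarding, proxy_arp and proxy_ndp settings discussed above are in effect, and that shows a misspelled key such as net.ipv4.conf.all_forwarding simply does not exist. The function names and the `SYSCTL_ROOT` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether the sysctls named in this thread are set.
# SYSCTL_ROOT (an assumption of this example) defaults to /proc/sys and can
# point at a constructed directory tree for offline testing.
# Limitation: interface names that contain a dot (e.g. VLAN names) are not handled.

# Map a dotted sysctl key to its file path under SYSCTL_ROOT.
sysctl_path() {
    printf '%s/%s\n' "${SYSCTL_ROOT:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# Print the value of a key, or "missing" when no such key exists, which is
# what a misspelled name such as net.ipv4.conf.all_forwarding yields.
sysctl_get() {
    path=$(sysctl_path "$1")
    if [ -r "$path" ]; then cat "$path"; else echo missing; fi
}

# Check forwarding for both address families plus proxy_arp (IPv4) and
# proxy_ndp (IPv6) on each named interface. Returns 1 if any key is not 1.
audit_proxy_arp() {
    keys="net.ipv4.conf.all.forwarding net.ipv6.conf.all.forwarding"
    for ifc in "$@"; do
        keys="$keys net.ipv4.conf.$ifc.proxy_arp net.ipv6.conf.$ifc.proxy_ndp"
    done
    rc=0
    for key in $keys; do
        val=$(sysctl_get "$key")
        if [ "$val" = 1 ]; then
            echo "ok   $key=1"
        else
            echo "FAIL $key=$val"
            rc=1
        fi
    done
    return "$rc"
}

# When interface names are given on the command line, audit them.
if [ "$#" -gt 0 ]; then
    audit_proxy_arp "$@"
fi
```

A non-zero exit status means at least one of the listed keys is unset or absent on the running kernel.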
