main/nftables: enable_forwarding=yes produces errors when IPv6 is disabled
Booting with the kernel cmdline option ipv6.disable=1 makes all ipv6-related sysctl keys unavailable, which causes errors when enable_forwarding=yes is set in /etc/conf.d/nftables:
seneca2:~$ doas rc-service nftables start
* Caching service dependencies ... [ ok ]
* Loading nftables state and starting firewall ... [ ok ]
* Enabling forwarding ...
sysctl: error: 'net.ipv6/conf/default/forwarding' is an unknown key
sysctl: error: 'net.ipv6/conf/all/forwarding' is an unknown key [ !! ]
* ERROR: nftables failed to start
This leaves the system in a bad state since /etc/init.d/nftables loads the ruleset first and then attempts (and fails) to set the ipv6 forwarding sysctl keys. The nftables ruleset is applied but the openrc service status is stopped or crashed.
This may be another case of "don't do that", see: #14285 (closed), but a workaround is to not use the service script's enable_forwarding and instead only set net.ipv4.ip_forward=1 in /etc/sysctl.d/.
Possible changes to the package might be:
- check for the keys before trying to set them
- continue to set without checking but tell sysctl not to warn about unknown keys by adding -e, and return 0 from the forwarding function
- split the enable_forwarding variable into two, e.g. enable_ipv4_forwarding and enable_ipv6_forwarding, and conditionally set the sysctls
Not disabling IPv6 is also an option but I'm not really informed enough to have that debate. If disabling IPv6 is considered "bad" (in this case the context is a small, simple home network) then perhaps the package is fine as-is and I will enable IPv4 forwarding separately.
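As an added illustration of the first and third suggestions above (this is example code written for this page, not the aports /etc/init.d/nftables script and not code from the reporter), a POSIX sh forwarding helper that checks each sysctl key exists under /proc/sys before writing it, and honours separate enable_ipv4_forwarding / enable_ipv6_forwarding variables that default to the existing enable_forwarding value. The SYSCTL_ROOT override and the two new variable names are assumptions made here so the logic can be exercised against a scratch directory without root; on a real system it writes to /proc/sys directly.

```shell
#!/bin/sh
# Added example, not the aports nftables init script.
# SYSCTL_ROOT is an assumed override: defaults to the live /proc/sys, but can be
# pointed at a scratch tree for testing as an unprivileged user.
: "${SYSCTL_ROOT:=/proc/sys}"

# Map a dotted sysctl key (net.ipv6.conf.all.forwarding) to its /proc/sys path.
sysctl_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# True if the kernel exposes this key at all. With ipv6.disable=1 the whole
# net/ipv6 subtree is missing, which is what made plain `sysctl -w` fail.
sysctl_key_exists() {
    [ -f "$(sysctl_path "$1")" ]
}

# Write VALUE to KEY only if the key exists. A missing key is reported and
# treated as success (return 0); a failed write is a real error (return 1).
set_sysctl_if_present() {
    key=$1
    value=$2
    path=$(sysctl_path "$key")
    if [ ! -f "$path" ]; then
        echo "skipping $key: not available on this kernel" >&2
        return 0
    fi
    printf '%s\n' "$value" > "$path"
}

# Replacement forwarding step. enable_ipv4_forwarding and enable_ipv6_forwarding
# are assumed new conf.d variables; each falls back to the old enable_forwarding
# value so an unchanged /etc/conf.d/nftables keeps working. IPv6 keys are skipped
# rather than failing the whole service when IPv6 is disabled.
enable_forwarding() {
    rc=0
    if [ "${enable_ipv4_forwarding:-${enable_forwarding:-no}}" = yes ]; then
        set_sysctl_if_present net.ipv4.ip_forward 1 || rc=1
    fi
    if [ "${enable_ipv6_forwarding:-${enable_forwarding:-no}}" = yes ]; then
        for k in net.ipv6.conf.default.forwarding net.ipv6.conf.all.forwarding; do
            set_sysctl_if_present "$k" 1 || rc=1
        done
    fi
    return $rc
}
```

Usage on a live system is `enable_forwarding=yes . ./forwarding.sh && enable_forwarding` as root; the function returns non-zero only when a key that does exist could not be written, so the service is not marked crashed merely because the ipv6 subtree is absent.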