[pve-devel] [PATCH access-control/cluster/docs/gui-tests/manager/network/proxmox{, -firewall, -ve-rs, -perl-rs, -widget-toolkit} v4 00/76] Add SDN Fabrics
Gabriel Goller
g.goller at proxmox.com
Wed Jul 9 13:27:56 CEST 2025
We've been thinking more about the ipv6 forwarding issue and still
aren't sure about the best approach, so we'd like to hear other
opinions.

Problem
=======

As explained in the commit "frr: add global ipv6 forwarding" we enabled
*global* ipv6 forwarding for two reasons:

1) So that non-fullmesh setups work.
2) Because there is no per-interface forwarding like in ipv4.

This fixes non-fullmesh setups, but it forces ipv6 forwarding on every
interface the user configures, now and in the future.

Another problem is that we can't realistically disable global forwarding
once we enable it. That would be a breaking change that's hard to
mitigate/handle. So enabling global ipv6 forwarding is a one-way
decision.

Solutions
=========

The simplest solution would be to prompt the user to enable ipv6
forwarding manually. We could display a popup when creating an
ipv6 fabric, instructing them to add `ipv6 forwarding` to
`/etc/frr/frr.conf.local`. This approach leaves the decision with the
user and treats global ipv6 forwarding as a user-configuration rather
than a pve-configuration setting.

The second solution we prepared would be to add a new sysctl option to the
kernel which allows us to do per-interface ipv6 forwarding.
The patch isn't applied yet but is available here:
https://lore.kernel.org/netdev/20250707094307.223975-1-g.goller@proxmox.com/T/#u

We would apply this patch to our kernel and then modify ifupdown2 so
that `ip6-forward` enables the `force_forwarding` sysctl (from the
patch) along with the regular `forwarding` one. This wouldn't really be
a breaking change since the `ip6-forward` option doesn't actually enable
forwarding right now. The option is also pretty obscure and
undocumented, so we think it would be safe.

We'd appreciate your feedback!
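
The trade-off discussed in this message, as an added example that is not part of the original mail or of Proxmox's code: a shell audit that lists which interfaces forward IPv6 under global forwarding versus the per-interface sysctl. The function names and the sample tree are constructed, and the rule that `force_forwarding=1` makes an interface forward even when `all/forwarding` is 0 is an assumption based on the patch description above.

```shell
#!/bin/sh
# Added example: report which interfaces effectively forward IPv6.
# Assumption: an interface forwards if conf/all/forwarding is 1, or if its own
# force_forwarding (the sysctl from the proposed kernel patch) is 1.

ipv6_fwd_report() {
    root=${1:-/proc/sys/net/ipv6/conf}
    global=$(cat "$root/all/forwarding" 2>/dev/null || echo 0)
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        case $iface in all|default) continue ;; esac
        # force_forwarding is absent on kernels without the patch
        force=$(cat "$dir/force_forwarding" 2>/dev/null || echo 0)
        if [ "$global" = 1 ]; then
            echo "$iface forwards (global)"
        elif [ "$force" = 1 ]; then
            echo "$iface forwards (force_forwarding)"
        else
            echo "$iface does-not-forward"
        fi
    done
}

# Number of forwarding interfaces; compare against the fabric's interface count.
ipv6_fwd_count() {
    ipv6_fwd_report "$1" | grep -c ' forwards ' || true
}

# Constructed sample tree: three interfaces, only ens19 is a fabric interface.
# $1 = value for all/forwarding; prints the path of the tree.
make_sample_tree() {
    t=$(mktemp -d)
    for i in all default ens18 ens19 vmbr0; do
        mkdir -p "$t/$i"
        echo 0 > "$t/$i/forwarding"
        echo 0 > "$t/$i/force_forwarding"
    done
    echo "$1" > "$t/all/forwarding"
    echo 1 > "$t/ens19/force_forwarding"
    echo "$t"
}
```

Calling `ipv6_fwd_report` with no argument reads the live tree under `/proc/sys/net/ipv6/conf`; a count higher than the number of fabric interfaces means interfaces outside the fabric are routing IPv6 too.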