[pve-devel] [PATCH access-control/cluster/docs/gui-tests/manager/network/proxmox{, -firewall, -ve-rs, -perl-rs, -widget-toolkit} v4 00/76] Add SDN Fabrics
Gabriel Goller
g.goller at proxmox.com
Wed Jul 16 15:09:56 CEST 2025
On 09.07.2025 13:27, Gabriel Goller wrote:
>We've been thinking more about the ipv6 forwarding issue and still
>aren't sure about the best approach, so we'd like to hear other
>opinions.
>
>
>Problem
>=======
>
>As explained in the commit "frr: add global ipv6 forwarding" we enabled
>*global* ipv6 forwarding for two reasons:
>
> 1) So that non-fullmesh setups work.
> 2) Because there is no per-interface forwarding like in ipv4.
>
>This fixes non-fullmesh setups, but it forces ipv6 forwarding on every
>interface the user configures, now and in the future.
>
>Another problem is that we can't realistically disable global forwarding
>once we enable it. That would be a breaking change that's hard to
>mitigate/handle. So enabling global ipv6 forwarding is a one-way
>decision.
>
>
>Solutions
>=========
>
>The simplest solution would be to prompt the user to enable ipv6
>forwarding manually. We could display a popup when creating an
>ipv6 fabric, instructing them to add `ipv6 forwarding` to
>`/etc/frr/frr.conf.local`. This approach leaves the decision with the
>user and treats global ipv6 forwarding as a user-configuration rather
>than a pve-configuration setting.
>
>The second solution we prepared would be to add a new sysctl option to the
>kernel which allows us to do per-interface ipv6 forwarding.
>The patch isn't applied yet but is available here:
>https://lore.kernel.org/netdev/20250707094307.223975-1-g.goller@proxmox.com/T/#u
>We would apply this patch to our kernel and then modify ifupdown2 so
>that `ip6-forward` enables the `force_forwarding` sysctl (from the
>patch) along with the regular `forwarding` one. This wouldn't really be
>a breaking change since the `ip6-forward` option doesn't actually enable
>forwarding right now. The option is also pretty obscure and
>undocumented, so we think it would be safe.
>
>We'd appreciate your feedback!

We decided not to enable IPv6 forwarding, but to prompt the user to enable
it themselves.