Hello, I try to disable packet forwarding using a .conf file located in /etc/sysctl.d/*.conf:
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv6.conf.all.forwarding = 0
but for some reason it does not load it (sysctl -a | grep forward) and I have to do it manually after every reboot. Any ideas why and how to fix it?
Is the sysctl service enabled?
Yeah, I have enabled it and it is running. I have read that sysctl has this bug (https://bugs.launchpad.net/ubuntu/+source/procps/+bug/50093), but I have no idea whether it is connected to my problem.
#!/usr/bin/openrc-run
# Copyright (c) 2007-2015 The OpenRC Authors.
# See the Authors file at the top-level directory of this distribution and
# https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS
#
# This file is part of OpenRC. It is subject to the license terms in
# the LICENSE file found in the top-level directory of this
# distribution and at https://github.com/OpenRC/openrc/blob/HEAD/LICENSE
# This file may not be copied, modified, propagated, or distributed
# except according to the terms contained in the LICENSE file.

depend()
{
	after clock
	#after net
	before bootmisc logger
	keyword -prefix -systemd-nspawn -vserver
}

BSD_sysctl()
{
	[ -e /etc/sysctl.conf ] || return 0
	local retval=0 var= comments= conf=
	eindent
	for conf in /etc/sysctl.conf /etc/sysctl.d/*.conf; do
		if [ -r "$conf" ]; then
			vebegin "applying $conf"
			while read var comments; do
				case "$var" in
				""|"#"*) continue;;
				esac
				sysctl -w "$var" >/dev/null || retval=1
			done < "$conf"
			veend $retval
		fi
	done
	eoutdent
	return $retval
}

Linux_sysctl()
{
	local quiet
	yesno $rc_verbose || quiet=-q
	sysctl ${quiet} --system
}

start()
{
	local rc=0
	ebegin "Configuring kernel parameters"
	case "$RC_UNAME" in
		*BSD|GNU) BSD_sysctl; rc=$? ;;
		Linux) Linux_sysctl; rc=$? ;;
	esac
	eend $rc "Unable to configure some kernel parameters"
}
In /etc/rc.conf set.
Reboot and have a look at the last (most recent) instance of the output in /var/log/rc.log after "* Configuring kernel parameters ..." and post it (up to where it's obviously the next service).
sysctl | * Configuring kernel parameters ...
sysctl |* Applying /usr/lib/sysctl.d/10-artix.conf ...
[ ok ]
sysctl |* Applying /etc/sysctl.d/30-ipforward.conf ...
[ ok ]
sysctl |* Applying /usr/lib/sysctl.d/50-default.conf ...
sysctl |* Applying /usr/lib/sysctl.d/60-libvirtd.conf ...
sysctl |* Applying /usr/lib/sysctl.d/60-qemu-postcopy-migration.conf ...
sysctl |* Applying /etc/sysctl.d/99_magic_sysrq.conf ...
sysctl |fs.inotify.max_user_instances = 1024
sysctl |fs.inotify.max_user_watches = 524288
sysctl |vm.max_map_count = 1048576
sysctl |net.ipv4.ip_forward = 0
sysctl |net.ipv4.conf.all.forwarding = 0
sysctl |net.ipv4.conf.all.rp_filter = 1
sysctl |net.ipv4.conf.default.accept_source_route = 0
sysctl |net.ipv4.conf.all.accept_source_route = 0
sysctl |net.ipv4.conf.all.promote_secondaries = 1
sysctl |net.ipv4.ping_group_range = 0 2147483647
sysctl |net.core.default_qdisc = fq_codel
sysctl |fs.protected_hardlinks = 1
sysctl |fs.protected_symlinks = 1
sysctl |fs.protected_regular = 1
sysctl |fs.protected_fifos = 1
sysctl |fs.aio-max-nr = 1048576
sysctl |vm.unprivileged_userfaultfd = 1
sysctl |kernel.sysrq = 1
[ ok ]
I have disabled IPv6 so there is no entry in the log.
Something else is changing it, and to fix it you need to work out what / why. That's my idea. Or possibly you are mistaken in your belief?
You said before you run
sysctl -a | grep forward
but didn't show the output.
With rc_verbose="YES", /etc/init.d/sysctl is running this command:
sysctl --system
try that with sudo or as root and you'll get the same output as you have in rc.log.
No, I am not mistaken. You are probably right that something could change settings. However, I have no idea how to check it.
Log after logging in.
sysctl -a | grep forward
sysctl: permission denied on key 'kernel.cad_pid'
sysctl: permission denied on key 'kernel.usermodehelper.bset'
sysctl: permission denied on key 'kernel.usermodehelper.inheritable'
sysctl: permission denied on key 'net.core.bpf_jit_harden'
sysctl: permission denied on key 'net.core.bpf_jit_kallsyms'
sysctl: permission denied on key 'net.core.bpf_jit_limit'
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.dummy0.bc_forwarding = 0
net.ipv4.conf.dummy0.forwarding = 1
net.ipv4.conf.dummy0.mc_forwarding = 0
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.bc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.pvpnksintrf1.bc_forwarding = 0
net.ipv4.conf.pvpnksintrf1.forwarding = 1
net.ipv4.conf.pvpnksintrf1.mc_forwarding = 0
net.ipv4.conf.tun0.bc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.virbr0.bc_forwarding = 0
net.ipv4.conf.virbr0.forwarding = 1
net.ipv4.conf.virbr0.mc_forwarding = 0
net.ipv4.conf.wlan0.bc_forwarding = 0
net.ipv4.conf.wlan0.forwarding = 1
net.ipv4.conf.wlan0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
sysctl: permission denied on key 'net.ipv4.tcp_fastopen_key'
sysctl: permission denied on key 'vm.mmap_rnd_bits'
sysctl: permission denied on key 'vm.mmap_rnd_compat_bits'
Log after running
sysctl -e --system
* Applying /usr/lib/sysctl.d/10-artix.conf ...
* Applying /etc/sysctl.d/30-ipforward.conf ...
* Applying /usr/lib/sysctl.d/50-default.conf ...
* Applying /usr/lib/sysctl.d/60-libvirtd.conf ...
* Applying /usr/lib/sysctl.d/60-qemu-postcopy-migration.conf ...
* Applying /etc/sysctl.d/99_magic_sysrq.conf ...
fs.inotify.max_user_instances = 1024
fs.inotify.max_user_watches = 524288
vm.max_map_count = 1048576
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.promote_secondaries = 1
net.ipv4.ping_group_range = 0 2147483647
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_regular = 1
fs.protected_fifos = 1
fs.aio-max-nr = 1048576
vm.unprivileged_userfaultfd = 1
kernel.sysrq = 1
sysctl -a | grep forward
sysctl: permission denied on key 'kernel.cad_pid'
sysctl: permission denied on key 'kernel.usermodehelper.bset'
sysctl: permission denied on key 'kernel.usermodehelper.inheritable'
sysctl: permission denied on key 'net.core.bpf_jit_harden'
sysctl: permission denied on key 'net.core.bpf_jit_kallsyms'
sysctl: permission denied on key 'net.core.bpf_jit_limit'
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.dummy0.bc_forwarding = 0
net.ipv4.conf.dummy0.forwarding = 0
net.ipv4.conf.dummy0.mc_forwarding = 0
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.bc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.pvpnksintrf1.bc_forwarding = 0
net.ipv4.conf.pvpnksintrf1.forwarding = 0
net.ipv4.conf.pvpnksintrf1.mc_forwarding = 0
net.ipv4.conf.tun0.bc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 0
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.virbr0.bc_forwarding = 0
net.ipv4.conf.virbr0.forwarding = 0
net.ipv4.conf.virbr0.mc_forwarding = 0
net.ipv4.conf.wlan0.bc_forwarding = 0
net.ipv4.conf.wlan0.forwarding = 0
net.ipv4.conf.wlan0.mc_forwarding = 0
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
sysctl: permission denied on key 'net.ipv4.tcp_fastopen_key'
sysctl: permission denied on key 'vm.mmap_rnd_bits'
sysctl: permission denied on key 'vm.mmap_rnd_compat_bits'
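The two listings above show the actual problem: the boot-time run of sysctl --system applies the fragments correctly, and the live values only drift afterwards. An added example, not code from the thread or from OpenRC, that turns the "work out what / why" advice into a repeatable check: it computes the value each sysctl.d fragment set would leave behind (files applied in basename order, a basename in an earlier directory shadowing the same basename in a later one, which is how sysctl --system orders /etc/sysctl.d and /usr/lib/sysctl.d), reads the running kernel's value from /proc/sys, and reports every key that no longer matches. The function names, the argument layout and the demo's config fragments and fake /proc/sys tree are constructed for this example; run it against /proc/sys and the real directories to see which keys some service reset after boot.

```shell
#!/bin/sh
# Added example (not from the thread): report sysctl keys whose live value no
# longer matches what the sysctl.d fragments set at boot.
# Assumed semantics (simplified from sysctl --system): fragments are applied
# in basename order; when two directories carry the same basename, the
# directory given first wins. Names and layout here are this example's own.

# config_files DIR...: print the .conf files that would be applied, in order.
config_files() {
  seen=""
  for dir in "$@"; do
    for f in "$dir"/*.conf; do
      [ -r "$f" ] || continue
      b=${f##*/}
      # same basename already taken from an earlier (higher-priority) directory
      case " $seen " in *" $b "*) continue ;; esac
      seen="$seen $b"
      printf '%s %s\n' "$b" "$f"
    done
  done | LC_ALL=C sort -k1,1 | cut -d' ' -f2-
}

# expected_value KEY DIR...: the last value assigned to KEY across the files,
# i.e. the value that survives after all fragments were applied.
expected_value() {
  key=$1; shift
  config_files "$@" | {
    val=""
    while IFS= read -r f; do
      while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ""|"#"*|";"*) continue ;; esac
        # keys may be written with dots or slashes; normalise to dots
        k=$(printf '%s' "${line%%=*}" | tr -d ' \t' | tr / .)
        v=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ "$k" = "$key" ] && val=$v
      done < "$f"
    done
    printf '%s\n' "$val"
  }
}

# live_value PROCROOT KEY: what the running kernel currently has for KEY.
live_value() {
  path="$1/$(printf '%s' "$2" | tr . /)"
  if [ -r "$path" ]; then cat "$path"; else printf '\n'; fi
}

# check_drift PROCROOT "KEY ..." DIR...: print one line per key and return 1
# if any configured key differs from the live kernel value.
check_drift() {
  proc=$1; keys=$2; shift 2
  rc=0
  for key in $keys; do
    want=$(expected_value "$key" "$@")
    have=$(live_value "$proc" "$key")
    if [ -n "$want" ] && [ "$want" != "$have" ]; then
      printf 'DRIFT %-34s configured=%s live=%s\n' "$key" "$want" "$have"
      rc=1
    else
      printf 'ok    %-34s %s\n' "$key" "$have"
    fi
  done
  return $rc
}

# demo: constructed reproduction of the thread's symptom. The fragments turn
# forwarding off, but the fake /proc/sys shows something turned it back on.
demo() {
  t=$(mktemp -d)
  mkdir -p "$t/etc" "$t/lib" "$t/proc/net/ipv4/conf/all" \
           "$t/proc/net/ipv6/conf/all" "$t/proc/kernel"
  printf 'net.ipv4.ip_forward = 0\nnet.ipv4.conf.all.forwarding = 0\nnet.ipv6.conf.all.forwarding = 0\n' \
    > "$t/etc/30-ipforward.conf"
  printf 'kernel.sysrq = 1\n'  > "$t/etc/99_magic_sysrq.conf"
  printf 'kernel.sysrq = 16\n' > "$t/lib/50-default.conf"   # overridden by 99_magic_sysrq.conf
  echo 1 > "$t/proc/net/ipv4/ip_forward"                    # re-enabled after boot
  echo 1 > "$t/proc/net/ipv4/conf/all/forwarding"           # re-enabled after boot
  echo 0 > "$t/proc/net/ipv6/conf/all/forwarding"
  echo 1 > "$t/proc/kernel/sysrq"
  rc=0
  check_drift "$t/proc" \
    "net.ipv4.ip_forward net.ipv4.conf.all.forwarding net.ipv6.conf.all.forwarding kernel.sysrq" \
    "$t/etc" "$t/lib" || rc=$?
  rm -rf "$t"
  return $rc
}

# "sh sysctl-drift.sh demo" runs the constructed case; on a real box call e.g.
# check_drift /proc/sys "net.ipv4.ip_forward net.ipv4.conf.all.forwarding" /etc/sysctl.d /usr/lib/sysctl.d
case "${1:-}" in demo) demo ;; esac
```

Running the real check right after login and again after each suspect service is restarted (NetworkManager, libvirtd, the VPN) narrows down which one flips the key; a non-zero exit status makes it usable from a cron job or a monitoring hook as well. Keys whose fragment value and live value agree print as ok, so the output stays short.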
If you use any form of network manager, that would be a likely candidate for what else could be changing it after sysctl. Other than that, idk?
I use NetworkManager (https://wiki.archlinux.org/title/NetworkManager) and Portmaster (https://safing.io/). I use also qemu (https://wiki.archlinux.org/title/QEMU#Graphical_front-ends_for_QEMU)/libvirt (https://wiki.archlinux.org/title/Libvirt).
EDIT:
I found the culprit - libvirt services were setting their own configuration.