Gate IPv6 forwarding on overlay v6 capability and preserve host RA acceptance

client/internal/debug/debug_linux.go

@@ -844,6 +844,10 @@ func collectSysctls() string {
 		[]string{"net.ipv4.conf.all.src_valid_mark", "net.ipv4.conf.default.src_valid_mark"},
 		listInterfaceSysctls("ipv4", "src_valid_mark")...,
 	))
+	writeSysctlGroup(&builder, "accept_ra", append(
+		[]string{"net.ipv6.conf.all.accept_ra", "net.ipv6.conf.default.accept_ra"},
+		listInterfaceSysctls("ipv6", "accept_ra")...,
+	))
 	writeSysctlGroup(&builder, "conntrack", []string{
 		"net.netfilter.nf_conntrack_acct",
 		"net.netfilter.nf_conntrack_tcp_loose",

client/internal/routemanager/ipfwdstate/ipfwdstate.go

@@ -2,54 +2,106 @@ package ipfwdstate
 
 import (
 	"fmt"
+	"sync"
 
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )
 
-// IPForwardingState is a struct that keeps track of the IP forwarding state.
-// todo: read initial state of the IP forwarding from the system and reset the state based on it.
-// todo: separate v4/v6 forwarding state, since the sysctls are independent
-// (net.ipv4.ip_forward vs net.ipv6.conf.all.forwarding). Currently the nftables
-// manager shares one instance between both routers, which works only because
-// EnableIPForwarding enables both sysctls in a single call.
+// IPForwardingState tracks per-family IP-forwarding sysctl enables with a
+// refcount. v4 and v6 are independent so a v4-only routing setup doesn't flip
+// net.ipv6.conf.all.forwarding, which on Linux disables RA acceptance by
+// default and lets host RA-installed defaults silently expire.
 type IPForwardingState struct {
-	enabledCounter int
+	mu sync.Mutex
+
+	v4Count int
+	v6Count int
+
+	// wgIfaceName is excluded from the v6 accept_ra bump since the overlay
+	// interface doesn't carry upstream RAs.
+	wgIfaceName string
+	// v6Saved records the sysctl values captured when v6 forwarding was
+	// enabled (forwarding + per-interface accept_ra), restored on the last
+	// release.
+	v6Saved map[string]int
 }
 
-func NewIPForwardingState() *IPForwardingState {
-	return &IPForwardingState{}
+func NewIPForwardingState(wgIfaceName string) *IPForwardingState {
+	return &IPForwardingState{wgIfaceName: wgIfaceName}
 }
 
-func (f *IPForwardingState) RequestForwarding() error {
-	if f.enabledCounter != 0 {
-		f.enabledCounter++
-		return nil
-	}
+// RequestForwarding bumps the per-family counter, enabling the underlying
+// sysctl on the first request.
+func (f *IPForwardingState) RequestForwarding(v6 bool) error {
+	f.mu.Lock()
+	defer f.mu.Unlock()
 
-	if err := systemops.EnableIPForwarding(); err != nil {
-		return fmt.Errorf("failed to enable IP forwarding with sysctl: %w", err)
+	if v6 {
+		return f.requestV6()
 	}
-	f.enabledCounter = 1
-	log.Info("IP forwarding enabled")
+	return f.requestV4()
+}
 
+// ReleaseForwarding decrements the per-family counter. The last v6 release
+// also restores the sysctls v6 enable captured. v4 stays on: net.ipv4.ip_forward
+// is a global knob other tools (docker, k8s, libvirt) co-own.
+func (f *IPForwardingState) ReleaseForwarding(v6 bool) error {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+
+	if v6 {
+		return f.releaseV6()
+	}
+	f.releaseV4()
 	return nil
 }
 
-func (f *IPForwardingState) ReleaseForwarding() error {
-	if f.enabledCounter == 0 {
-		return nil
+func (f *IPForwardingState) requestV4() error {
+	if f.v4Count == 0 {
+		if err := systemops.EnableV4IPForwarding(); err != nil {
+			return fmt.Errorf("enable IPv4 forwarding: %w", err)
+		}
+		log.Info("IPv4 forwarding enabled")
 	}
-
-	if f.enabledCounter > 1 {
-		f.enabledCounter--
-		return nil
-	}
-
-	// if failed to disable IP forwarding we anyway decrement the counter
-	f.enabledCounter = 0
-
-	// todo call systemops.DisableIPForwarding()
+	f.v4Count++
+	return nil
+}
+
+func (f *IPForwardingState) releaseV4() {
+	if f.v4Count > 0 {
+		f.v4Count--
+	}
+}
+
+func (f *IPForwardingState) requestV6() error {
+	if f.v6Count == 0 {
+		saved, err := systemops.EnableV6IPForwarding(f.wgIfaceName)
+		f.v6Saved = saved
+		if err != nil {
+			return fmt.Errorf("enable IPv6 forwarding: %w", err)
+		}
+		log.Info("IPv6 forwarding enabled")
+	}
+	f.v6Count++
+	return nil
+}
+
+func (f *IPForwardingState) releaseV6() error {
+	if f.v6Count == 0 {
+		return nil
+	}
+	f.v6Count--
+	if f.v6Count > 0 {
+		return nil
+	}
+
+	saved := f.v6Saved
+	f.v6Saved = nil
+	if err := systemops.DisableV6IPForwarding(saved); err != nil {
+		return fmt.Errorf("disable IPv6 forwarding: %w", err)
+	}
+	log.Info("IPv6 forwarding disabled")
 	return nil
 }

client/internal/routemanager/systemops/systemops_android.go

@@ -32,8 +32,17 @@ func (r *SysOps) removeFromRouteTable(netip.Prefix, Nexthop) error {
 	return nil
 }
 
-func EnableIPForwarding() error {
-	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
+func EnableV4IPForwarding() error {
+	log.Infof("Enable IPv4 forwarding is not implemented on %s", runtime.GOOS)
+	return nil
+}
+
+func EnableV6IPForwarding(string) (map[string]int, error) {
+	log.Infof("Enable IPv6 forwarding is not implemented on %s", runtime.GOOS)
+	return nil, nil
+}
+
+func DisableV6IPForwarding(map[string]int) error {
 	return nil
 }
 

client/internal/routemanager/systemops/systemops_ios.go

@@ -58,8 +58,17 @@ func (r *SysOps) removeFromRouteTable(netip.Prefix, Nexthop) error {
 	return nil
 }
 
-func EnableIPForwarding() error {
-	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
+func EnableV4IPForwarding() error {
+	log.Infof("Enable IPv4 forwarding is not implemented on %s", runtime.GOOS)
+	return nil
+}
+
+func EnableV6IPForwarding(string) (map[string]int, error) {
+	log.Infof("Enable IPv6 forwarding is not implemented on %s", runtime.GOOS)
+	return nil, nil
+}
+
+func DisableV6IPForwarding(map[string]int) error {
 	return nil
 }
 

client/internal/routemanager/systemops/systemops_linux.go

@@ -9,6 +9,7 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"strings"
 	"syscall"
 
 	"github.com/hashicorp/go-multierror"
@@ -55,6 +56,11 @@ const (
 	ipv4ForwardingPath = "net.ipv4.ip_forward"
 	// ipv6ForwardingPath is the path to the file containing the IPv6 forwarding setting.
 	ipv6ForwardingPath = "net.ipv6.conf.all.forwarding"
+	// acceptRAInterfacePath toggles per-interface IPv6 RA acceptance.
+	// 1 (kernel default) accepts RAs only when forwarding is off; 2 keeps
+	// RA processing enabled even when forwarding is on, so RA-installed host
+	// defaults survive our v6 forwarding flip.
+	acceptRAInterfacePath = "net.ipv6.conf.%s.accept_ra"
 )
 
 var ErrTableIDExists = errors.New("ID exists with different name")
@@ -763,16 +769,81 @@ func flushRoutes(tableID, family int) error {
 	return nberrors.FormatErrorOrNil(result)
 }
 
-func EnableIPForwarding() error {
+func EnableV4IPForwarding() error {
 	if _, err := sysctl.Set(ipv4ForwardingPath, 1, false); err != nil {
 		return err
 	}
-	if _, err := sysctl.Set(ipv6ForwardingPath, 1, false); err != nil {
-		log.Warnf("failed to enable IPv6 forwarding: %v", err)
-	}
 	return nil
 }
 
+// EnableV6IPForwarding bumps accept_ra=2 on every non-loopback v6 interface
+// before flipping forwarding=1, so RA-installed host defaults survive the flip.
+// wgIfaceName is excluded since the overlay interface doesn't carry upstream RAs.
+//
+// The returned map records prior sysctl values for entries we actually changed
+// (forwarding + per-interface accept_ra); DisableV6IPForwarding restores from
+// it. Entries we found already at the target value are omitted so another
+// process's sysctls aren't reset by our cleanup.
+func EnableV6IPForwarding(wgIfaceName string) (map[string]int, error) {
+	saved := map[string]int{}
+	bumpAcceptRA(saved, wgIfaceName)
+
+	oldVal, err := sysctl.Set(ipv6ForwardingPath, 1, false)
+	if err != nil {
+		return saved, err
+	}
+	if oldVal != 1 {
+		saved[ipv6ForwardingPath] = oldVal
+	}
+	return saved, nil
+}
+
+// DisableV6IPForwarding restores every sysctl value EnableV6IPForwarding
+// captured. v4 is intentionally not disabled: net.ipv4.ip_forward is a global
+// knob other tools (docker, k8s, libvirt) co-own.
+func DisableV6IPForwarding(saved map[string]int) error {
+	var result *multierror.Error
+	for key, value := range saved {
+		if _, err := sysctl.Set(key, value, false); err != nil {
+			result = multierror.Append(result, fmt.Errorf("restore %s: %w", key, err))
+		}
+	}
+	return nberrors.FormatErrorOrNil(result)
+}
+
+func bumpAcceptRA(saved map[string]int, wgIfaceName string) {
+	interfaces, err := net.Interfaces()
+	if err != nil {
+		log.Warnf("list interfaces for accept_ra: %v", err)
+		return
+	}
+	for _, intf := range interfaces {
+		if intf.Name == "lo" || intf.Name == wgIfaceName {
+			continue
+		}
+		bumpAcceptRAForInterface(saved, intf.Name)
+	}
+}
+
+func bumpAcceptRAForInterface(saved map[string]int, name string) {
+	key := fmt.Sprintf(acceptRAInterfacePath, name)
+	procPath := "/proc/sys/" + strings.ReplaceAll(key, ".", "/")
+	if _, err := os.Stat(procPath); err != nil {
+		// No IPv6 stack on this interface.
+		return
+	}
+	// onlyIfOne=true: only bump from the kernel default; preserves admin
+	// overrides of 0 (don't accept RAs) or 2 (already what we want).
+	oldVal, err := sysctl.Set(key, 2, true)
+	if err != nil {
+		log.Warnf("bump %s: %v", key, err)
+		return
+	}
+	if oldVal != 2 {
+		saved[key] = oldVal
+	}
+}
+
 // entryExists checks if the specified ID or name already exists in the rt_tables file
 // and verifies if existing names start with "netbird_".
 func entryExists(file *os.File, id int) (bool, error) {

client/internal/routemanager/systemops/systemops_nonlinux.go

@@ -43,8 +43,17 @@ func (r *SysOps) RemoveVPNRoute(prefix netip.Prefix, intf *net.Interface) error
 	return r.genericRemoveVPNRoute(prefix, intf)
 }
 
-func EnableIPForwarding() error {
-	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
+func EnableV4IPForwarding() error {
+	log.Infof("Enable IPv4 forwarding is not implemented on %s", runtime.GOOS)
+	return nil
+}
+
+func EnableV6IPForwarding(string) (map[string]int, error) {
+	log.Infof("Enable IPv6 forwarding is not implemented on %s", runtime.GOOS)
+	return nil, nil
+}
+
+func DisableV6IPForwarding(map[string]int) error {
 	return nil
 }