* [PATCH docs/network/perl-rs v3 0/5] sdn: enable force_forwarding for ipv6 forwarding
@ 2026-06-19 15:40 Lukas Sichert
  2026-06-19 15:40 ` [PATCH network v3 1/5] sdn: evpn: enable force_forwarding for ipv6 forwarding to subnets Lukas Sichert
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Lukas Sichert @ 2026-06-19 15:40 UTC (permalink / raw)
  To: pve-devel; +Cc: Lukas Sichert

Gabriel's upstream kernel patch [1] added
net.ipv6.conf.<iface>.force_forwarding. This allows enabling IPv6
forwarding on selected interfaces without requiring
net.ipv6.conf.all.forwarding.

This is useful for SDN setups because all.forwarding has host-wide side
effects. In particular, it disables Router Advertisement processing by
default, which can break SLAAC on unrelated interfaces. SDN only needs
forwarding on the VNet, exit-node, or fabric interfaces that participate
in routed IPv6 traffic.

This series generates ifupdown post-up/post-down commands for those
interfaces so force_forwarding is enabled when the interface is brought
up and reset when it is brought down. /network/interfaces.d/sdn gets
regenerated on SDN Apply. This means that removing a VNet also removes
the corresponding 'post-down' commands configured to the interface of
the VNet. Therefore it cannot happen that deleting one VNet in the GUI
removes force_forwarding on the outgoing interfaces, which might be used
by other VNets as well. The tests are adjusted for the generated
/etc/network/interfaces.d/sdn output. Also the series rewrites the
documentation to reflect the updated behaviour and removes the UI warning
to enable 'all.forwarding'.


[1] lkml.org/lkml/2025/7/7/577

changes from v2 to v3 (thanks @Gabriel):
-Move the IPv6 force_forwarding post-up/post-down commands out of the
subnet loop, so they are generated only once for the VNet instead of
once per subnet.
-Enable ip6-forward and force_forwarding on EVPN L3VNI VRF bridge
interfaces, fixing IPv6 forwarding when traffic exits through another
node.
-Drop the fabric edit GUI hint that told users to enable
net.ipv6.conf.all.forwarding


changes from v1 to v2 (thanks @Gabriel, @Hannes):
-add force_forwarding also to bgp fabrics
-explicitly mention the force_forwarding flag in the documentation
-add a reference link to the sysctl documentation
-mention bgp as a fabric with ipv6 support


network:

Lukas Sichert (2):
  sdn: evpn: enable force_forwarding for ipv6 forwarding to subnets
  sdn: simple: enable force_forwarding for ipv6 forwarding to subnets

 src/PVE/Network/SDN/Zones/EvpnPlugin.pm       | 28 +++++++++++++++++--
 src/PVE/Network/SDN/Zones/SimplePlugin.pm     | 16 +++++++++--
 .../expected_sdn_interfaces                   |  7 +++++
 .../exitnode_snat/expected_sdn_interfaces     |  4 +++
 .../exitnodenullroute/expected_sdn_interfaces |  7 +++++
 .../evpn/ipv4ipv6/expected_sdn_interfaces     |  7 +++++
 .../zones/evpn/ipv6/expected_sdn_interfaces   |  7 +++++
 .../evpn/ipv6underlay/expected_sdn_interfaces |  7 +++++
 .../simple/ipv4v6/expected_sdn_interfaces     |  4 +++
 .../simple/ipv6snat/expected_sdn_interfaces   |  4 +++
 10 files changed, 86 insertions(+), 5 deletions(-)


perl-rs:

Lukas Sichert (2):
  fabrics: openfabric: enable force_forwarding for ipv6 transit traffic
  fabrics: bgp: enable force_forwarding for ipv6 transit traffic

 pve-rs/src/bindings/sdn/fabrics.rs | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)


docs:

Lukas Sichert (1):
  sdn: drop global ipv6 forwarding workaround from OpenFabric docs

 pvesdn.adoc | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)


Summary over all repositories:
  12 files changed, 109 insertions(+), 21 deletions(-)

-- 
Generated by murpp 0.12.0
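
The following is an added example, not part of this message or of the patch series: a small audit of a generated ifupdown file that lists every force_forwarding hook, shows which stanza resets an interface it does not own, and flags stanzas that still set the host-wide all.forwarding sysctl. The function names, the second VNet, the plainvnet stanza and the 2001:db8:: addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit force_forwarding hooks in an ifupdown SDN config.

# Constructed sample modelled on the expected_sdn_interfaces output in this
# thread; myvnet2, plainvnet and the addresses are made up.
sample_sdn_config() {
    cat <<'EOF'
auto myvnet
iface myvnet
	address 2001:db8:1::1/64
	bridge_ports none
	ip6-forward on
	post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
	post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
	post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
	post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding

auto myvnet2
iface myvnet2
	address 2001:db8:2::1/64
	bridge_ports none
	ip6-forward on
	post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
	post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
	post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet2/force_forwarding
	post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet2/force_forwarding

auto plainvnet
iface plainvnet
	bridge_ports none
	post-up sysctl -w net.ipv6.conf.all.forwarding=1
EOF
}

# One record per hook: "<stanza> <phase> <target-iface> <value> <own|other>".
# Assumes the "echo N > /proc/sys/net/ipv6/conf/<iface>/force_forwarding" form.
force_forwarding_hooks() {
    awk '
        $1 == "iface" { stanza = $2; next }
        ($1 == "post-up" || $1 == "post-down") && $NF ~ /\/force_forwarding$/ {
            n = split($NF, part, "/")
            target = part[n - 1]
            print stanza, $1, target, $3, (target == stanza ? "own" : "other")
        }
    '
}

# Interfaces that another stanza resets to 0 on post-down: taking that stanza
# down also clears the flag on an interface it does not own.
cross_stanza_resets() {
    force_forwarding_hooks |
        awk '$2 == "post-down" && $4 == "0" && $5 == "other" { print $3 " <- " $1 }'
}

# Stanzas that still switch on host-wide IPv6 forwarding.
global_forwarding_hooks() {
    awk '
        $1 == "iface" { stanza = $2; next }
        /net\.ipv6\.conf\.all\.forwarding[ \t]*=[ \t]*1/ { print stanza }
        /echo 1 > \/proc\/sys\/net\/ipv6\/conf\/all\/forwarding/ { print stanza }
    '
}

# Usage: sh audit.sh /etc/network/interfaces.d/sdn
if [ $# -gt 0 ]; then
    echo "cross-stanza resets:"
    cross_stanza_resets < "$1"
    echo "stanzas enabling all.forwarding:"
    global_forwarding_hooks < "$1"
fi
```

On the sample, vmbr0 is reported twice, once for each VNet stanza that carries its post-down reset.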





* [PATCH network v3 1/5] sdn: evpn: enable force_forwarding for ipv6 forwarding to subnets
  2026-06-19 15:40 [PATCH docs/network/perl-rs v3 0/5] sdn: enable force_forwarding for ipv6 forwarding Lukas Sichert
@ 2026-06-19 15:40 ` Lukas Sichert
  2026-06-19 15:40 ` [PATCH network v3 2/5] sdn: simple: " Lukas Sichert
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Lukas Sichert @ 2026-06-19 15:40 UTC (permalink / raw)
  To: pve-devel; +Cc: Lukas Sichert

EVPN zones can route IPv6 subnet traffic through a VNet, an outgoing
interface, and, for L3VNI setups, a VRF bridge. Until now, this depended
on global IPv6 forwarding state, which also changes Router Advertisement
handling for the whole host.

Use the per-interface 'force_forwarding' setting instead. For IPv6
subnets that need forwarding, generate post-up/post-down commands for
the VNet interface, the outgoing interface, and the EVPN L3VNI VRF bridge
where applicable.
Update the expected SDN interface output in the zone tests accordingly.

Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
---
 src/PVE/Network/SDN/Zones/EvpnPlugin.pm       | 28 +++++++++++++++++--
 .../expected_sdn_interfaces                   |  7 +++++
 .../exitnode_snat/expected_sdn_interfaces     |  4 +++
 .../exitnodenullroute/expected_sdn_interfaces |  7 +++++
 .../evpn/ipv4ipv6/expected_sdn_interfaces     |  7 +++++
 .../zones/evpn/ipv6/expected_sdn_interfaces   |  7 +++++
 .../evpn/ipv6underlay/expected_sdn_interfaces |  7 +++++
 7 files changed, 64 insertions(+), 3 deletions(-)

diff --git a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
index dfbd7e9..bdbb219 100644
--- a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
+++ b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -238,6 +238,7 @@ sub generate_sdn_config {
     my $ipv6 = undef;
     my $enable_forward_v4 = undef;
     my $enable_forward_v6 = undef;
+
     my $subnets = PVE::Network::SDN::Vnets::get_subnets($vnetid, 1);
     foreach my $subnetid (sort keys %{$subnets}) {
         my $subnet = $subnets->{$subnetid};
@@ -267,7 +268,6 @@ sub generate_sdn_config {
         }
 
         if ($subnet->{snat}) {
-
             #find outgoing interface
             my ($outip, $outiface) =
                 PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
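Review bot: the blank line removed after "if ($subnet->{snat}) {" is unrelated to force_forwarding, as are the blank line added before "my $subnets" in the previous hunk and the trailing blank line dropped at the end of the file. Please leave these out or send them as a separate cleanup so the functional change stays easy to review.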
@@ -293,7 +293,21 @@ sub generate_sdn_config {
     push @iface_config, "mtu $mtu" if $mtu;
     push @iface_config, "alias $alias" if $alias;
     push @iface_config, "ip-forward on" if $enable_forward_v4;
-    push @iface_config, "ip6-forward on" if $enable_forward_v6;
+
+    if ($enable_forward_v6) {
+        push @iface_config, "ip6-forward on";
+
+        #find outgoing ipv6 interface
+        my ($outip, $outiface) =
+            PVE::Network::SDN::Zones::Plugin::get_local_route_ip('2001:4860:4860::8888');
+
+        push @iface_config, "post-up echo 1 > /proc/sys/net/ipv6/conf/$outiface/force_forwarding";
+        push @iface_config, "post-down echo 0 > /proc/sys/net/ipv6/conf/$outiface/force_forwarding";
+
+        push @iface_config, "post-up echo 1 > /proc/sys/net/ipv6/conf/$vnetid/force_forwarding";
+        push @iface_config, "post-down echo 0 > /proc/sys/net/ipv6/conf/$vnetid/force_forwarding";
+    }
+
     push @iface_config, "arp-accept on" if $ipv4 || $ipv6;
     push @iface_config, "vrf $vrf_iface" if $vrf_iface;
     push(@{ $config->{$vnetid} }, @iface_config) if !$config->{$vnetid};
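Review bot: the "post-down echo 0 > /proc/sys/net/ipv6/conf/$outiface/force_forwarding" line is emitted into the VNet's own stanza, so an ifdown of this one VNet clears force_forwarding on the outgoing interface while other VNets that route through it may still be up. The cover letter addresses VNet removal through regeneration of the file, but not this case; consider dropping the post-down for $outiface or managing the outgoing interface's flag in one place. Separately, the result of get_local_route_ip('2001:4860:4860::8888') is used unchecked: if it returns nothing on a host without a matching IPv6 route, $outiface interpolates as an empty string and the generated path becomes /proc/sys/net/ipv6/conf//force_forwarding. Skip both $outiface lines in that case, and add a short comment on why this hardcoded address is the probe target.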
@@ -333,6 +347,15 @@ sub generate_sdn_config {
             push @iface_config, "bridge_fd 0";
             push @iface_config, "mtu $mtu" if $mtu;
             push @iface_config, "vrf $vrf_iface";
+
+            if ($enable_forward_v6) {
+                push @iface_config, 'ip6-forward on';
+
+                push @iface_config,
+                    "post-up echo 1 > /proc/sys/net/ipv6/conf/$brvrf/force_forwarding";
+                push @iface_config,
+                    "post-down echo 0 > /proc/sys/net/ipv6/conf/$brvrf/force_forwarding";
+            }
             push(@{ $config->{$brvrf} }, @iface_config) if !$config->{$brvrf};
         }
 
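Review bot: $enable_forward_v6 is per-VNet state, but the $brvrf stanza is only pushed "if !$config->{$brvrf}", so whether the VRF bridge gets 'ip6-forward on' and the force_forwarding hooks depends on which VNet of the zone builds the stanza first. If that VNet has no IPv6 subnet that needs forwarding, a later VNet that does cannot add them. The exitnode_snat expected output in this patch gains the hooks on myvnet2 only and nothing on a VRF bridge, which looks consistent with that; please confirm this is intended or compute the flag per zone. Minor: this hunk writes 'ip6-forward on' in single quotes while the VNet hunk above uses double quotes.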
@@ -432,4 +455,3 @@ sub vnet_update_hook {
 }
 
 1;
-
diff --git a/src/test/zones/evpn/exitnode_local_routing_ipv6/expected_sdn_interfaces b/src/test/zones/evpn/exitnode_local_routing_ipv6/expected_sdn_interfaces
index b46d4e7..ea2ef9a 100644
--- a/src/test/zones/evpn/exitnode_local_routing_ipv6/expected_sdn_interfaces
+++ b/src/test/zones/evpn/exitnode_local_routing_ipv6/expected_sdn_interfaces
@@ -8,6 +8,10 @@ iface myvnet
 	bridge_fd 0
 	mtu 1450
 	ip6-forward on
+	post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
 	arp-accept on
 	vrf vrf_myzone
 
@@ -23,6 +27,9 @@ iface vrfbr_myzone
 	bridge_fd 0
 	mtu 1450
 	vrf vrf_myzone
+	ip6-forward on
+	post-up echo 1 > /proc/sys/net/ipv6/conf/vrfbr_myzone/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/vrfbr_myzone/force_forwarding
 
 auto vrfvx_myzone
 iface vrfvx_myzone
diff --git a/src/test/zones/evpn/exitnode_snat/expected_sdn_interfaces b/src/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
index 0d7d174..ee907bf 100644
--- a/src/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
+++ b/src/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
@@ -27,6 +27,10 @@ iface myvnet2
 	bridge_fd 0
 	mtu 1450
 	ip6-forward on
+	post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet2/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet2/force_forwarding
 	arp-accept on
 	vrf vrf_myzone
 
diff --git a/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces b/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces
index 4bf5ccf..5a378b4 100644
--- a/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces
+++ b/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces
@@ -14,6 +14,10 @@ iface myvnet
 	mtu 1450
 	ip-forward on
 	ip6-forward on
+	post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
 	arp-accept on
 	vrf vrf_myzone
 
@@ -47,6 +51,9 @@ iface vrfbr_myzone
 	bridge_fd 0
 	mtu 1450
 	vrf vrf_myzone
+	ip6-forward on
+	post-up echo 1 > /proc/sys/net/ipv6/conf/vrfbr_myzone/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/vrfbr_myzone/force_forwarding
 
 auto vrfbr_myzone2
 iface vrfbr_myzone2
diff --git a/src/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces b/src/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
index 7a5d741..d9e63ab 100644
--- a/src/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
+++ b/src/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
@@ -11,6 +11,10 @@ iface myvnet
 	mtu 1450
 	ip-forward on
 	ip6-forward on
+	post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
 	arp-accept on
 	vrf vrf_myzone
 
@@ -26,6 +30,9 @@ iface vrfbr_myzone
 	bridge_fd 0
 	mtu 1450
 	vrf vrf_myzone
+	ip6-forward on
+	post-up echo 1 > /proc/sys/net/ipv6/conf/vrfbr_myzone/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/vrfbr_myzone/force_forwarding
 
 auto vrfvx_myzone
 iface vrfvx_myzone
diff --git a/src/test/zones/evpn/ipv6/expected_sdn_interfaces b/src/test/zones/evpn/ipv6/expected_sdn_interfaces
index b2bdbfe..39c07bf 100644
--- a/src/test/zones/evpn/ipv6/expected_sdn_interfaces
+++ b/src/test/zones/evpn/ipv6/expected_sdn_interfaces
@@ -9,6 +9,10 @@ iface myvnet
 	bridge_fd 0
 	mtu 1450
 	ip6-forward on
+	post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
 	arp-accept on
 	vrf vrf_myzone
 
@@ -24,6 +28,9 @@ iface vrfbr_myzone
 	bridge_fd 0
 	mtu 1450
 	vrf vrf_myzone
+	ip6-forward on
+	post-up echo 1 > /proc/sys/net/ipv6/conf/vrfbr_myzone/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/vrfbr_myzone/force_forwarding
 
 auto vrfvx_myzone
 iface vrfvx_myzone
diff --git a/src/test/zones/evpn/ipv6underlay/expected_sdn_interfaces b/src/test/zones/evpn/ipv6underlay/expected_sdn_interfaces
index 3b91f75..13941f4 100644
--- a/src/test/zones/evpn/ipv6underlay/expected_sdn_interfaces
+++ b/src/test/zones/evpn/ipv6underlay/expected_sdn_interfaces
@@ -9,6 +9,10 @@ iface myvnet
 	bridge_fd 0
 	mtu 1450
 	ip6-forward on
+	post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
 	arp-accept on
 	vrf vrf_myzone
 
@@ -24,6 +28,9 @@ iface vrfbr_myzone
 	bridge_fd 0
 	mtu 1450
 	vrf vrf_myzone
+	ip6-forward on
+	post-up echo 1 > /proc/sys/net/ipv6/conf/vrfbr_myzone/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/vrfbr_myzone/force_forwarding
 
 auto vrfvx_myzone
 iface vrfvx_myzone
-- 
2.47.3






* [PATCH network v3 2/5] sdn: simple: enable force_forwarding for ipv6 forwarding to subnets
  2026-06-19 15:40 [PATCH docs/network/perl-rs v3 0/5] sdn: enable force_forwarding for ipv6 forwarding Lukas Sichert
  2026-06-19 15:40 ` [PATCH network v3 1/5] sdn: evpn: enable force_forwarding for ipv6 forwarding to subnets Lukas Sichert
@ 2026-06-19 15:40 ` Lukas Sichert
  2026-06-19 15:40 ` [PATCH perl-rs v3 3/5] fabrics: openfabric: enable force_forwarding for ipv6 transit traffic Lukas Sichert
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Lukas Sichert @ 2026-06-19 15:40 UTC (permalink / raw)
  To: pve-devel; +Cc: Lukas Sichert

Simple zones can route ipv6 subnet traffic through a VNet bridge. Until
now, this depended on global ipv6 forwarding state, which also changes
Router Advertisement handling for the whole host.

Use the per-interface 'force_forwarding' setting instead. For ipv6
subnets that need forwarding, generate post-up/post-down commands for
both the VNet interface and the outgoing interface. Track interfaces
that already received 'force_forwarding' commands to avoid duplicates
when multiple subnets share the same outgoing path.
Update the expected SDN interface output in the zone tests accordingly.

Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
---
 src/PVE/Network/SDN/Zones/SimplePlugin.pm        | 16 ++++++++++++++--
 .../zones/simple/ipv4v6/expected_sdn_interfaces  |  4 ++++
 .../simple/ipv6snat/expected_sdn_interfaces      |  4 ++++
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Network/SDN/Zones/SimplePlugin.pm b/src/PVE/Network/SDN/Zones/SimplePlugin.pm
index f5cd18e..47ed170 100644
--- a/src/PVE/Network/SDN/Zones/SimplePlugin.pm
+++ b/src/PVE/Network/SDN/Zones/SimplePlugin.pm
@@ -140,7 +140,20 @@ sub generate_sdn_config {
     push @iface_config, "mtu $mtu" if $mtu;
     push @iface_config, "alias $alias" if $alias;
     push @iface_config, "ip-forward on" if $enable_forward_v4;
-    push @iface_config, "ip6-forward on" if $enable_forward_v6;
+
+    if ($enable_forward_v6) {
+        push @iface_config, "ip6-forward on";
+
+        #find outgoing ipv6 interface
+        my ($outip, $outiface) =
+            PVE::Network::SDN::Zones::Plugin::get_local_route_ip('2001:4860:4860::8888');
+
+        push @iface_config, "post-up echo 1 > /proc/sys/net/ipv6/conf/$outiface/force_forwarding";
+        push @iface_config, "post-down echo 0 > /proc/sys/net/ipv6/conf/$outiface/force_forwarding";
+
+        push @iface_config, "post-up echo 1 > /proc/sys/net/ipv6/conf/$vnetid/force_forwarding";
+        push @iface_config, "post-down echo 0 > /proc/sys/net/ipv6/conf/$vnetid/force_forwarding";
+    }
 
     push @{ $config->{$vnetid} }, @iface_config;
 
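Review bot: nothing in this block tracks interfaces that already received force_forwarding commands, although the commit message says duplicates are avoided that way; with the block moved out of the subnet loop per the v3 changelog, either the message or the code is stale. The block is also a line-for-line copy of the one added to EvpnPlugin.pm in 1/5, including the unchecked $outiface from get_local_route_ip('2001:4860:4860::8888') and the post-down that resets the shared outgoing interface. A shared helper in PVE::Network::SDN::Zones::Plugin would keep the two plugins in sync and give one place to add the missing check.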
@@ -168,4 +181,3 @@ sub get_mtu {
 }
 
 1;
-
diff --git a/src/test/zones/simple/ipv4v6/expected_sdn_interfaces b/src/test/zones/simple/ipv4v6/expected_sdn_interfaces
index 34ed5db..54e5664 100644
--- a/src/test/zones/simple/ipv4v6/expected_sdn_interfaces
+++ b/src/test/zones/simple/ipv4v6/expected_sdn_interfaces
@@ -9,3 +9,7 @@ iface myvnet
 	bridge_fd 0
 	ip-forward on
 	ip6-forward on
+	post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
diff --git a/src/test/zones/simple/ipv6snat/expected_sdn_interfaces b/src/test/zones/simple/ipv6snat/expected_sdn_interfaces
index 5f6d40b..46f2441 100644
--- a/src/test/zones/simple/ipv6snat/expected_sdn_interfaces
+++ b/src/test/zones/simple/ipv6snat/expected_sdn_interfaces
@@ -11,3 +11,7 @@ iface myvnet
 	bridge_stp off
 	bridge_fd 0
 	ip6-forward on
+	post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+	post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+	post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
-- 
2.47.3






* [PATCH perl-rs v3 3/5] fabrics: openfabric: enable force_forwarding for ipv6 transit traffic
  2026-06-19 15:40 [PATCH docs/network/perl-rs v3 0/5] sdn: enable force_forwarding for ipv6 forwarding Lukas Sichert
  2026-06-19 15:40 ` [PATCH network v3 1/5] sdn: evpn: enable force_forwarding for ipv6 forwarding to subnets Lukas Sichert
  2026-06-19 15:40 ` [PATCH network v3 2/5] sdn: simple: " Lukas Sichert
@ 2026-06-19 15:40 ` Lukas Sichert
  2026-06-19 15:40 ` [PATCH perl-rs v3 4/5] fabrics: bgp: " Lukas Sichert
  2026-06-19 15:40 ` [PATCH docs v3 5/5] sdn: drop global ipv6 forwarding workaround from OpenFabric docs Lukas Sichert
  4 siblings, 0 replies; 6+ messages in thread
From: Lukas Sichert @ 2026-06-19 15:40 UTC (permalink / raw)
  To: pve-devel; +Cc: Lukas Sichert

In a non-full-mesh OpenFabric setup, nodes may need to relay traffic
between peers that are not directly connected. This requires forwarding
ipv6 packets between fabric bridges. With the addition of
'force_forwarding' to the Linux kernel, this can be done without
enabling 'all.forwarding', which disables Router Advertisements.

Configure fabric bridges with the required 'post-up'/'post-down'
commands to enable 'force_forwarding'.

Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
---
 pve-rs/src/bindings/sdn/fabrics.rs | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pve-rs/src/bindings/sdn/fabrics.rs b/pve-rs/src/bindings/sdn/fabrics.rs
index f96b6b1..785b537 100644
--- a/pve-rs/src/bindings/sdn/fabrics.rs
+++ b/pve-rs/src/bindings/sdn/fabrics.rs
@@ -596,6 +596,16 @@ pub mod pve_rs_sdn_fabrics {
             writeln!(interface, "\tlink-type {link_type}")?;
         }
         writeln!(interface, "\tip-forward 1")?;
+        if cidr.is_ipv6() {
+            writeln!(
+                interface,
+                "\tpost-up echo 1 > /proc/sys/net/ipv6/conf/{name}/force_forwarding"
+            )?;
+            writeln!(
+                interface,
+                "\tpost-down echo 0 > /proc/sys/net/ipv6/conf/{name}/force_forwarding"
+            )?;
+        }
 
         Ok(interface)
     }
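Review bot: the "post-up echo 1 > /proc/sys/net/ipv6/conf/{name}/force_forwarding" line assumes the running kernel provides the force_forwarding sysctl; on a kernel without it the file does not exist and the redirect fails when the interface comes up. Either guard the write with a test for the file or state the minimum kernel in the commit message and docs. Also, this path writes only "ip-forward 1" before the new lines, while the BGP path in 4/5 and the zone plugins emit ip6-forward as well; a comment saying whether that difference is intentional would help.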
-- 
2.47.3






* [PATCH perl-rs v3 4/5] fabrics: bgp: enable force_forwarding for ipv6 transit traffic
  2026-06-19 15:40 [PATCH docs/network/perl-rs v3 0/5] sdn: enable force_forwarding for ipv6 forwarding Lukas Sichert
                   ` (2 preceding siblings ...)
  2026-06-19 15:40 ` [PATCH perl-rs v3 3/5] fabrics: openfabric: enable force_forwarding for ipv6 transit traffic Lukas Sichert
@ 2026-06-19 15:40 ` Lukas Sichert
  2026-06-19 15:40 ` [PATCH docs v3 5/5] sdn: drop global ipv6 forwarding workaround from OpenFabric docs Lukas Sichert
  4 siblings, 0 replies; 6+ messages in thread
From: Lukas Sichert @ 2026-06-19 15:40 UTC (permalink / raw)
  To: pve-devel; +Cc: Lukas Sichert

In a non-full-mesh BGP-fabric setup, nodes may need to relay traffic
between peers that are not directly connected. This requires forwarding
ipv6 packets between fabric bridges. With the addition of
'force_forwarding' to the Linux kernel, this can be done without
enabling 'all.forwarding', which disables Router Advertisements.

Configure fabric bridges with the required 'post-up'/'post-down'
commands to enable 'force_forwarding'.

Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
---
 pve-rs/src/bindings/sdn/fabrics.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pve-rs/src/bindings/sdn/fabrics.rs b/pve-rs/src/bindings/sdn/fabrics.rs
index 785b537..000ecb7 100644
--- a/pve-rs/src/bindings/sdn/fabrics.rs
+++ b/pve-rs/src/bindings/sdn/fabrics.rs
@@ -774,6 +774,14 @@ pub mod pve_rs_sdn_fabrics {
                             writeln!(interfaces, "iface {name} inet manual")?;
                             writeln!(interfaces, "\tip-forward 1")?;
                             writeln!(interfaces, "\tip6-forward 1")?;
+                            writeln!(
+                                interfaces,
+                                "\tpost-up echo 1 > /proc/sys/net/ipv6/conf/{name}/force_forwarding"
+                            )?;
+                            writeln!(
+                                interfaces,
+                                "\tpost-down echo 0 > /proc/sys/net/ipv6/conf/{name}/force_forwarding"
+                            )?;
                             // BGP unnumbered uses RAs to discover peer link-local
                             // addresses. frr listens for them itself, but the kernel
                             // would otherwise install RA-derived routes we don't want.
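Review bot: these two writeln! calls are emitted unconditionally, whereas the OpenFabric path in 3/5 gates the same pair on cidr.is_ipv6(); if that is deliberate because "ip6-forward 1" is already unconditional here, say so in a comment. The format strings are now duplicated across both fabric paths, so a small helper taking the interface name would stop the copies from drifting. The new lines also land directly above the existing comment about RA-derived routes; since BGP unnumbered depends on RAs, a sentence there on how force_forwarding interacts with RA handling on this interface would be useful.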
-- 
2.47.3






* [PATCH docs v3 5/5] sdn: drop global ipv6 forwarding workaround from OpenFabric docs
  2026-06-19 15:40 [PATCH docs/network/perl-rs v3 0/5] sdn: enable force_forwarding for ipv6 forwarding Lukas Sichert
                   ` (3 preceding siblings ...)
  2026-06-19 15:40 ` [PATCH perl-rs v3 4/5] fabrics: bgp: " Lukas Sichert
@ 2026-06-19 15:40 ` Lukas Sichert
  4 siblings, 0 replies; 6+ messages in thread
From: Lukas Sichert @ 2026-06-19 15:40 UTC (permalink / raw)
  To: pve-devel; +Cc: Lukas Sichert

OpenFabric fabrics with ipv6 need forwarding on transit nodes so packets
can be relayed between peers that are not directly connected.

Drop the old recommendation to enable host-wide
net.ipv6.conf.all.forwarding from the documentation. The generated fabric
interface configuration now handles the required forwarding setup, so the
manual global forwarding workaround is no longer needed.

Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
---
 pvesdn.adoc | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)

diff --git a/pvesdn.adoc b/pvesdn.adoc
index d20a0eb..d11fec7 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -604,23 +604,12 @@ behavior and proper source address selection throughout the fabric.
 Notes on IPv6
 ^^^^^^^^^^^^^
 
-IPv6 is currently only usable on OpenFabric fabrics. These IPv6 Fabrics need
-global IPv6 forwarding enabled on all nodes contained in the fabric. Without
+IPv6 is currently only usable on OpenFabric and BGP fabrics. These IPv6 Fabrics
+need IPv6 forwarding enabled on all transit nodes contained in the fabric. Without
 IPv6 forwarding, non-full-mesh fabrics won't work because the transit nodes
-don't forward packets to the outer nodes. Currently there isn't an easy way to
-enable IPv6 forwarding per-interface like with IPv4, so it has to be enabled
-globally. This can be accomplished by appending this line:
-
-----
-post-up sysctl -w net.ipv6.conf.all.forwarding=1
-----
-
-to a fabric interface in the `/etc/network/interfaces` file. This will enable
-IPv6 forwarding globally once that interface comes up. Note that this affects
-how your interfaces handle automatic IPv6 setup (SLAAC), Neighbour
-Advertisements, Router Solicitations, and Router Advertisements. More details
-here: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt under
-`net.ipv6.conf.all.forwarding`.
+don't forward packets to the outer nodes. IPv6 forwarding is enabled by default
+on the necessary interfaces using the force_forwarding flag. More details here:
+docs.kernel.org/networking/ip-sysctl.html
 
 [[pvesdn_openfabric]]
 OpenFabric
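Review bot: the new text names the flag only as force_forwarding and says forwarding is "enabled by default", without the full sysctl name or the kernel it requires. Suggest writing net.ipv6.conf.<iface>.force_forwarding in backticks, as the removed text did for net.ipv6.conf.all.forwarding, and stating that the generated post-up/post-down hooks set it. As written here the link has no https:// scheme, unlike the URL it replaces, and the second added line ("need IPv6 forwarding enabled ... Without") is longer than the surrounding wrapped lines.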
-- 
2.47.3




