* [PATCH docs/network/perl-rs 0/4] sdn: enable force_forwarding for ipv6 forwarding
From: Lukas Sichert @ 2026-06-01 15:15 UTC (permalink / raw)
To: pve-devel; +Cc: Lukas Sichert
Gabriel's upstream kernel patch [1] added
net.ipv6.conf.<iface>.force_forwarding. This allows enabling IPv6
forwarding on selected interfaces without requiring
net.ipv6.conf.all.forwarding.
This is useful for SDN setups because all.forwarding has host-wide side
effects. In particular, it disables Router Advertisement processing by
default, which can break SLAAC on unrelated interfaces. SDN only needs
forwarding on the VNet, exit-node, or fabric interfaces that participate
in routed IPv6 traffic.
This series generates ifupdown post-up/post-down commands for those
interfaces so force_forwarding is enabled when the interface is brought
up and reset when it is brought down.
The tests are adjusted for the generated /etc/network/interfaces.d/sdn
output.
Also, the series rewrites the documentation to reflect the updated
behaviour.
[1] lkml.org/lkml/2025/7/7/577
network:
Lukas Sichert (2):
sdn: evpn: enable force_forwarding for ipv6 forwarding to subnets
sdn: simple: enable force_forwarding for ipv6 forwarding to subnets
src/PVE/Network/SDN/Zones/EvpnPlugin.pm | 20 +++++++++++++++----
src/PVE/Network/SDN/Zones/SimplePlugin.pm | 20 +++++++++++++++----
.../expected_sdn_interfaces | 4 ++++
.../exitnode_snat/expected_sdn_interfaces | 4 ++++
.../exitnodenullroute/expected_sdn_interfaces | 4 ++++
.../evpn/ipv4ipv6/expected_sdn_interfaces | 4 ++++
.../zones/evpn/ipv6/expected_sdn_interfaces | 4 ++++
.../evpn/ipv6underlay/expected_sdn_interfaces | 4 ++++
.../simple/ipv4v6/expected_sdn_interfaces | 4 ++++
.../simple/ipv6snat/expected_sdn_interfaces | 4 ++++
10 files changed, 64 insertions(+), 8 deletions(-)
perl-rs:
Lukas Sichert (1):
fabrics: openfabric: enable force_forwarding for ipv6 transit traffic
pve-rs/src/bindings/sdn/fabrics.rs | 10 ++++++++++
1 file changed, 10 insertions(+)
docs:
Lukas Sichert (1):
sdn: drop global IPv6 forwarding workaround from OpenFabric docs
pvesdn.adoc | 18 +++---------------
1 file changed, 3 insertions(+), 15 deletions(-)
Summary over all repositories:
12 files changed, 77 insertions(+), 23 deletions(-)
--
Generated by murpp 0.12.0
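The enable-on-up / reset-on-down behaviour described in this cover letter can be checked mechanically on the generated stanzas. The following is an added example, not code from this series or from Proxmox: a small Python parser for ifupdown stanza text in the style of the `expected_sdn_interfaces` fixtures that reports `force_forwarding` enables without a matching reset, and stanzas that reset `force_forwarding` on an interface other than their own while another stanza also enables it. The sample input is constructed; the second VNet `myvnet2` and its address are assumptions.

```python
import re
from collections import defaultdict

# Matches the hook lines generated by this series, for example:
#   post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
HOOK_RE = re.compile(
    r"^(post-up|post-down)\s+echo\s+([01])\s*>\s*"
    r"/proc/sys/net/ipv6/conf/([^/\s]+)/force_forwarding\s*$"
)

# Constructed sample: two VNets sharing the outgoing bridge vmbr0.
# myvnet2 deliberately lacks the post-down reset for itself.
SAMPLE = """\
auto myvnet
iface myvnet
    address 2a08:2142:302:3::1/64
    post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
    post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
    post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
    post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding

auto myvnet2
iface myvnet2
    address 2001:db8:0:4::1/64
    post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
    post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
    post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet2/force_forwarding
"""


def parse_hooks(text):
    """Return {stanza: [(phase, value, target_iface), ...]} in file order."""
    hooks = defaultdict(list)
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("iface "):
            stanza = line.split()[1]
            continue
        match = HOOK_RE.match(line)
        if match and stanza is not None:
            phase, value, target = match.groups()
            hooks[stanza].append((phase, int(value), target))
    return dict(hooks)


def audit(text):
    """Return a list of (kind, stanza, target_iface, other_stanzas) findings.

    no-reset:     stanza enables force_forwarding on target but never resets it.
    shared-reset: stanza resets a foreign interface that other stanzas also
                  enable, so taking this stanza down affects them.
    """
    hooks = parse_hooks(text)
    findings = []
    enablers = defaultdict(set)  # target interface -> stanzas enabling it

    for stanza, entries in hooks.items():
        enabled = {t for p, v, t in entries if p == "post-up" and v == 1}
        reset = {t for p, v, t in entries if p == "post-down" and v == 0}
        for target in sorted(enabled - reset):
            findings.append(("no-reset", stanza, target, ()))
        for target in enabled:
            enablers[target].add(stanza)

    for stanza, entries in hooks.items():
        for phase, value, target in entries:
            if phase == "post-down" and value == 0 and target != stanza:
                others = tuple(sorted(enablers[target] - {stanza}))
                if others:
                    findings.append(("shared-reset", stanza, target, others))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```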
* [PATCH network 1/4] sdn: evpn: enable force_forwarding for ipv6 forwarding to subnets
From: Lukas Sichert @ 2026-06-01 15:15 UTC (permalink / raw)
To: pve-devel; +Cc: Lukas Sichert
EVPN zones can route IPv6 subnet traffic through a VNet and an outgoing
interface. Until now, this depended on global IPv6 forwarding state,
which also changes Router Advertisement handling for the whole host.
Use the per-interface 'force_forwarding' setting instead. For IPv6
subnets that need forwarding, generate post-up/post-down commands for
both the VNet interface and the outgoing interface. Track interfaces
that already received 'force_forwarding' commands to avoid duplicates
when multiple subnets share the same outgoing path. Update the expected
SDN interface output in the zone tests accordingly.
Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
---
src/PVE/Network/SDN/Zones/EvpnPlugin.pm | 20 +++++++++++++++----
.../expected_sdn_interfaces | 4 ++++
.../exitnode_snat/expected_sdn_interfaces | 4 ++++
.../exitnodenullroute/expected_sdn_interfaces | 4 ++++
.../evpn/ipv4ipv6/expected_sdn_interfaces | 4 ++++
.../zones/evpn/ipv6/expected_sdn_interfaces | 4 ++++
.../evpn/ipv6underlay/expected_sdn_interfaces | 4 ++++
7 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
index dfbd7e9..7622457 100644
--- a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
+++ b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -238,11 +238,13 @@ sub generate_sdn_config {
my $ipv6 = undef;
my $enable_forward_v4 = undef;
my $enable_forward_v6 = undef;
+ my $force_forward_enabled = {};
my $subnets = PVE::Network::SDN::Vnets::get_subnets($vnetid, 1);
foreach my $subnetid (sort keys %{$subnets}) {
my $subnet = $subnets->{$subnetid};
my $cidr = $subnet->{cidr};
my $mask = $subnet->{mask};
+ my $vnet = $subnet->{vnet};
my $gateway = $subnet->{gateway};
if ($gateway) {
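Review bot: the added `my $vnet = $subnet->{vnet};` re-reads a value this function already has. The context line above calls `get_subnets($vnetid, 1)`, so every subnet in the loop belongs to `$vnetid`; using `$vnetid` in the generated paths avoids interpolating an undefined `$vnet` if a subnet entry lacks that key. A one-line comment on `$force_forward_enabled` saying it is keyed by outgoing interface would also help.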
@@ -266,11 +268,21 @@ sub generate_sdn_config {
$enable_forward_v4 = 1 if $gateway;
}
- if ($subnet->{snat}) {
+ #find outgoing interface
+ my ($outip, $outiface) =
+ PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
+
+ if ($outiface && $enable_forward_v6 && !($force_forward_enabled->{$outiface})) {
+ push @iface_config,
+ "post-up echo 1 > /proc/sys/net/ipv6/conf/$outiface/force_forwarding";
+ push @iface_config,
+ "post-down echo 0 > /proc/sys/net/ipv6/conf/$outiface/force_forwarding";
+ push @iface_config, "post-up echo 1 > /proc/sys/net/ipv6/conf/$vnet/force_forwarding";
+ push @iface_config, "post-down echo 0 > /proc/sys/net/ipv6/conf/$vnet/force_forwarding";
+ $force_forward_enabled->{$outiface} = 1;
+ }
- #find outgoing interface
- my ($outip, $outiface) =
- PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
+ if ($subnet->{snat}) {
if ($outip && $outiface && $is_evpn_gateway) {
#use snat, faster than masquerade
push @iface_config,
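Review bot: the `post-down echo 0 > /proc/sys/net/ipv6/conf/$outiface/force_forwarding` line is attached to the VNet stanza, so taking one VNet down resets forwarding on the outgoing interface even when other VNets sharing it are still up; `$force_forward_enabled` only deduplicates within this one `generate_sdn_config` call. Consider managing only `$vnet` here and leaving the reset of `$outiface` to a place that knows all of its users. Two smaller points in the same block: the guard tests `$enable_forward_v6`, which is declared before the loop and so stays true for any later subnet whatever its address family, and `get_local_route_ip($checkrouteip)` now runs for every subnet instead of only those with `snat`; if both are intended, say so in the commit message.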
diff --git a/src/test/zones/evpn/exitnode_local_routing_ipv6/expected_sdn_interfaces b/src/test/zones/evpn/exitnode_local_routing_ipv6/expected_sdn_interfaces
index b46d4e7..e620e15 100644
--- a/src/test/zones/evpn/exitnode_local_routing_ipv6/expected_sdn_interfaces
+++ b/src/test/zones/evpn/exitnode_local_routing_ipv6/expected_sdn_interfaces
@@ -3,6 +3,10 @@
auto myvnet
iface myvnet
address 2a08:2142:302:3::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
bridge_ports vxlan_myvnet
bridge_stp off
bridge_fd 0
diff --git a/src/test/zones/evpn/exitnode_snat/expected_sdn_interfaces b/src/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
index 0d7d174..bdd6dd3 100644
--- a/src/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
+++ b/src/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
@@ -18,6 +18,10 @@ iface myvnet
auto myvnet2
iface myvnet2
address 2a08:2142:302:3::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet2/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet2/force_forwarding
post-up ip6tables -t nat -A POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 2001:db8::2
post-down ip6tables -t nat -D POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 2001:db8::2
post-up ip6tables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
diff --git a/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces b/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces
index 4bf5ccf..557ccd3 100644
--- a/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces
+++ b/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces
@@ -6,6 +6,10 @@ iface myvnet
address 192.168.0.1/24
address 192.168.10.1/24
address 2b0f:1480:4000:6000::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
address 2b0f:1480:4000:8000::1/64
address 2b0f:1480::1/64
bridge_ports vxlan_myvnet
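Review bot: the four force_forwarding lines land in the middle of the address list, between `address 2b0f:1480:4000:6000::1/64` and `address 2b0f:1480:4000:8000::1/64`, because they are pushed while iterating over subnets. Collecting them during the loop and appending them once after it would keep the addresses together and make the generated stanza easier to read and diff.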
diff --git a/src/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces b/src/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
index 7a5d741..fcff2ba 100644
--- a/src/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
+++ b/src/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
@@ -4,6 +4,10 @@ auto myvnet
iface myvnet
address 10.0.0.1/24
address 2a08:2142:302:3::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
hwaddress A2:1D:CB:1A:C0:8B
bridge_ports vxlan_myvnet
bridge_stp off
diff --git a/src/test/zones/evpn/ipv6/expected_sdn_interfaces b/src/test/zones/evpn/ipv6/expected_sdn_interfaces
index b2bdbfe..2ab9bf9 100644
--- a/src/test/zones/evpn/ipv6/expected_sdn_interfaces
+++ b/src/test/zones/evpn/ipv6/expected_sdn_interfaces
@@ -3,6 +3,10 @@
auto myvnet
iface myvnet
address 2a08:2142:302:3::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
hwaddress A2:1D:CB:1A:C0:8B
bridge_ports vxlan_myvnet
bridge_stp off
diff --git a/src/test/zones/evpn/ipv6underlay/expected_sdn_interfaces b/src/test/zones/evpn/ipv6underlay/expected_sdn_interfaces
index 3b91f75..624f38a 100644
--- a/src/test/zones/evpn/ipv6underlay/expected_sdn_interfaces
+++ b/src/test/zones/evpn/ipv6underlay/expected_sdn_interfaces
@@ -3,6 +3,10 @@
auto myvnet
iface myvnet
address 2a08:2142:302:3::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
hwaddress A2:1D:CB:1A:C0:8B
bridge_ports vxlan_myvnet
bridge_stp off
--
2.47.3
* [PATCH network 2/4] sdn: simple: enable force_forwarding for ipv6 forwarding to subnets
From: Lukas Sichert @ 2026-06-01 15:15 UTC (permalink / raw)
To: pve-devel; +Cc: Lukas Sichert
Simple zones can route ipv6 subnet traffic through a VNet bridge. Until
now, this depended on global ipv6 forwarding state, which also changes
Router Advertisement handling for the whole host.
Use the per-interface 'force_forwarding' setting instead. For ipv6
subnets that need forwarding, generate post-up/post-down commands for
both the VNet interface and the outgoing interface. Track interfaces
that already received 'force_forwarding' commands to avoid duplicates
when multiple subnets share the same outgoing path.
Update the expected SDN interface output in the zone tests accordingly.
Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
---
src/PVE/Network/SDN/Zones/SimplePlugin.pm | 20 +++++++++++++++----
.../simple/ipv4v6/expected_sdn_interfaces | 4 ++++
.../simple/ipv6snat/expected_sdn_interfaces | 4 ++++
3 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/src/PVE/Network/SDN/Zones/SimplePlugin.pm b/src/PVE/Network/SDN/Zones/SimplePlugin.pm
index f5cd18e..acc482c 100644
--- a/src/PVE/Network/SDN/Zones/SimplePlugin.pm
+++ b/src/PVE/Network/SDN/Zones/SimplePlugin.pm
@@ -80,11 +80,13 @@ sub generate_sdn_config {
my $ipv6 = undef;
my $enable_forward_v4 = undef;
my $enable_forward_v6 = undef;
+ my $force_forward_enabled = {};
foreach my $subnetid (sort keys %{$subnets}) {
my $subnet = $subnets->{$subnetid};
my $cidr = $subnet->{cidr};
my $mask = $subnet->{mask};
+ my $vnet = $subnet->{vnet};
my $gateway = $subnet->{gateway};
if ($gateway) {
@@ -108,12 +110,23 @@ sub generate_sdn_config {
$enable_forward_v4 = 1 if $gateway;
}
+ #find outgoing interface
+ my ($outip, $outiface) =
+ PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
+
+ if ($outiface && $enable_forward_v6 && !($force_forward_enabled->{$outiface})) {
+ push @iface_config,
+ "post-up echo 1 > /proc/sys/net/ipv6/conf/$outiface/force_forwarding";
+ push @iface_config,
+ "post-down echo 0 > /proc/sys/net/ipv6/conf/$outiface/force_forwarding";
+ push @iface_config, "post-up echo 1 > /proc/sys/net/ipv6/conf/$vnet/force_forwarding";
+ push @iface_config, "post-down echo 0 > /proc/sys/net/ipv6/conf/$vnet/force_forwarding";
+ $force_forward_enabled->{$outiface} = 1;
+ }
+
#add route for /32 pointtopoint
push @iface_config, "up ip route add $cidr dev $vnetid" if $mask == 32 && $ipversion == 4;
if ($subnet->{snat}) {
- #find outgoing interface
- my ($outip, $outiface) =
- PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
if ($outip && $outiface) {
#use snat, faster than masquerade
push @iface_config,
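Review bot: the added block is a line-for-line copy of the one added to EvpnPlugin.pm in patch 1/4, including the `$outiface`-keyed deduplication; a shared helper next to `get_local_route_ip` in `PVE::Network::SDN::Zones::Plugin` would keep the two zone plugins from drifting apart. The new paths also use `$vnet` while the neighbouring context line uses `$vnetid` (`up ip route add $cidr dev $vnetid`); pick one name for the same interface.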
@@ -141,7 +154,6 @@ sub generate_sdn_config {
push @iface_config, "alias $alias" if $alias;
push @iface_config, "ip-forward on" if $enable_forward_v4;
push @iface_config, "ip6-forward on" if $enable_forward_v6;
-
push @{ $config->{$vnetid} }, @iface_config;
return $config;
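Review bot: the only change in this hunk is dropping the blank line before `push @{ $config->{$vnetid} }, @iface_config;`, which is unrelated to force_forwarding and should be left out of the patch. Separately, the context keeps `ip6-forward on` for `$enable_forward_v6`; the commit message should state whether that attribute is still wanted next to the new force_forwarding hooks.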
diff --git a/src/test/zones/simple/ipv4v6/expected_sdn_interfaces b/src/test/zones/simple/ipv4v6/expected_sdn_interfaces
index 34ed5db..cd19fda 100644
--- a/src/test/zones/simple/ipv4v6/expected_sdn_interfaces
+++ b/src/test/zones/simple/ipv4v6/expected_sdn_interfaces
@@ -4,6 +4,10 @@ auto myvnet
iface myvnet
address 192.168.0.1/24
address 2a08:2142:302:3::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
bridge_ports none
bridge_stp off
bridge_fd 0
diff --git a/src/test/zones/simple/ipv6snat/expected_sdn_interfaces b/src/test/zones/simple/ipv6snat/expected_sdn_interfaces
index 5f6d40b..f426774 100644
--- a/src/test/zones/simple/ipv6snat/expected_sdn_interfaces
+++ b/src/test/zones/simple/ipv6snat/expected_sdn_interfaces
@@ -3,6 +3,10 @@
auto myvnet
iface myvnet
address 2a08:2142:302:3::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
post-up ip6tables -t nat -A POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 2001:db8::2
post-down ip6tables -t nat -D POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 2001:db8::2
post-up ip6tables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
--
2.47.3
* [PATCH perl-rs 3/4] fabrics: openfabric: enable force_forwarding for ipv6 transit traffic
From: Lukas Sichert @ 2026-06-01 15:15 UTC (permalink / raw)
To: pve-devel; +Cc: Lukas Sichert
In a non-full-mesh OpenFabric setup, nodes may need to relay traffic
between peers that are not directly connected. This requires forwarding
ipv6 packets between fabric bridges. With the addition of
'force_forwarding' to the Linux kernel, this can be done without
enabling 'all.forwarding', which disables Router Advertisements.
Configure fabric bridges with the required 'post-up'/'post-down'
commands to enable 'force_forwarding'.
Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
---
pve-rs/src/bindings/sdn/fabrics.rs | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/pve-rs/src/bindings/sdn/fabrics.rs b/pve-rs/src/bindings/sdn/fabrics.rs
index f96b6b1..785b537 100644
--- a/pve-rs/src/bindings/sdn/fabrics.rs
+++ b/pve-rs/src/bindings/sdn/fabrics.rs
@@ -596,6 +596,16 @@ pub mod pve_rs_sdn_fabrics {
writeln!(interface, "\tlink-type {link_type}")?;
}
writeln!(interface, "\tip-forward 1")?;
+ if cidr.is_ipv6() {
+ writeln!(
+ interface,
+ "\tpost-up echo 1 > /proc/sys/net/ipv6/conf/{name}/force_forwarding"
+ )?;
+ writeln!(
+ interface,
+ "\tpost-down echo 0 > /proc/sys/net/ipv6/conf/{name}/force_forwarding"
+ )?;
+ }
Ok(interface)
}
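Review bot: the `post-up echo 1 > /proc/sys/net/ipv6/conf/{name}/force_forwarding` line assumes the sysctl file exists; on a kernel without the force_forwarding patch referenced in the cover letter the redirect fails and the post-up command returns an error. Either guard the write by testing for the file first, or document the minimum kernel version. A short comment above `if cidr.is_ipv6()` explaining why this is needed in addition to `ip-forward 1` would help the next reader.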
--
2.47.3
* [PATCH docs 4/4] sdn: drop global IPv6 forwarding workaround from OpenFabric docs
From: Lukas Sichert @ 2026-06-01 15:15 UTC (permalink / raw)
To: pve-devel; +Cc: Lukas Sichert
OpenFabric fabrics with IPv6 need forwarding on transit nodes so packets
can be relayed between peers that are not directly connected.
Drop the old recommendation to enable host-wide
net.ipv6.conf.all.forwarding from the documentation. The generated fabric
interface configuration now handles the required forwarding setup, so the
manual global forwarding workaround is no longer needed.
Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
---
pvesdn.adoc | 18 +++---------------
1 file changed, 3 insertions(+), 15 deletions(-)
diff --git a/pvesdn.adoc b/pvesdn.adoc
index d20a0eb..ac7240c 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -605,22 +605,10 @@ Notes on IPv6
^^^^^^^^^^^^^
IPv6 is currently only usable on OpenFabric fabrics. These IPv6 Fabrics need
-global IPv6 forwarding enabled on all nodes contained in the fabric. Without
+IPv6 forwarding enabled on all transit nodes contained in the fabric. Without
IPv6 forwarding, non-full-mesh fabrics won't work because the transit nodes
-don't forward packets to the outer nodes. Currently there isn't an easy way to
-enable IPv6 forwarding per-interface like with IPv4, so it has to be enabled
-globally. This can be accomplished by appending this line:
-
-----
-post-up sysctl -w net.ipv6.conf.all.forwarding=1
-----
-
-to a fabric interface in the `/etc/network/interfaces` file. This will enable
-IPv6 forwarding globally once that interface comes up. Note that this affects
-how your interfaces handle automatic IPv6 setup (SLAAC), Neighbour
-Advertisements, Router Solicitations, and Router Advertisements. More details
-here: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt under
-`net.ipv6.conf.all.forwarding`.
+don't forward packets to the outer nodes. IPv6 fowarding is enabled per default
+on the necessary interfaces.
[[pvesdn_openfabric]]
OpenFabric
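Review bot: typo in the added line `IPv6 fowarding is enabled per default`: it should read "forwarding", and "by default" is the usual phrasing. The replacement text also removes the old paragraph's explanation of how forwarding interacts with SLAAC and Router Advertisements without naming what replaces the workaround; mention `force_forwarding` so readers can find the setting.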
--
2.47.3
* Re: [PATCH docs 4/4] sdn: drop global IPv6 forwarding workaround from OpenFabric docs
From: Gabriel Goller @ 2026-06-02 9:01 UTC (permalink / raw)
To: Lukas Sichert; +Cc: pve-devel
On 01.06.2026 17:15, Lukas Sichert wrote:
> OpenFabric fabrics with IPv6 need forwarding on transit nodes so packets
> can be relayed between peers that are not directly connected.
>
> Drop the old recommendation to enable host-wide
> net.ipv6.conf.all.forwarding from the documentation. The generated fabric
> interface configuration now handles the required forwarding setup, so the
> manual global forwarding workaround is no longer needed.
>
> Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
> ---
> pvesdn.adoc | 18 +++---------------
> 1 file changed, 3 insertions(+), 15 deletions(-)
>
> diff --git a/pvesdn.adoc b/pvesdn.adoc
> index d20a0eb..ac7240c 100644
> --- a/pvesdn.adoc
> +++ b/pvesdn.adoc
> @@ -605,22 +605,10 @@ Notes on IPv6
> ^^^^^^^^^^^^^
>
> IPv6 is currently only usable on OpenFabric fabrics. These IPv6 Fabrics need
> -global IPv6 forwarding enabled on all nodes contained in the fabric. Without
> +IPv6 forwarding enabled on all transit nodes contained in the fabric. Without
> IPv6 forwarding, non-full-mesh fabrics won't work because the transit nodes
> -don't forward packets to the outer nodes. Currently there isn't an easy way to
> -enable IPv6 forwarding per-interface like with IPv4, so it has to be enabled
> -globally. This can be accomplished by appending this line:
> -
> -----
> -post-up sysctl -w net.ipv6.conf.all.forwarding=1
> -----
> -
> -to a fabric interface in the `/etc/network/interfaces` file. This will enable
> -IPv6 forwarding globally once that interface comes up. Note that this affects
> -how your interfaces handle automatic IPv6 setup (SLAAC), Neighbour
> -Advertisements, Router Solicitations, and Router Advertisements. More details
> -here: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt under
> -`net.ipv6.conf.all.forwarding`.
> +don't forward packets to the outer nodes. IPv6 fowarding is enabled per default
> +on the necessary interfaces.
>
> [[pvesdn_openfabric]]
> OpenFabric
> --
I'd mention here somewhere that `force_forwarding` is used (and maybe link to
the kernel docs).
* Re: [PATCH perl-rs 3/4] fabrics: openfabric: enable force_forwarding for ipv6 transit traffic
From: Gabriel Goller @ 2026-06-02 9:03 UTC (permalink / raw)
To: Lukas Sichert; +Cc: pve-devel
On 01.06.2026 17:15, Lukas Sichert wrote:
> In a non-full-mesh OpenFabric setup, nodes may need to relay traffic
> between peers that are not directly connected. This requires forwarding
> ipv6 packets between fabric bridges. With the addition of
> 'force_forwarding' to the Linux kernel, this can be done without
> enabling 'all.forwarding', which disables Router Advertisements.
>
> Configure fabric bridges with the required 'post-up'/'post-down'
> commands to enable 'force_forwarding'.
>
> Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
> ---
> pve-rs/src/bindings/sdn/fabrics.rs | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/pve-rs/src/bindings/sdn/fabrics.rs b/pve-rs/src/bindings/sdn/fabrics.rs
> index f96b6b1..785b537 100644
> --- a/pve-rs/src/bindings/sdn/fabrics.rs
> +++ b/pve-rs/src/bindings/sdn/fabrics.rs
> @@ -596,6 +596,16 @@ pub mod pve_rs_sdn_fabrics {
> writeln!(interface, "\tlink-type {link_type}")?;
> }
> writeln!(interface, "\tip-forward 1")?;
> + if cidr.is_ipv6() {
> + writeln!(
> + interface,
> + "\tpost-up echo 1 > /proc/sys/net/ipv6/conf/{name}/force_forwarding"
> + )?;
> + writeln!(
> + interface,
> + "\tpost-down echo 0 > /proc/sys/net/ipv6/conf/{name}/force_forwarding"
> + )?;
> + }
>
> Ok(interface)
> }
The bgp fabric also needs force_forwarding AFAIK. @Hannes?
Also I just noticed on the bgp fabric we put ipv6 addresses in ifupdown2 inet
blocks (instead of inet6) -- shouldn't cause any problems though.
* Re: [PATCH perl-rs 3/4] fabrics: openfabric: enable force_forwarding for ipv6 transit traffic
From: Hannes Laimer @ 2026-06-02 9:11 UTC (permalink / raw)
To: Lukas Sichert, pve-devel
On 2026-06-02 11:02, Gabriel Goller wrote:
> On 01.06.2026 17:15, Lukas Sichert wrote:
>> In a non-full-mesh OpenFabric setup, nodes may need to relay traffic
>> between peers that are not directly connected. This requires forwarding
>> ipv6 packets between fabric bridges. With the addition of
>> 'force_forwarding' to the Linux kernel, this can be done without
>> enabling 'all.forwarding', which disables Router Advertisements.
>>
>> Configure fabric bridges with the required 'post-up'/'post-down'
>> commands to enable 'force_forwarding'.
>>
>> Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
>> ---
>> pve-rs/src/bindings/sdn/fabrics.rs | 10 ++++++++++
>> 1 file changed, 10 insertions(+)
>>
>> diff --git a/pve-rs/src/bindings/sdn/fabrics.rs b/pve-rs/src/bindings/sdn/fabrics.rs
>> index f96b6b1..785b537 100644
>> --- a/pve-rs/src/bindings/sdn/fabrics.rs
>> +++ b/pve-rs/src/bindings/sdn/fabrics.rs
>> @@ -596,6 +596,16 @@ pub mod pve_rs_sdn_fabrics {
>> writeln!(interface, "\tlink-type {link_type}")?;
>> }
>> writeln!(interface, "\tip-forward 1")?;
>> + if cidr.is_ipv6() {
>> + writeln!(
>> + interface,
>> + "\tpost-up echo 1 > /proc/sys/net/ipv6/conf/{name}/force_forwarding"
>> + )?;
>> + writeln!(
>> + interface,
>> + "\tpost-down echo 0 > /proc/sys/net/ipv6/conf/{name}/force_forwarding"
>> + )?;
>> + }
>>
>> Ok(interface)
>> }
>
> The bgp fabric also needs force_forwarding AFAIK. @Hannes?
yes, we also need it there, same thing
>
> Also I just noticed on the bgp fabric we put ipv6 addresses in ifupdown2 inet
> blocks (instead of inet6) -- shouldn't cause any problems though.
* superseded: [PATCH docs/network/perl-rs 0/4] sdn: enable force_forwarding for ipv6 forwarding
From: Lukas Sichert @ 2026-06-03 15:25 UTC (permalink / raw)
To: Lukas Sichert, pve-devel
superseded-by v2:
https://lore.proxmox.com/all/20260603142921.91174-1-l.sichert@proxmox.com/