From: Lukas Sichert <l.sichert@proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Lukas Sichert <l.sichert@proxmox.com>
Subject: [PATCH network 1/4] sdn: evpn: enable force_forwarding for ipv6 forwarding to subnets
Date: Mon, 1 Jun 2026 17:15:43 +0200 [thread overview]
Message-ID: <20260601151550.118977-2-l.sichert@proxmox.com> (raw)
In-Reply-To: <20260601151550.118977-1-l.sichert@proxmox.com>
EVPN zones can route IPv6 subnet traffic through a VNet and an outgoing
interface. Until now, this depended on global IPv6 forwarding state,
which also changes Router Advertisement handling for the whole host.
Use the per-interface 'force_forwarding' setting instead. For IPv6
subnets that need forwarding, generate post-up/post-down commands for
both the VNet interface and the outgoing interface. Track interfaces
that already received 'force_forwarding' commands to avoid duplicates
when multiple subnets share the same outgoing path. Update the expected
SDN interface output in the zone tests accordingly.
Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
---
src/PVE/Network/SDN/Zones/EvpnPlugin.pm | 20 +++++++++++++++----
.../expected_sdn_interfaces | 4 ++++
.../exitnode_snat/expected_sdn_interfaces | 4 ++++
.../exitnodenullroute/expected_sdn_interfaces | 4 ++++
.../evpn/ipv4ipv6/expected_sdn_interfaces | 4 ++++
.../zones/evpn/ipv6/expected_sdn_interfaces | 4 ++++
.../evpn/ipv6underlay/expected_sdn_interfaces | 4 ++++
7 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
index dfbd7e9..7622457 100644
--- a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
+++ b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -238,11 +238,13 @@ sub generate_sdn_config {
my $ipv6 = undef;
my $enable_forward_v4 = undef;
my $enable_forward_v6 = undef;
+ my $force_forward_enabled = {};
my $subnets = PVE::Network::SDN::Vnets::get_subnets($vnetid, 1);
foreach my $subnetid (sort keys %{$subnets}) {
my $subnet = $subnets->{$subnetid};
my $cidr = $subnet->{cidr};
my $mask = $subnet->{mask};
+ my $vnet = $subnet->{vnet};
my $gateway = $subnet->{gateway};
if ($gateway) {
@@ -266,11 +268,21 @@ sub generate_sdn_config {
$enable_forward_v4 = 1 if $gateway;
}
- if ($subnet->{snat}) {
+ #find outgoing interface
+ my ($outip, $outiface) =
+ PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
+
+ if ($outiface && $enable_forward_v6 && !($force_forward_enabled->{$outiface})) {
+ push @iface_config,
+ "post-up echo 1 > /proc/sys/net/ipv6/conf/$outiface/force_forwarding";
+ push @iface_config,
+ "post-down echo 0 > /proc/sys/net/ipv6/conf/$outiface/force_forwarding";
+ push @iface_config, "post-up echo 1 > /proc/sys/net/ipv6/conf/$vnet/force_forwarding";
+ push @iface_config, "post-down echo 0 > /proc/sys/net/ipv6/conf/$vnet/force_forwarding";
+ $force_forward_enabled->{$outiface} = 1;
+ }
- #find outgoing interface
- my ($outip, $outiface) =
- PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
+ if ($subnet->{snat}) {
if ($outip && $outiface && $is_evpn_gateway) {
#use snat, faster than masquerade
push @iface_config,
diff --git a/src/test/zones/evpn/exitnode_local_routing_ipv6/expected_sdn_interfaces b/src/test/zones/evpn/exitnode_local_routing_ipv6/expected_sdn_interfaces
index b46d4e7..e620e15 100644
--- a/src/test/zones/evpn/exitnode_local_routing_ipv6/expected_sdn_interfaces
+++ b/src/test/zones/evpn/exitnode_local_routing_ipv6/expected_sdn_interfaces
@@ -3,6 +3,10 @@
auto myvnet
iface myvnet
address 2a08:2142:302:3::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
bridge_ports vxlan_myvnet
bridge_stp off
bridge_fd 0
diff --git a/src/test/zones/evpn/exitnode_snat/expected_sdn_interfaces b/src/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
index 0d7d174..bdd6dd3 100644
--- a/src/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
+++ b/src/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
@@ -18,6 +18,10 @@ iface myvnet
auto myvnet2
iface myvnet2
address 2a08:2142:302:3::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet2/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet2/force_forwarding
post-up ip6tables -t nat -A POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 2001:db8::2
post-down ip6tables -t nat -D POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 2001:db8::2
post-up ip6tables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
diff --git a/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces b/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces
index 4bf5ccf..557ccd3 100644
--- a/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces
+++ b/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces
@@ -6,6 +6,10 @@ iface myvnet
address 192.168.0.1/24
address 192.168.10.1/24
address 2b0f:1480:4000:6000::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
address 2b0f:1480:4000:8000::1/64
address 2b0f:1480::1/64
bridge_ports vxlan_myvnet
diff --git a/src/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces b/src/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
index 7a5d741..fcff2ba 100644
--- a/src/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
+++ b/src/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
@@ -4,6 +4,10 @@ auto myvnet
iface myvnet
address 10.0.0.1/24
address 2a08:2142:302:3::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
hwaddress A2:1D:CB:1A:C0:8B
bridge_ports vxlan_myvnet
bridge_stp off
diff --git a/src/test/zones/evpn/ipv6/expected_sdn_interfaces b/src/test/zones/evpn/ipv6/expected_sdn_interfaces
index b2bdbfe..2ab9bf9 100644
--- a/src/test/zones/evpn/ipv6/expected_sdn_interfaces
+++ b/src/test/zones/evpn/ipv6/expected_sdn_interfaces
@@ -3,6 +3,10 @@
auto myvnet
iface myvnet
address 2a08:2142:302:3::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
hwaddress A2:1D:CB:1A:C0:8B
bridge_ports vxlan_myvnet
bridge_stp off
diff --git a/src/test/zones/evpn/ipv6underlay/expected_sdn_interfaces b/src/test/zones/evpn/ipv6underlay/expected_sdn_interfaces
index 3b91f75..624f38a 100644
--- a/src/test/zones/evpn/ipv6underlay/expected_sdn_interfaces
+++ b/src/test/zones/evpn/ipv6underlay/expected_sdn_interfaces
@@ -3,6 +3,10 @@
auto myvnet
iface myvnet
address 2a08:2142:302:3::1/64
+ post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/vmbr0/force_forwarding
+ post-up echo 1 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
+ post-down echo 0 > /proc/sys/net/ipv6/conf/myvnet/force_forwarding
hwaddress A2:1D:CB:1A:C0:8B
bridge_ports vxlan_myvnet
bridge_stp off
--
2.47.3
next prev parent reply other threads:[~2026-06-01 15:16 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-01 15:15 [PATCH docs/network/perl-rs 0/4] sdn: enable force_forwarding for ipv6 forwarding Lukas Sichert
2026-06-01 15:15 ` Lukas Sichert [this message]
2026-06-01 15:15 ` [PATCH network 2/4] sdn: simple: enable force_forwarding for ipv6 forwarding to subnets Lukas Sichert
2026-06-01 15:15 ` [PATCH perl-rs 3/4] fabrics: openfabric: enable force_forwarding for ipv6 transit traffic Lukas Sichert
2026-06-02 9:03 ` Gabriel Goller
2026-06-02 9:11 ` Hannes Laimer
2026-06-01 15:15 ` [PATCH docs 4/4] sdn: drop global IPv6 forwarding workaround from OpenFabric docs Lukas Sichert
2026-06-02 9:01 ` Gabriel Goller
2026-06-03 15:25 ` superseded: [PATCH docs/network/perl-rs 0/4] sdn: enable force_forwarding for ipv6 forwarding Lukas Sichert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260601151550.118977-2-l.sichert@proxmox.com \
--to=l.sichert@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox