problem with ip-forwarding after migration to suse-11.2

Ethernet configuration:

  • eth0 private net
  • eth1 internet

eth1 is connected to a cable modem and uses dhcp. After migrating to suse-11.2 ip-forwarding (once the system is up and running) is sometimes deactivated and i have no clue why. /etc/syslog.conf has an entry

net.ipv4.ip_forwarding = 1

i have modified the SuSE-scripts

/sbin/SuSEfirewall
/sbin/ifup-dhcp
/etc/init.d/SuSEfirewall2_setup

to make sure each time my firewall-rules are loaded ip-forwarding is explicitly enabled. This worked perfectly with suse-11.0. Now ip-forwarding is enabled after a system reboot or after one of the above scripts is called, but somewhere somehow ip-forwarding is always deactivated and i have no idea how this happens. This may happen after 5 minutes or after 5 hours.
As a workaround i created a cronjob running every 5 minutes issuing a sysctl-command to enable ip-forwarding.

Not sure about all the places you need to make changes manually. So, why don’t you set it via Yast?

I have a quite complicated ruleset which cannot be configured using yast (actually i have 4 ethernet devices and thus four networks).

That is OK, you don’t have to use Yast for firewall set up. But, you can use Yast (Network Devices -> Network Settings) to enable IP forwarding.

And that is the tricky part: it is activated within yast. The problem is that once the system is up and running, this setting will be overridden eventually - this may happen after 5 minutes or after several hours. I assume this is somehow connected with the suse dhcp scripts. What i do not understand is how, when and why the original setting for ip-forwarding is overridden. The log files are not helping because i can’t find anything there.

When it ‘auto’-disables ip-forwarding can you please check:

cat /proc/sys/net/ipv4/ip_forward

? This should return ‘1’. In 11.2 ip_forward is set by /etc/init.d/boot.ipconfig:

   #
   # Enable IP forwarding ?
   #
   if test -e /proc/sys/net/ipv4/ip_forward -a -n "$IP_FORWARD" ; then
    case $IP_FORWARD in
      yes)
        echo -n "Enabling IP forwarding"
        echo "1" > /proc/sys/net/ipv4/ip_forward
      ;;
      *)
        echo -n "Disabling IP forwarding"
        echo "0" > /proc/sys/net/ipv4/ip_forward
      ;;
    esac
    rc_status -v -r
   fi

Anything in your setup which does change this inadvertently?

I understand all this. The boot scripts or yast-configurations are not the problem - ip-forwarding is active after system reboot, change of runlevel or explicit call of the above mentioned (modified) suse-scripts. The problem is that while the system is running (may take a few hours) all of a sudden ip-forwarding is turned off and i don’t know what causes this.

Nor do I. But it would be very helpful to know, when forwarding has stopped, if ip_forward is actually turned off in the kernel, or if the setting remains unchanged. In the first case it would mean to search what is turning it off (could still be the kernel itself) but in the second case a kernel bug is more likely.

ip-forwarding is really turned off, i checked it with

sysctl net.ipv4.ipforwarding

i can turn it on again with

sysctl -w net.ipv4.ipforwarding=1

but this is always a temporary solution. Like i said, at some point in time ip-forwarding will be turned off again, even if it takes a few hours.

of course i mean net.ipv4.ip_forward :wink:
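
The thread turns on when the kernel value actually flips to 0, so the following is an added example (not part of any poster's message, and not a SuSE script) that records each change of ip_forward with a timestamp for matching against DHCP lease renewals in the system log. The function names, the `--watch` argument and the `ipfwd-watch` log tag are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: log every change of ip_forward with a timestamp.
# Names, the --watch argument and the log tag are assumptions.

FWD_FILE="${FWD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# Print the current value of the given file, or "?" if it cannot be read.
read_fwd() {
    cat "$1" 2>/dev/null || echo "?"
}

# Compare old and new value. On a change, print a timestamped record and
# return 0; when nothing changed, print nothing and return 1.
check_transition() {
    old="$1"; new="$2"
    [ "$old" = "$new" ] && return 1
    echo "$(date '+%Y-%m-%d %H:%M:%S') ip_forward $old -> $new"
    return 0
}

# Poll the file every $2 seconds (default 5) and send each change to syslog.
watch_fwd() {
    file="$1"; interval="${2:-5}"
    prev=$(read_fwd "$file")
    while sleep "$interval"; do
        cur=$(read_fwd "$file")
        if msg=$(check_transition "$prev" "$cur"); then
            logger -t ipfwd-watch "$msg"
            # Most recently started processes at the time of the change:
            # candidates for the writer (a short-lived one may already be gone).
            ps -eo lstart,pid,args --sort=-start_time | head -n 15 |
                logger -t ipfwd-watch
        fi
        prev="$cur"
    done
}

# Only start polling when asked to, e.g.:  ./ipfwd-watch.sh --watch 5
if [ "${1:-}" = "--watch" ]; then
    watch_fwd "$FWD_FILE" "${2:-5}"
fi
```

A shorter interval narrows the window between the write and the process snapshot; the timestamps can then be compared with the dhcp client's entries in the system log.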