From d918dace95cdaa6f2c5ad73a93c4bf0888dcc978 Mon Sep 17 00:00:00 2001
From: Stefan Agner
Date: Thu, 19 Mar 2026 13:00:10 +0100
Subject: [PATCH] Drop explicit IPv6 forwarding sysctl (#4589)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove net.ipv6.conf.all.forwarding=1 from 60-otbr-ip-forward.conf and rely on Docker to enable IPv6 forwarding instead, just as we already rely on it for IPv4 forwarding (needed for NAT64 in OTBR).

When this sysctl was added (d9ec60316), Docker did not enable IPv6 by default. Since Docker 27 (April 2024), IPv6 support — including ip6tables — is enabled by default, and Docker enables IPv6 forwarding at startup just like it does for IPv4.

Importantly, when Docker enables forwarding itself (rather than finding it already on), it also sets the FORWARD chain policy to DROP as a safety measure. Pre-enabling the sysctl prevents this, leaving the IPv6 FORWARD chain at ACCEPT. By removing our sysctl, we get the same protective DROP policy for IPv6 that we already benefit from for IPv4.

--- .../rootfs-overlay/usr/lib/sysctl.d/60-otbr-ip-forward.conf | 1 - 1 file changed, 1 deletion(-) delete mode 100644 buildroot-external/rootfs-overlay/usr/lib/sysctl.d/60-otbr-ip-forward.conf diff --git a/buildroot-external/rootfs-overlay/usr/lib/sysctl.d/60-otbr-ip-forward.conf b/buildroot-external/rootfs-overlay/usr/lib/sysctl.d/60-otbr-ip-forward.conf deleted file mode 100644 index ebddeaa66..000000000 --- a/buildroot-external/rootfs-overlay/usr/lib/sysctl.d/60-otbr-ip-forward.conf +++ /dev/null @@ -1 +0,0 @@ -net.ipv6.conf.all.forwarding = 1
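
Review bot: Deleting `net.ipv6.conf.all.forwarding = 1`, the only line of 60-otbr-ip-forward.conf, leaves nothing in the tree that records the new dependency: IPv6 forwarding and the FORWARD policy of DROP now exist only when Docker itself enables forwarding at startup, which the commit message ties to Docker 27 and later with IPv6/ip6tables support left at its default. Suggest recording that minimum Docker version and the reliance on Docker's default where a maintainer would look for it, and adding a post-boot check or test that asserts the forwarding sysctl reads 1 and the ip6tables FORWARD policy is DROP once Docker is up, so a later change to the Docker configuration fails visibly rather than silently disabling routing or reverting to ACCEPT. The message also does not say which rules accept OTBR's routed IPv6 traffic once the policy is DROP; please confirm in the PR that the border router path was exercised with the new policy.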