Why linux kernel can't update ipv6 conf via netlink.


New Member
Nov 18, 2019
Reaction score
for example, we can enable ipv6 forwording via "sysctl -w net.ipv6.conf.default.forwarding=1" with priviledge=true in docker.
it can't update it with only net-admin.

I didn't understand what you mean and I think I'm not the only one.

What did you try to do exactly ?
it can't update it with only net-admin
never heard of "net-admin" to configure anything on linux. Can you give us more details ?
thanks for your reply.

In k8s container, the process is running without root priviledge. /proc/sys/net is read-only filesystem.
We can't update any conf under /proc/sys/net.

In detail, for ipv4, inet_set_link_af(net/ipv4/devinet.c) can update IFLA_INET_CONF attributes.
But for ipv6, inet6_set_link_af(net/ipv6/addrconf.c) can't update IFLA_INET6_CONF attributes.
What I understand is that you are trying to change some kernel parameters from inside a docker container.

You can't change the hosts kernel parameters from inside a container
Note: Not all sysctls are namespaced. Docker does not support changing sysctls inside of a container that also modify the host system. As the kernel evolves we expect to see more sysctls become namespaced.

You need to set the proper parameters on your host. You can also set some sysctl on the container itself, but the scope will be limited to the container itself.
$ docker run --sysctl net.ipv4.ip_forward=1 someimage

If it's about kubernetes (your said k8), there is some doc here : https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
  1. Open a terminal window.
  2. Change to the root user.
  3. Issue the command sysctl -w net. ipv6. conf. all. disable_ipv6=1.
  4. Issue the command sysctl -w net. ipv6. conf. default. disable_ipv6=1.