The DynDN.eS Blog

About DynDN.eS, eQmail, Gentoo & some other network stuff

Config file sysctl.conf overwrites sysctl.d

Yesterday I ran into one of those issues that drive me crazy. ;-) Especially as it was an unnecessary one. After updating my Gentoo system and rebooting it, routing didn't work anymore. My routing configuration is a bit complex, so to make a long story short: after digging a while I checked IPv4 forwarding. And what did I see - it was set to OFF, although it should be ON.

In /etc/sysctl.d/local.conf I have the following entry:

net.ipv4.ip_forward=1

I could swear that this was working and set correctly at the last reboot (roughly 3 months ago)!

Setting this parameter by hand is/was not an issue, but I wanted to know why this had happened. I restarted the sysctl service and saw:

 * WARNING: you are stopping a boot service
 * Caching service dependencies ...                                               [ ok ]
 * Configuring kernel parameters ...
* Applying /etc/sysctl.d/local.conf ...
net.ipv4.ip_forward = 1
* Applying /etc/sysctl.conf ...
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

My configuration was applied first and then overwritten! Because of Gentoo's CONFIG_PROTECT feature I never touch a config file as long as I can do all configuration in an /etc/*.d/ directory. These settings should override any other settings and not vice versa - like all other programs except sysctl do. Strangely, as far as I read, this is by design.

Workaround

I don't like to use a workaround, because it can never be a clean solution. But in this case it has to be. I created a file /etc/local.d/sysctl.start that runs at boot time:

/sbin/sysctl -p /etc/sysctl.d/local.conf

I didn't search for what had changed - as this was not important for me now. But I think it was the order in which the config files are read, not the config file itself. Maybe it is related to an OpenRC update.
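The overwrite above is silent: the boot log shows both values scroll past, but nothing tells you afterwards that a drop-in setting lost. As an added example (not from this blog or from Gentoo's sysctl service), here is a small POSIX shell check that parses /etc/sysctl.conf and /etc/sysctl.d/*.conf and reports every key that the drop-ins set but sysctl.conf sets to a different value, i.e. exactly the keys that end up wrong when sysctl.conf is applied last. The function name and the constructed sample files in demo_overrides are assumptions for illustration.

```shell
#!/bin/sh
# Report keys set in DROP_DIR/*.conf whose value differs from MAIN_CONF.
# When sysctl.conf is applied after sysctl.d (the ordering described in the
# post), each reported key silently ends up with the sysctl.conf value.
# Output: one line per conflict: KEY sysctl.d=VAL sysctl.conf=VAL
sysctl_overrides() {
    main_conf="${1:-/etc/sysctl.conf}"
    drop_dir="${2:-/etc/sysctl.d}"
    [ -r "$main_conf" ] || return 0
    # Collect readable drop-in files; bail out if there are none.
    set --
    for f in "$drop_dir"/*.conf; do [ -r "$f" ] && set -- "$@" "$f"; done
    [ $# -gt 0 ] || return 0
    # awk reads the drop-ins first, then the main file, and compares.
    # Lines look like "key = value" or "key=value"; '#' and ';' start comments.
    awk -v main="$main_conf" '
        function parse(line,   key, val) {
            sub(/[#;].*/, "", line)            # strip trailing comment
            if (line !~ /=/) return 0          # not a key=value line
            key = line; sub(/=.*/, "", key)
            val = line; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", key)   # trim whitespace
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            KEY = key; VAL = val
            return key != ""
        }
        FILENAME != main { if (parse($0)) dropin[KEY] = VAL; next }
        { if (parse($0) && (KEY in dropin) && dropin[KEY] != VAL)
              printf "%s sysctl.d=%s sysctl.conf=%s\n", KEY, dropin[KEY], VAL }
    ' "$@" "$main_conf"
}

# Constructed sample (not real system files): the drop-in enables forwarding,
# sysctl.conf disables it again, and one key agrees in both places.
demo_overrides() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/sysctl.d"
    printf 'net.ipv4.ip_forward=1\n# local routing box\nkernel.sysrq = 0\n' \
        > "$tmp/sysctl.d/local.conf"
    printf 'net.ipv4.ip_forward = 0\nnet.ipv4.conf.all.rp_filter = 1\nkernel.sysrq = 0\n' \
        > "$tmp/sysctl.conf"
    sysctl_overrides "$tmp/sysctl.conf" "$tmp/sysctl.d"
    rm -rf "$tmp"
}
```

Run demo_overrides to see the single conflicting key reported; running sysctl_overrides with no arguments checks the real /etc files, which is a quick thing to do after an update before rebooting.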

Update Nov. 2, 2017

I was reminded of this issue a few days ago. It still happens 2 years later, which forced me to dig a bit deeper. In /etc/sysctl.conf there is still the line

net.ipv4.ip_forward = 0

I don't understand why, because this is the kernel's default setting - there is no need to set it again. Now, you can edit /etc/sysctl.conf and change the value to 1. But I try to avoid doing this in general, because it creates extra work on updates with the CONFIG_PROTECT variable. The setting is a violation of the KISS principle - even if a relatively small one. It requires extra work to change it beyond what is usually needed, and it is outside the standard too - another sysadmin (maybe) has to spend time investigating to find the workaround.

The behavior is NOT a bug of sysctl but of Gentoo. I filed a bug at Gentoo, which was closed faster than I needed to file it, with a simple “worked for me”. Sure - if you don't have to enable (IPv4) routing. Perhaps it was my fault as I didn't use the correct description (which is always hard - you don't know how the reader interprets it). Using simpler, different wording: this setting has to be removed or disabled by default. However, I couldn't see any willingness to try to understand the issue if you have to enable (IPv4) routing, or for further discussion. Sure, most systems work without this, but not all. Weird?
