feat: add option to control ipv6 and ipv4 forwarding

defaults/main.yml

@@ -20,3 +20,6 @@ kernel_namespace_support_enabled: False
 kernel_coredump_enabled: True
 
 kernel_ipv6_enabled: False
+kernel_ipv6_forwarding_enabled: False
+
+kernel_ipv4_forwarding_enabled: False

molecule/rocky9/tests/test_default.py

@@ -1,4 +1,5 @@
 import os
+import pytest
 
 import testinfra.utils.ansible_runner
 
@@ -16,6 +17,16 @@ def test_sysctl_file(host):
     assert sysctl.mode == 0o644
 
 
+@pytest.mark.parametrize(
+    "name,value", [
+        ("net.ipv4.ip_forward", 0),
+        ("net.ipv6.conf.all.forwarding", 0),
+    ]
+)
+def test_sysctl_values(host, name, value):
+    assert host.sysctl(name) == value
+
+
 def test_modprobe_file(host):
     modprobe = host.file("/etc/modprobe.d/custom.conf")
 
@@ -31,9 +42,3 @@ def test_coredump_config(host):
     assert host.file("/etc/sysctl.d/dump.conf").exists
     assert host.file("/etc/security/limits.d/dump.conf").exists
     assert host.file("/etc/profile.d/dump.sh").exists
-
-
-def test_cgroup_config(host):
-    proc = host.run("mount -l | grep cgroup")
-
-    assert "cgroup2 on /sys/fs/cgroup type cgroup2" in proc.stdout

templates/etc/sysctl.d/local.conf.j2

@@ -64,7 +64,7 @@ net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
 
 # Don't act as a router
-net.ipv4.ip_forward = 0
+net.ipv4.ip_forward = {{ kernel_ipv4_forwarding_enabled | bool | ternary(1, 0, 0) }}
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
 
@@ -94,7 +94,7 @@ net.ipv6.conf.all.accept_source_route = 0
 net.ipv6.conf.default.accept_source_route = 0
 
 # Disable forwarding of IPv6
-net.ipv6.conf.all.forwarding = 0
+net.ipv6.conf.all.forwarding = {{ kernel_ipv6_forwarding_enabled | bool | ternary(1, 0, 0) }}
 {% endif %}
 {% if kernel_namespace_support_enabled | bool %}