> e.g. when a function checks ip_forwarding and then calls a 2nd function
> which also checks ip_forwarding then you can't ensure that both see the
> same value. This can be a very nasty footgun.

Wait wait.  So you are talking about two seperate sysctl(2) invocations?

That's not atomic.  There is no chance of it being atomic.  That is
not solveable.