From: Theo de Raadt <deraadt@cvs.openbsd.org>
Subject: Re: ip sysctl atomic
To: bluhm@openbsd.org, tech@openbsd.org
Date: Fri, 17 May 2024 13:35:44 -0600

>> e.g. when a function checks ip_forwarding and then calls a 2nd function
>> which also checks ip_forwarding then you can't ensure that both see the
>> same value. This can be a very nasty footgun.
>
>This is why I pass flags.  I think the other sysctl integers are
>independent.  But who knows, only net lock has no risk.  Everything
>else needs manual inspection of the packet path.

Kernel code must be able to deal with circumstances changing.  For example,
ip_forwarding.
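
The double-read concern and the "pass flags" approach discussed in this message, as an added user-space illustration (not OpenBSD kernel code and not part of the thread's patch). The names `PKT_FLAG_FORWARDING`, `between_stages` and the stage functions are hypothetical; the hook deterministically models a sysctl write landing between two checks.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the sysctl-controlled integer (assumption, not the kernel's definition). */
static atomic_int ip_forwarding;
#define PKT_FLAG_FORWARDING 0x1          /* hypothetical per-packet flag */

/* Test hook: models a sysctl write landing between the two stages. */
static void (*between_stages)(void);
static void sysctl_disable(void) { atomic_store(&ip_forwarding, 0); }

/* Pattern 1: each stage reads the global itself. */
static bool stage2_reread(void) { return atomic_load(&ip_forwarding) != 0; }
static bool input_reread(void)           /* true if both stages agreed */
{
	bool stage1 = atomic_load(&ip_forwarding) != 0;
	if (between_stages)
		between_stages();
	return stage1 == stage2_reread();
}

/* Pattern 2: read once, carry the decision down the call chain as flags. */
static int snapshot_flags(void)
{
	return atomic_load(&ip_forwarding) ? PKT_FLAG_FORWARDING : 0;
}
static bool stage2_flags(int flags) { return (flags & PKT_FLAG_FORWARDING) != 0; }
static bool input_flags(void)            /* true if both stages agreed */
{
	int flags = snapshot_flags();
	bool stage1 = (flags & PKT_FLAG_FORWARDING) != 0;
	if (between_stages)
		between_stages();
	return stage1 == stage2_flags(flags);
}

int main(void)
{
	between_stages = sysctl_disable;
	atomic_store(&ip_forwarding, 1);
	printf("re-read stages agree: %d\n", input_reread());
	atomic_store(&ip_forwarding, 1);
	printf("flag stages agree:    %d\n", input_flags());
	printf("next packet's flags:  %d\n", snapshot_flags());
	return 0;
}
```

Each individual load is atomic in both patterns; only the single snapshot keeps one packet's decisions consistent with each other, while the next packet still picks up the changed value.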