• Re: Disabling IPv6 by default when creating a new namespace in Linux

    From Dheeraj Kandula@21:1/5 to bjorn@mork.no on Tue Jun 7 19:10:01 2022
    Hi Bjørn
    Thanks for your reply. Are you suggesting that if I boot up the machine with "net.ipv6.conf.all.disable_ipv6=1" and "net.ipv6.conf.default.disable_ipv6=1", IPv6 should be disabled in newly created namespaces too.
    It doesn't work that way on my machine. Can you point me to the function
    that is used for creating a new namespace?

    Thanks
    Dheeraj

    On Tue, Jun 7, 2022 at 12:56 PM Bjørn Mork <bjorn@mork.no> wrote:

    Dheeraj Kandula <dkandula@gmail.com> writes:

    How do I disable IPv6 by default when a new namespace is created?

    Looking at the code, I see that the default for all namespaces will be
    taken from the ipv6 module parameter "disable_ipv6". This parameter is
    not writable and the ipv6 module is built-in, so you cannot change it
    after boot. But booting with "ipv6.disable_ipv6=1" on the command line should work.


    Bjørn



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Dheeraj Kandula@21:1/5 to All on Tue Jun 7 18:30:01 2022
    Hi All,
    I have been able to disable IPv6 globally by adding the following sysctls to the /etc/sysctl.conf file.

    net.ipv6.conf.all.disable_ipv6=1
    net.ipv6.conf.default.disable_ipv6=1

    When I boot up the machine (it is a VM actually), IPv6 is disabled. But
    when I create a new namespace, IPv6 is enabled by default. I added the following line to /etc/sysctl.conf file, but still IPv6 is enabled.

    net.core.devconf_inherit_init_net=1

    I tried with setting the value to 2 and 3 too. The default is 0. But IPv6
    was still enabled inside a newly created namespace.

    How do I disable IPv6 by default when a new namespace is created?

    *My requirement is to have IPv6 disabled globally and in newly created namespaces*. If the user wants to enable IPv6 in a specific namespace,
    he/she can do so with the following command


    *sudo nsenter --net=/var/run/netns/<namespace name> sysctl -w net.ipv6.conf.all.disable_ipv6=0*

    Dheeraj

  • From Dheeraj Kandula@21:1/5 to bjorn@mork.no on Tue Jun 7 19:30:01 2022
    On my system I see the following values:

    $cat /sys/module/ipv6/parameters/disable_ipv6

    0

    $ sudo sysctl net.ipv6.conf.all.disable_ipv6
    net.ipv6.conf.all.disable_ipv6 = 1

    $ sudo sysctl net.ipv6.conf.default.disable_ipv6
    net.ipv6.conf.default.disable_ipv6 = 1

    Are you suggesting that "cat /sys/module/ipv6/parameters/disable_ipv6"
    should be 1?

    Dheeraj


    On Tue, Jun 7, 2022 at 1:11 PM Bjørn Mork <bjorn@mork.no> wrote:

    Dheeraj Kandula <dkandula@gmail.com> writes:

    Thanks for your reply. Are you suggesting that if I boot up the machine with "net.ipv6.conf.all.disable_ipv6=1" and "net.ipv6.conf.default.disable_ipv6=1", IPv6 should be disabled in newly created namespaces too.

    No. But if you boot with "ipv6.disable_ipv6=1" then you should see

    grep . /sys/module/ipv6/parameters/disable_ipv6

    returning 1. This will be used as the default value of "net.ipv6.conf.default.disable_ipv6" for all namespaces. Including the default namespace.

    That's a lot of nested defaults ;-) Hope you get the meaning.


    Bjørn


  • From Marc Haber@21:1/5 to Dheeraj Kandula on Tue Jun 7 19:20:01 2022
    On Tue, Jun 07, 2022 at 12:24:39PM -0400, Dheeraj Kandula wrote:
    > *My requirement is to have IPv6 disabled globally and in newly created namespaces*

    Why do you deliberately cripple your system and force it to use legacy technology?

    Greetings
    Marc

    --
    -----------------------------------------------------------------------------
    Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
    Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
    Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

  • From Bjørn Mork@21:1/5 to Dheeraj Kandula on Tue Jun 7 19:30:01 2022
    Dheeraj Kandula <dkandula@gmail.com> writes:

    > Thanks for your reply. Are you suggesting that if I boot up the machine with "net.ipv6.conf.all.disable_ipv6=1" and "net.ipv6.conf.default.disable_ipv6=1", IPv6 should be disabled in newly created namespaces too.

    No. But if you boot with "ipv6.disable_ipv6=1" then you should see

    grep . /sys/module/ipv6/parameters/disable_ipv6

    returning 1. This will be used as the default value of "net.ipv6.conf.default.disable_ipv6" for all namespaces. Including the
    default namespace.

    That's a lot of nested defaults ;-) Hope you get the meaning.


    Bjørn

  • From Dheeraj Kandula@21:1/5 to All on Tue Jun 7 19:30:01 2022
    It is a requirement that I am working on. I can't reveal further details. Sorry.

    Dheeraj

    On Tue, Jun 7, 2022 at 1:11 PM Marc Haber <mh+debian-ipv6@zugschlus.de>
    wrote:

    On Tue, Jun 07, 2022 at 12:24:39PM -0400, Dheeraj Kandula wrote:
    *My requirement is to have IPv6 disabled globally and in newly created namespaces*

    Why do you deliberately cripple your system and force it to use legacy technology?

    Greetings
    Marc

    --
    -----------------------------------------------------------------------------
    Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
    Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
    Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



  • From Bjørn Mork@21:1/5 to Marc Haber on Tue Jun 7 19:40:01 2022
    Marc Haber <mh+debian-ipv6@zugschlus.de> writes:
    > On Tue, Jun 07, 2022 at 12:24:39PM -0400, Dheeraj Kandula wrote:
    >> *My requirement is to have IPv6 disabled globally and in newly created
    >> namespaces*
    >
    > Why do you deliberately cripple your system and force it to use legacy technology?

    I don't think this is constructive.

    I've never done this myself, but I have no problems seeing that there
    are reasons to use the per-interface disable_ipv6 knob. This isn't
    "crippling" anything. And it can make perfect sense to set it by
    default and then only enable ipv6 where needed and supported.


    Bjørn

  • From Bjørn Mork@21:1/5 to Dheeraj Kandula on Tue Jun 7 21:00:01 2022
    Dheeraj Kandula <dkandula@gmail.com> writes:

    > Thanks Bjørn for your response. I think I am getting a bit confused here.
    >
    > I booted up my Linux VM and set the following in my /etc/sysctl.conf file:


    You need to make the change in your boot loader. grub or whatever.
    That's where the kernel command line is set.

    E.g edit /etc/default/grub and add ipv6.disable_ipv6=1 to the GRUB_CMDLINE_LINUX variable, and then run update-grub to produce a new /boot/grub/grub.cfg configuration file.




    Bjørn

  • From marcoshalano@gmail.com@21:1/5 to Dheeraj Kandula on Tue Jun 7 20:40:01 2022
    Dheeraj,

    You don't need to touch the /etc/sysctl.conf. You need to touch your bootloader configuration file. You can see an example of how to do it here: https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-ipv6/

    On 07/06/2022 15:33, Dheeraj Kandula <dkandula@gmail.com> wrote:
    Thanks Bjørn for your response. I think I am getting a bit confused here.

    I booted up my Linux VM and set the following in my /etc/sysctl.conf file:

    net.ipv6.conf.all.disable_ipv6=1
    net.ipv6.conf.default.disable_ipv6=1

    I saved the file.

    *I rebooted my VM.*

    After reboot, I check the value of "/sys/module/ipv6/parameters/disable_ipv6". *It is still 0.*

    As it is still 0, the new namespaces are created with IPv6 enabled. Is
    this a bug in the kernel code?

    Dheeraj

    On Tue, Jun 7, 2022 at 2:17 PM Bjørn Mork <bjorn@mork.no <mailto:bjorn@mork.no>> wrote:

    Dheeraj Kandula <dkandula@gmail.com <mailto:dkandula@gmail.com>> writes:

    > On my system I see the following values:
    >
    > $cat /sys/module/ipv6/parameters/disable_ipv6
    > 0

    Yes, that's the default unless you change it..

    > Are you suggesting that "cat
    /sys/module/ipv6/parameters/disable_ipv6"
    > should be 1?

    Yes, And if you boot with "ipv6.disable_ipv6=1" on the command line,
    then it will be.


    Bjørn



  • From Bjørn Mork@21:1/5 to Dheeraj Kandula on Tue Jun 7 20:40:01 2022
    Dheeraj Kandula <dkandula@gmail.com> writes:

    > On my system I see the following values:
    >
    > $cat /sys/module/ipv6/parameters/disable_ipv6
    > 0

    Yes, that's the default unless you change it..

    > Are you suggesting that "cat /sys/module/ipv6/parameters/disable_ipv6"
    > should be 1?

    Yes, And if you boot with "ipv6.disable_ipv6=1" on the command line,
    then it will be.


    Bjørn

  • From Dheeraj Kandula@21:1/5 to bjorn@mork.no on Tue Jun 7 20:40:01 2022
    Thanks Bjørn for your response. I think I am getting a bit confused here.

    I booted up my Linux VM and set the following in my /etc/sysctl.conf file:

    net.ipv6.conf.all.disable_ipv6=1
    net.ipv6.conf.default.disable_ipv6=1

    I saved the file.

    *I rebooted my VM.*

    After reboot, I check the value of
    "/sys/module/ipv6/parameters/disable_ipv6". *It is still 0.*

    As it is still 0, the new namespaces are created with IPv6 enabled. Is this
    a bug in the kernel code?

    Dheeraj

    On Tue, Jun 7, 2022 at 2:17 PM Bjørn Mork <bjorn@mork.no> wrote:

    Dheeraj Kandula <dkandula@gmail.com> writes:

    On my system I see the following values:

    $cat /sys/module/ipv6/parameters/disable_ipv6
    0

    Yes, that's the default unless you change it..

    Are you suggesting that "cat /sys/module/ipv6/parameters/disable_ipv6" should be 1?

    Yes, And if you boot with "ipv6.disable_ipv6=1" on the command line,
    then it will be.


    Bjørn


  • From Dheeraj Kandula@21:1/5 to marcoshalano@gmail.com on Tue Jun 7 21:40:01 2022
    Thanks Marc for your email. With the grub option, the IPv6 feature itself
    may have been removed from the running Linux kernel. But, I want IPv6 functionality to be present in the kernel but with the capability to enable
    or disable it.

    If disabled, IPv6 should be disabled on current namespaces and future namespaces, until I enable IPv6 again.

    Is this possible in Linux?

    Dheeraj

    On Tue, Jun 7, 2022 at 2:38 PM <marcoshalano@gmail.com> wrote:

    Dheeraj,

    You don't need to touch the /etc/sysctl.conf. You need to touch your bootloader configuration file. You can see an example of how to do it here: https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-ipv6/

    On 07/06/2022 15:33, Dheeraj Kandula <dkandula@gmail.com> wrote:
    Thanks Bjørn for your response. I think I am getting a bit confused here.

    I booted up my Linux VM and set the following in my /etc/sysctl.conf
    file:

    net.ipv6.conf.all.disable_ipv6=1
    net.ipv6.conf.default.disable_ipv6=1

    I saved the file.

    *I rebooted my VM.*

    After reboot, I check the value of "/sys/module/ipv6/parameters/disable_ipv6". *It is still 0.*

    As it is still 0, the new namespaces are created with IPv6 enabled. Is
    this a bug in the kernel code?

    Dheeraj

    On Tue, Jun 7, 2022 at 2:17 PM Bjørn Mork <bjorn@mork.no <mailto:bjorn@mork.no>> wrote:

    Dheeraj Kandula <dkandula@gmail.com <mailto:dkandula@gmail.com>>
    writes:

    > On my system I see the following values:
    >
    > $cat /sys/module/ipv6/parameters/disable_ipv6
    > 0

    Yes, that's the default unless you change it..

    > Are you suggesting that "cat
    /sys/module/ipv6/parameters/disable_ipv6"
    > should be 1?

    Yes, And if you boot with "ipv6.disable_ipv6=1" on the command line,
    then it will be.


    Bjørn





  • From Dheeraj Kandula@21:1/5 to bjorn@mork.no on Tue Jun 7 21:30:01 2022
    Thanks Bjørn for the reply. But with the grub command line, IPv6 option is
    not available i.e.* net.ipv6.conf.all.disable_ipv6* i.e. net.ipv6 itself is
    not available.

    $ sudo sysctl net.ipv6
    sysctl: cannot stat /proc/sys/net/ipv6: No such file or directory

    I want to enable and disable IPv6 when the Linux box is up and running.

    Sysctls worked but not for new namespaces. Is this a limitation of Linux?

    BTW, the value is still 0 for disable_ipv6

    $ cat /sys/module/ipv6/parameters/disable_ipv6

    0

    Dheeraj

    On Tue, Jun 7, 2022 at 2:38 PM Bjørn Mork <bjorn@mork.no> wrote:

    Dheeraj Kandula <dkandula@gmail.com> writes:

    Thanks Bjørn for your response. I think I am getting a bit confused here.

    I booted up my Linux VM and set the following in my /etc/sysctl.conf
    file:


    You need to make the change in your boot loader. grub or whatever.
    That's where the kernel command line is set.

    E.g edit /etc/default/grub and add ipv6.disable_ipv6=1 to the GRUB_CMDLINE_LINUX variable, and then run update-grub to produce a new /boot/grub/grub.cfg configuration file.




    Bjørn


  • From Dheeraj Kandula@21:1/5 to dkandula@gmail.com on Tue Jun 7 21:50:01 2022
    Hi All,
    If this is not supported in Linux, can I go ahead and file a bug/enhancement request against the Linux kernel?

    Dheeraj

    On Tue, Jun 7, 2022 at 3:31 PM Dheeraj Kandula <dkandula@gmail.com> wrote:

    Thanks Marc for your email. With the grub option, the IPv6 feature itself
    may have been removed from the running Linux kernel. But, I want IPv6 functionality to be present in the kernel but with the capability to enable or disable it.

    If disabled, IPv6 should be disabled on current namespaces and future namespaces, until I enable IPv6 again.

    Is this possible in Linux?

    Dheeraj

    On Tue, Jun 7, 2022 at 2:38 PM <marcoshalano@gmail.com> wrote:

    Dheeraj,

    You don't need to touch the /etc/sysctl.conf. You need to touch your
    bootloader configuration file. You can see an example of how to do it here: >> https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-ipv6/

    On 07/06/2022 15:33, Dheeraj Kandula <dkandula@gmail.com> wrote:
    Thanks Bjørn for your response. I think I am getting a bit confused
    here.

    I booted up my Linux VM and set the following in my /etc/sysctl.conf
    file:

    net.ipv6.conf.all.disable_ipv6=1
    net.ipv6.conf.default.disable_ipv6=1

    I saved the file.

    *I rebooted my VM.*

    After reboot, I check the value of
    "/sys/module/ipv6/parameters/disable_ipv6". *It is still 0.*

    As it is still 0, the new namespaces are created with IPv6 enabled. Is
    this a bug in the kernel code?

    Dheeraj

    On Tue, Jun 7, 2022 at 2:17 PM Bjørn Mork <bjorn@mork.no
    <mailto:bjorn@mork.no>> wrote:

    Dheeraj Kandula <dkandula@gmail.com <mailto:dkandula@gmail.com>>
    writes:

    > On my system I see the following values:
    >
    > $cat /sys/module/ipv6/parameters/disable_ipv6
    > 0

    Yes, that's the default unless you change it..

    > Are you suggesting that "cat
    /sys/module/ipv6/parameters/disable_ipv6"
    > should be 1?

    Yes, And if you boot with "ipv6.disable_ipv6=1" on the command line, >> > then it will be.


    Bjørn





  • From Bjørn Mork@21:1/5 to Dheeraj Kandula on Tue Jun 7 22:30:01 2022
    Dheeraj Kandula <dkandula@gmail.com> writes:

    > Thanks Bjørn for the reply. But with the grub command line, IPv6 option is not available i.e.* net.ipv6.conf.all.disable_ipv6* i.e. net.ipv6 itself is not available.
    >
    > $ sudo sysctl net.ipv6
    > sysctl: cannot stat /proc/sys/net/ipv6: No such file or directory

    Huh? Did you set ipv6.disable instead of ipv6.disable_ipv6? Those are
    very different, as documented in the module:


    bjorn@miraculix:~$ modinfo ipv6
    name: ipv6
    filename: (builtin)
    alias: net-pf-10
    license: GPL
    file: net/ipv6/ipv6
    description: IPv6 protocol stack for Linux
    author: Cast of dozens
    parm: disable:Disable IPv6 module such that it is non-functional (int)
    parm: disable_ipv6:Disable IPv6 on all interfaces (int)
    parm: autoconf:Enable IPv6 address autoconfiguration on all interfaces (int)




    Bjørn

  • From Dheeraj Kandula@21:1/5 to bjorn@mork.no on Tue Jun 7 22:30:02 2022
    Thanks a lot Bjorn for pointing this out. I now have IPv6 disabled by
    default in newly created namespaces too.

    However, when I enable IPv6 globally it is not enabled inside the already created namespaces. Maybe it has to be done explicitly. I will see if this behavior is acceptable.

    Thanks a lot Bjorn. I really appreciate your time and patience.

    Thanks, Marc too for taking the time to respond to my emails.

    Dheeraj



  • From Dheeraj Kandula@21:1/5 to dkandula@gmail.com on Wed Jun 8 17:20:01 2022
    I looked into the code to figure out where the IPv6 configuration is copied from for a new namespace.

    I came across this function addrconf_init_net. I assume this is the
    function that is invoked when a new namespace is created.

    Inside this function, I came across this code,

        if (IS_ENABLED(CONFIG_SYSCTL) &&
            !net_eq(net, &init_net)) {
                switch (sysctl_devconf_inherit_init_net) {
                case 1:  /* copy from init_net */
                        memcpy(all, init_net.ipv6.devconf_all,
                               sizeof(ipv6_devconf));
                        memcpy(dflt, init_net.ipv6.devconf_dflt,
                               sizeof(ipv6_devconf_dflt));
                        break;
                case 3:  /* copy from the current netns */
                        memcpy(all, current->nsproxy->net_ns->ipv6.devconf_all,
                               sizeof(ipv6_devconf));
                        memcpy(dflt,
                               current->nsproxy->net_ns->ipv6.devconf_dflt,
                               sizeof(ipv6_devconf_dflt));
                        break;
                case 0:
                case 2:
                        /* use compiled values */
                        break;
                }
        }

    If I set the value of net.core.devconf_inherit_init_net to 1, when a
    new namespace is created the values in init_net (which again I assume
    is init process' namespace value - global/default namespace)
    will be copied into the new namespace. A few lines later, the
    following code is present.

        dflt->disable_ipv6 = ipv6_defaults.disable_ipv6;

    <<<<< This ipv6_defaults.disable_ipv6 comes from the GRUB command line
    value of disable_ipv6.

    Hence if I enable IPv6 before creating a new namespace, the new
    namespace still will have IPv6 disabled, because of the above single
    line of code. Is this correct?


    net.ipv6.conf.all.disable_ipv6 is used to change the IPv6 state for
    all the currently available interfaces.

    net.ipv6.conf.default.disable_ipv6 has the default value from ipv6_defaults.disable_ipv6 i.e. the grub one. If I change this sysctl,
    what impact does it have?


    Dheeraj





  • From Bjørn Mork@21:1/5 to Dheeraj Kandula on Thu Jun 9 09:10:01 2022
    Dheeraj Kandula <dkandula@gmail.com> writes:

    > I looked into the code to figure out where the IPv6 configuration is
    > copied from for a new namespace.
    >
    > I came across this function addrconf_init_net. I assume this is the
    > function that is invoked when a new namespace is created.
    >
    > Inside this function, I came across this code,
    >
    > if (IS_ENABLED(CONFIG_SYSCTL) &&
    >     !net_eq(net, &init_net)) {
    >         switch (sysctl_devconf_inherit_init_net) {
    >         case 1:  /* copy from init_net */
    >                 memcpy(all, init_net.ipv6.devconf_all,
    >                        sizeof(ipv6_devconf));
    >                 memcpy(dflt, init_net.ipv6.devconf_dflt,
    >                        sizeof(ipv6_devconf_dflt));
    >                 break;
    >         case 3:  /* copy from the current netns */
    >                 memcpy(all, current->nsproxy->net_ns->ipv6.devconf_all,
    >                        sizeof(ipv6_devconf));
    >                 memcpy(dflt,
    >                        current->nsproxy->net_ns->ipv6.devconf_dflt,
    >                        sizeof(ipv6_devconf_dflt));
    >                 break;
    >         case 0:
    >         case 2:
    >                 /* use compiled values */
    >                 break;
    >         }
    > }
    >
    > If I set the value of net.core.devconf_inherit_init_net to 1, when a new
    > namespace is created the values in init_net (which again I assume is init
    > process' namespace value - global/default namespace) will be copied into
    > the new namespace. A few lines later, the following code is present.
    >
    > dflt->disable_ipv6 = ipv6_defaults.disable_ipv6; <<<<< This
    > ipv6_defaults.disable_ipv6 comes from the GRUB command line value of
    > disable_ipv6.
    >
    > Hence if I enable IPv6 before creating a new namespace, the new namespace
    > still will have IPv6 disabled, because of the above single line of code.
    > Is this correct?
    >
    > net.ipv6.conf.all.disable_ipv6 is used to change the IPv6 state for all
    > the currently available interfaces.
    >
    > net.ipv6.conf.default.disable_ipv6 has the default value from
    > ipv6_defaults.disable_ipv6 i.e. the grub one. If I change this sysctl,
    > what impact does it have?


    Yes, this looks inconsistent.

    It might have been intentional to avoid breaking existing behaviour,
    since the inherit_init_net knob was added long after the default
    disable_ipv6 stuff. But there doesn't seem to have been any discussion
    around this when that knob was first introduced: https://lore.kernel.org/all/20190122.110739.525639247784135260.davem@davemloft.net/T/
    This is unsuspected if it was intentional. I would have expected at
    least a comment in the commit message.

    I suggest you ask about this on the netdev@vger.kernel.org list. They
    are the experts. Don't know how easy it is attracting attention to such
    a question though... One trick might be to send a patch fixing the
    problem. That should at least provoke a discussion. Or simply be
    applied if everyone agrees that it's correct ;-)


    Bjørn
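
    Added example, not part of any poster's message: a shell check for the three knobs this thread keeps confusing (ipv6.disable and ipv6.disable_ipv6 on the kernel command line, and the net.ipv6.conf.*.disable_ipv6 sysctls), which also relates to the addrconf_init_net reading above where the boot value decides the default in new namespaces. Function names, verdict strings and the scratch namespace name are this example's own assumptions; the sample inputs in demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread.

# boot_param CMDLINE NAME: value of the last NAME=VALUE token ("" if absent).
# Parameters are applied in order, so a later token overrides an earlier one;
# the kernel treats '-' and '_' in parameter names as the same character.
boot_param() {
    bp_val=""
    set -f                                   # no globbing while word-splitting
    for bp_tok in $1; do
        case "$bp_tok" in *=*) ;; *) continue ;; esac
        bp_key=$(printf '%s' "${bp_tok%%=*}" | tr '-' '_')
        if [ "$bp_key" = "$2" ]; then bp_val=${bp_tok#*=}; fi
    done
    set +f
    printf '%s' "$bp_val"
}

# ipv6_boot_state CMDLINE (any value other than 0 counts as set):
#   stack-off          ipv6.disable=1       no /proc/sys/net/ipv6 at all
#   netns-default-off  ipv6.disable_ipv6=1  default for every namespace
#   netns-default-on   neither parameter set
ipv6_boot_state() {
    st_mod=$(boot_param "$1" ipv6.disable)
    st_def=$(boot_param "$1" ipv6.disable_ipv6)
    if [ -n "$st_mod" ] && [ "$st_mod" != 0 ]; then
        echo stack-off
    elif [ -n "$st_def" ] && [ "$st_def" != 0 ]; then
        echo netns-default-off
    else
        echo netns-default-on
    fi
}

# sysctl_disables_ipv6 FILE: true if an uncommented line sets
# net.ipv6.conf.all|default.disable_ipv6 to 1.
sysctl_disables_ipv6() {
    grep -Eq '^[[:space:]]*net\.ipv6\.conf\.(all|default)\.disable_ipv6[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# audit CMDLINE SYSCTL_FILE: verdict for namespaces created after boot.
# sysctl-only-gap is the situation reported in the thread: sysctl.conf is set,
# the module parameter is still 0, new namespaces come up with IPv6 enabled.
audit() {
    au_state=$(ipv6_boot_state "$1")
    if [ "$au_state" = netns-default-on ] && sysctl_disables_ipv6 "$2"; then
        echo sysctl-only-gap
    else
        echo "$au_state"
    fi
}

# live_check: root and iproute2 required; creates and deletes one namespace.
live_check() {
    lc_ns="ipv6audit-$$"
    echo "predicted: $(audit "$(cat /proc/cmdline)" /etc/sysctl.conf)"
    echo "module parameter: $(cat /sys/module/ipv6/parameters/disable_ipv6 2>/dev/null || echo n/a)"
    echo "inherit mode: $(sysctl -n net.core.devconf_inherit_init_net 2>/dev/null || echo n/a)"
    ip netns add "$lc_ns" || return 1
    echo "new netns default: $(ip netns exec "$lc_ns" sysctl -n net.ipv6.conf.default.disable_ipv6 2>/dev/null || echo 'n/a (no net.ipv6 tree)')"
    ip netns del "$lc_ns"
}

# demo: constructed command lines against a constructed sysctl.conf.
demo() {
    dm_conf=$(mktemp)
    printf 'net.ipv6.conf.all.disable_ipv6=1\nnet.ipv6.conf.default.disable_ipv6=1\n' >"$dm_conf"
    for dm_cmd in 'ro quiet' 'ro ipv6.disable_ipv6=1' 'ro ipv6.disable=1'; do
        printf '%-24s -> %s\n' "$dm_cmd" "$(audit "$dm_cmd" "$dm_conf")"
    done
    rm -f "$dm_conf"
}

case "${1:-}" in
    --live) live_check ;;
    *)      demo ;;
esac
```

    Run it with no arguments for the constructed samples, or as root with --live on the host being checked; only /etc/sysctl.conf is read, so settings under sysctl.d are not considered.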
