Dheeraj Kandula <dkandula@gmail.com> writes:
> How do I disable IPv6 by default when a new namespace is created?
Looking at the code, I see that the default for all namespaces will be
taken from the ipv6 module parameter "disable_ipv6". This parameter is
not writable and the ipv6 module is built-in, so you cannot change it
after boot. But booting with "ipv6.disable_ipv6=1" on the command line should work.
Bjørn
Dheeraj Kandula <dkandula@gmail.com> writes:
> Thanks for your reply. Are you suggesting that if I boot up the machine with "net.ipv6.conf.all.disable_ipv6=1" and "net.ipv6.conf.default.disable_ipv6=1", IPv6 should be disabled in newly created namespaces too.
No. But if you boot with "ipv6.disable_ipv6=1" then you should see
grep . /sys/module/ipv6/parameters/disable_ipv6
returning 1. This will be used as the default value of "net.ipv6.conf.default.disable_ipv6" for all namespaces. Including the default namespace.
That's a lot of nested defaults ;-) Hope you get the meaning.
Bjørn
$ sudo sysctl net.ipv6.conf.default.disable_ipv6
net.ipv6.conf.default.disable_ipv6 = 1
Are you suggesting that "cat /sys/module/ipv6/parameters/disable_ipv6" should be 1?
Dheeraj
*My requirement is to have IPv6 disabled globally and in newly created namespaces*
Thanks for your reply. Are you suggesting that if I boot up the machine with "net.ipv6.conf.all.disable_ipv6=1" and "net.ipv6.conf.default.disable_ipv6=1", IPv6 should be disabled in newly created namespaces too.
On Tue, Jun 07, 2022 at 12:24:39PM -0400, Dheeraj Kandula wrote:
> *My requirement is to have IPv6 disabled globally and in newly created namespaces*
Why do you deliberately cripple your system and force it to use legacy technology?
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Phone: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
Thanks Bjørn for your response. I think I am getting a bit confused here.
I booted up my Linux VM and set the following in my /etc/sysctl.conf file:
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
I saved the file.
*I rebooted my VM.*
After reboot, I check the value of "/sys/module/ipv6/parameters/disable_ipv6". *It is still 0.*
As it is still 0, the new namespaces are created with IPv6 enabled. Is
this a bug in the kernel code?
Dheeraj
On my system I see the following values:
$cat /sys/module/ipv6/parameters/disable_ipv6
0
Are you suggesting that "cat /sys/module/ipv6/parameters/disable_ipv6"
should be 1?
Dheeraj Kandula <dkandula@gmail.com> writes:
> On my system I see the following values:
> $cat /sys/module/ipv6/parameters/disable_ipv6
> 0
Yes, that's the default unless you change it.
> Are you suggesting that "cat /sys/module/ipv6/parameters/disable_ipv6" should be 1?
Yes. And if you boot with "ipv6.disable_ipv6=1" on the command line,
then it will be.
Bjørn
Dheeraj,
You don't need to touch the /etc/sysctl.conf. You need to touch your bootloader configuration file. You can see an example of how to do it here: https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-ipv6/
Dheeraj Kandula <dkandula@gmail.com> writes:
> Thanks Bjørn for your response. I think I am getting a bit confused here.
> I booted up my Linux VM and set the following in my /etc/sysctl.conf file:
You need to make the change in your boot loader. grub or whatever.
That's where the kernel command line is set.
E.g. edit /etc/default/grub and add ipv6.disable_ipv6=1 to the GRUB_CMDLINE_LINUX variable, and then run update-grub to produce a new /boot/grub/grub.cfg configuration file.
Bjørn
Thanks Marc for your email. With the grub option, the IPv6 feature itself
may have been removed from the running Linux kernel. But, I want IPv6 functionality to be present in the kernel but with the capability to enable or disable it.
If disabled, IPv6 should be disabled on current namespaces and future namespaces, until I enable IPv6 again.
Is this possible in Linux?
Dheeraj
Thanks Bjørn for the reply. But with the grub command line, IPv6 option is not available i.e.* net.ipv6.conf.all.disable_ipv6* i.e. net.ipv6 itself is not available.
$ sudo sysctl net.ipv6
sysctl: cannot stat /proc/sys/net/ipv6: No such file or directory
Dheeraj Kandula <dkandula@gmail.com> writes:
> Thanks Bjørn for the reply. But with the grub command line, IPv6 option is
> not available i.e.* net.ipv6.conf.all.disable_ipv6* i.e. net.ipv6 itself is
> not available.
> $ sudo sysctl net.ipv6
> sysctl: cannot stat /proc/sys/net/ipv6: No such file or directory
Huh? Did you set ipv6.disable instead of ipv6.disable_ipv6? Those are
very different, as documented in the module:
bjorn@miraculix:~$ modinfo ipv6
name: ipv6
filename: (builtin)
alias: net-pf-10
license: GPL
file: net/ipv6/ipv6
description: IPv6 protocol stack for Linux
author: Cast of dozens
parm: disable:Disable IPv6 module such that it is non-functional (int)
parm: disable_ipv6:Disable IPv6 on all interfaces (int)
parm: autoconf:Enable IPv6 address autoconfiguration on all interfaces (int)
Bjørn
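The two boot parameters in the modinfo output above lead to different end states, so a host check has to tell them apart. The following is an added example, not part of the original thread: the function names, mode labels and sample command lines are assumptions made for illustration, and the sketch lets the last occurrence of a repeated parameter win.

```shell
#!/bin/sh
# Added example; names and labels are assumptions of this sketch.

# Classify a kernel command line ($1) by the two ipv6 module parameters.
# The body is a subshell so "set -f" (no globbing of tokens) does not leak.
ipv6_boot_mode() (
    set -f
    disable=0
    disable_ipv6=0
    for tok in $1; do
        case "$tok" in
            ipv6.disable=*)      disable=${tok#*=} ;;
            ipv6.disable_ipv6=*) disable_ipv6=${tok#*=} ;;
        esac
    done
    if [ "$disable" != 0 ]; then
        echo stack-off      # no /proc/sys/net/ipv6 at all, as seen in the thread
    elif [ "$disable_ipv6" != 0 ]; then
        echo default-off    # stack present, disable_ipv6 defaults to 1
    else
        echo default-on
    fi
)

# Same classification from the running system. $1 is an optional root prefix
# so the check can be pointed at a fixture instead of the real /sys and /proc.
# A kernel built without IPv6 also reports stack-off here.
ipv6_live_mode() {
    if [ ! -d "$1/proc/sys/net/ipv6" ]; then
        echo stack-off
    elif [ "$(cat "$1/sys/module/ipv6/parameters/disable_ipv6" 2>/dev/null)" = 1 ]; then
        echo default-off
    else
        echo default-on
    fi
}

# Constructed sample command lines, not taken from a real machine.
SAMPLE_DEFAULT_OFF='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet ipv6.disable_ipv6=1'
SAMPLE_STACK_OFF='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet ipv6.disable=1'

# On a real machine, report a mismatch between the boot request and live state.
if [ -r /proc/cmdline ]; then
    want=$(ipv6_boot_mode "$(cat /proc/cmdline)")
    have=$(ipv6_live_mode "")
    [ "$want" = "$have" ] && echo "ipv6: $have" || echo "ipv6: booted as $want, live state is $have"
fi
```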
Thanks a lot Bjorn for pointing this out. I now have IPv6 disabled by
default in newly created namespaces too.
However, when I enable IPv6 globally it is not enabled inside the already created namespaces. Maybe it has to be done explicitly. I will see if this behavior is acceptable.
Thanks a lot Bjorn. I really appreciate your time and patience.
Thanks, Marc too for taking the time to respond to my emails.
Dheeraj
I looked into the code to figure out where the IPv6 configuration is copied from for a new namespace.
I came across this function addrconf_init_net. I assume this is the function that is invoked when a new namespace is created.
Inside this function, I came across this code,
    if (IS_ENABLED(CONFIG_SYSCTL) &&
        !net_eq(net, &init_net)) {
            switch (sysctl_devconf_inherit_init_net) {
            case 1:  /* copy from init_net */
                    memcpy(all, init_net.ipv6.devconf_all,
                           sizeof(ipv6_devconf));
                    memcpy(dflt, init_net.ipv6.devconf_dflt,
                           sizeof(ipv6_devconf_dflt));
                    break;
            case 3: /* copy from the current netns */
                    memcpy(all, current->nsproxy->net_ns->ipv6.devconf_all,
                           sizeof(ipv6_devconf));
                    memcpy(dflt,
                           current->nsproxy->net_ns->ipv6.devconf_dflt,
                           sizeof(ipv6_devconf_dflt));
                    break;
            case 0:
            case 2:
                    /* use compiled values */
                    break;
            }
    }
If I set the value of net.core.devconf_inherit_init_net to 1, when a new namespace is created the values in init_net (which again I assume is init process' namespace value - global/default namespace) will be copied into the new namespace. A few lines later, the following code is present.
dflt->disable_ipv6 = ipv6_defaults.disable_ipv6; <<<<< This ipv6_defaults.disable_ipv6 comes from the GRUB command line value of disable_ipv6.
Hence if I enable IPv6 before creating a new namespace, the new namespace still will have IPv6 disabled, because of the above single line of code. Is this correct?
net.ipv6.conf.all.disable_ipv6 is used to change the IPv6 state for all the currently available interfaces.
net.ipv6.conf.default.disable_ipv6 has the default value from ipv6_defaults.disable_ipv6 i.e. the grub one. If I change this sysctl, what impact does it have?