Disabling IPv6 by default when creating a new namespace in Linux

Dheeraj Kandula

Jun 7, 2022, 12:32:05 PM
Hi All,
I have been able to disable IPv6 globally by adding the following sysctls to the /etc/sysctl.conf file.

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

When I boot up the machine (it is a VM actually), IPv6 is disabled. But when I create a new namespace, IPv6 is enabled by default. I added the following line to /etc/sysctl.conf file, but still IPv6 is enabled.

net.core.devconf_inherit_init_net=1

I tried with setting the value to 2 and 3 too. The default is 0. But IPv6 was still enabled inside a newly created namespace.

How do I disable IPv6 by default when a new namespace is created?

My requirement is to have IPv6 disabled globally and in newly created namespaces. If the user wants to enable IPv6 in a specific namespace, he/she can do so with the following command

sudo nsenter --net=/var/run/netns/<namespace name> sysctl -w net.ipv6.conf.all.disable_ipv6=0

Dheeraj

Dheeraj Kandula

Jun 7, 2022, 1:10:02 PM
Hi Bjørn,
Thanks for your reply. Are you suggesting that if I boot up the machine with "net.ipv6.conf.all.disable_ipv6=1" and "net.ipv6.conf.default.disable_ipv6=1", IPv6 should be disabled in newly created namespaces too.
It doesn't work that way on my machine. Can you point me to the function that is used for creating a new namespace?

Thanks
Dheeraj

On Tue, Jun 7, 2022 at 12:56 PM Bjørn Mork <bj...@mork.no> wrote:
> Dheeraj Kandula <dkan...@gmail.com> writes:
>
>> How do I disable IPv6 by default when a new namespace is created?
>
> Looking at the code, I see that the default for all namespaces will be
> taken from the ipv6 module parameter "disable_ipv6".  This parameter is
> not writable and the ipv6 module is built-in, so you cannot change it
> after boot.  But booting with "ipv6.disable_ipv6=1" on the command line
> should work.
>
> Bjørn

Marc Haber

Jun 7, 2022, 1:20:02 PM
On Tue, Jun 07, 2022 at 12:24:39PM -0400, Dheeraj Kandula wrote:
> *My requirement is to have IPv6 disabled globally and in newly created
> namespaces*

Why do you deliberately cripple your system and force it to use legacy
technology?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421

Bjørn Mork

Jun 7, 2022, 1:30:02 PM
Dheeraj Kandula <dkan...@gmail.com> writes:

> Thanks for your reply. Are you suggesting that if I boot up the
> machine with "net.ipv6.conf.all.disable_ipv6=1" and
> "net.ipv6.conf.default.disable_ipv6=1", IPv6 should be disabled in newly
> created namespaces too.

No. But if you boot with "ipv6.disable_ipv6=1" then you should see

grep . /sys/module/ipv6/parameters/disable_ipv6

returning 1. This will be used as the default value of
"net.ipv6.conf.default.disable_ipv6" for all namespaces. Including the
default namespace.

That's a lot of nested defaults ;-) Hope you get the meaning.


Bjørn

Dheeraj Kandula

Jun 7, 2022, 1:30:02 PM
On my system I see the following values:

$ cat /sys/module/ipv6/parameters/disable_ipv6
0

$ sudo sysctl net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1

$ sudo sysctl net.ipv6.conf.default.disable_ipv6
net.ipv6.conf.default.disable_ipv6 = 1

Are you suggesting that "cat /sys/module/ipv6/parameters/disable_ipv6" should be 1?

Dheeraj

Bjørn Mork

Jun 7, 2022, 1:30:03 PM
Dheeraj Kandula <dkan...@gmail.com> writes:

> How do I disable IPv6 by default when a new namespace is created?

Dheeraj Kandula

Jun 7, 2022, 1:30:03 PM
It is a requirement that I am working on. I can't reveal further details. Sorry.

Dheeraj

Bjørn Mork

Jun 7, 2022, 1:40:02 PM
Marc Haber <mh+debi...@zugschlus.de> writes:
> On Tue, Jun 07, 2022 at 12:24:39PM -0400, Dheeraj Kandula wrote:
>> *My requirement is to have IPv6 disabled globally and in newly created
>> namespaces*
>
> Why do you deliberately cripple your system and force it to use legacy
> technology?

I don't think this is constructive.

I've never done this myself, but I have no problems seeing that there
are reasons to use the per-interface disable_ipv6 knob. This isn't
"crippling" anything. And it can make perfect sense to set it by
default and then only enable ipv6 where needed and supported.


Bjørn

Bjørn Mork

Jun 7, 2022, 2:40:02 PM
Dheeraj Kandula <dkan...@gmail.com> writes:

> On my system I see the following values:
>
> $ cat /sys/module/ipv6/parameters/disable_ipv6
> 0

Yes, that's the default unless you change it..

> Are you suggesting that "cat /sys/module/ipv6/parameters/disable_ipv6"
> should be 1?

Yes, and if you boot with "ipv6.disable_ipv6=1" on the command line,
then it will be.


Bjørn

marcos...@gmail.com

Jun 7, 2022, 2:40:02 PM
Dheeraj,

You don't need to touch the /etc/sysctl.conf. You need to touch your bootloader configuration file. You can see an example of how to do it here: https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-ipv6/

On 07/06/2022 15:33, Dheeraj Kandula <dkan...@gmail.com> wrote:
> Thanks Bjørn for your response. I think I am getting a bit confused here.
>
> I booted up my Linux VM and set the following in my /etc/sysctl.conf file:
>
> net.ipv6.conf.all.disable_ipv6=1
> net.ipv6.conf.default.disable_ipv6=1
>
> I saved the file.
>
> *I rebooted my VM.*
>
> After reboot, I check the value of
> "/sys/module/ipv6/parameters/disable_ipv6". *It is still 0.*
>
> As it is still 0, the new namespaces are created with IPv6 enabled. Is
> this a bug in the kernel code?
>
> Dheeraj
>
> On Tue, Jun 7, 2022 at 2:17 PM Bjørn Mork <bj...@mork.no
> <mailto:bj...@mork.no>> wrote:

Dheeraj Kandula

Jun 7, 2022, 2:40:02 PM
Thanks Bjørn for your response. I think I am getting a bit confused here.

I booted up my Linux VM and set the following in my /etc/sysctl.conf file:

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

I saved the file.

I rebooted my VM.

After reboot, I check the value of "/sys/module/ipv6/parameters/disable_ipv6". It is still 0.

As it is still 0, the new namespaces are created with IPv6 enabled. Is this a bug in the kernel code?

Dheeraj

Bjørn Mork

Jun 7, 2022, 3:00:03 PM
Dheeraj Kandula <dkan...@gmail.com> writes:

> Thanks Bjørn for your response. I think I am getting a bit confused here.
>
> I booted up my Linux VM and set the following in my /etc/sysctl.conf file:


You need to make the change in your boot loader. grub or whatever.
That's where the kernel command line is set.

E.g. edit /etc/default/grub and add ipv6.disable_ipv6=1 to the
GRUB_CMDLINE_LINUX variable, and then run update-grub to produce a new
/boot/grub/grub.cfg configuration file.




Bjørn

Dheeraj Kandula

Jun 7, 2022, 3:30:03 PM
Thanks Bjørn for the reply. But with the grub command line, IPv6 option is not available i.e. net.ipv6.conf.all.disable_ipv6 i.e. net.ipv6 itself is not available.

$ sudo sysctl net.ipv6
sysctl: cannot stat /proc/sys/net/ipv6: No such file or directory

I want to enable and disable IPv6 when the Linux box is up and running.

Sysctls worked but not for new namespaces. Is this a limitation of Linux?

BTW, the value is still 0 for disable_ipv6

$ cat /sys/module/ipv6/parameters/disable_ipv6
0

Dheeraj

Dheeraj Kandula

Jun 7, 2022, 3:40:02 PM
Thanks Marc for your email. With the grub option, the IPv6 feature itself may have been removed from the running Linux kernel. But, I want IPv6 functionality to be present in the kernel but with the capability to enable or disable it.

If disabled, IPv6 should be disabled on current namespaces and future namespaces, until I enable IPv6 again.

Is this possible in Linux?

Dheeraj

Dheeraj Kandula

Jun 7, 2022, 3:50:11 PM
Hi All,
If this is not supported in Linux, can I go ahead and file a bug/enhancement request against the Linux kernel?

Dheeraj

Bjørn Mork

Jun 7, 2022, 4:30:03 PM
Dheeraj Kandula <dkan...@gmail.com> writes:

> Thanks Bjørn for the reply. But with the grub command line, IPv6 option is
> not available i.e.* net.ipv6.conf.all.disable_ipv6* i.e. net.ipv6 itself is
> not available.
>
> $ sudo sysctl net.ipv6
> sysctl: cannot stat /proc/sys/net/ipv6: No such file or directory

Huh? Did you set ipv6.disable instead of ipv6.disable_ipv6? Those are
very different, as documented in the module:


bjorn@miraculix:~$ modinfo ipv6
name: ipv6
filename: (builtin)
alias: net-pf-10
license: GPL
file: net/ipv6/ipv6
description: IPv6 protocol stack for Linux
author: Cast of dozens
parm: disable:Disable IPv6 module such that it is non-functional (int)
parm: disable_ipv6:Disable IPv6 on all interfaces (int)
parm: autoconf:Enable IPv6 address autoconfiguration on all interfaces (int)




Bjørn

Dheeraj Kandula

Jun 7, 2022, 4:30:03 PM
Thanks a lot Bjorn for pointing this out. I now have IPv6 disabled by default in newly created namespaces too.

However, when I enable IPv6 globally it is not enabled inside the already created namespaces. Maybe it has to be done explicitly. I will see if this behavior is acceptable.

Thanks a lot Bjorn. I really appreciate your time and patience.

Thanks, Marc too for taking the time to respond to my emails.

Dheeraj

Dheeraj Kandula

Jun 8, 2022, 11:20:03 AM
I looked into the code to figure out where the IPv6 configuration is copied from for a new namespace.

I came across this function addrconf_init_net. I assume this is the function that is invoked when a new namespace is created.

Inside this function, I came across this code,

	if (IS_ENABLED(CONFIG_SYSCTL) &&
	    !net_eq(net, &init_net)) {
		switch (sysctl_devconf_inherit_init_net) {
		case 1:  /* copy from init_net */
			memcpy(all, init_net.ipv6.devconf_all,
			       sizeof(ipv6_devconf));
			memcpy(dflt, init_net.ipv6.devconf_dflt,
			       sizeof(ipv6_devconf_dflt));
			break;
		case 3: /* copy from the current netns */
			memcpy(all, current->nsproxy->net_ns->ipv6.devconf_all,
			       sizeof(ipv6_devconf));
			memcpy(dflt,
			       current->nsproxy->net_ns->ipv6.devconf_dflt,
			       sizeof(ipv6_devconf_dflt));
			break;
		case 0:
		case 2:
			/* use compiled values */
			break;
		}
	}

If I set the value of net.core.devconf_inherit_init_net to 1, when a new namespace is created the values in init_net (which again I assume is init process' namespace value - global/default namespace) will be copied into the new namespace. A few lines later, the following code is present.

dflt->disable_ipv6 = ipv6_defaults.disable_ipv6; <<<<< This ipv6_defaults.disable_ipv6 comes from the GRUB command line value of disable_ipv6.
Hence if I enable IPv6 before creating a new namespace, the new namespace still will have IPv6 disabled, because of the above single line of code. Is this correct?


net.ipv6.conf.all.disable_ipv6 is used to change the IPv6 state for all the currently available interfaces.
net.ipv6.conf.default.disable_ipv6 has the default value from ipv6_defaults.disable_ipv6 i.e. the grub one. If I change this sysctl, what impact does it have?

Dheeraj

Bjørn Mork

Jun 9, 2022, 3:10:03 AM
Yes, this looks inconsistent.

It might have been intentional to avoid breaking existing behaviour,
since the inherit_init_net knob was added long after the default
disable_ipv6 stuff. But there doesn't seem to have been any discussion
around this when that knob was first introduced:
https://lore.kernel.org/all/20190122.110739.5256...@davemloft.net/T/
This is unsuspected if it was intentional. I would have expected at
least a comment in the commit message.

I suggest you ask about this on the net...@vger.kernel.org list. They
are the experts. Don't know how easy it is attracting attention to such
a question though... One trick might be to send a patch fixing the
problem. That should at least provoke a discussion. Or simply be
applied if everyone agrees that it's correct ;-)


Bjørn
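
The three places this thread keeps returning to (the kernel command line, /sys/module/ipv6/parameters/disable_ipv6, and net.ipv6.conf.default.disable_ipv6) can be read together to predict what a new namespace will get. The script below is an added example, not code posted by anyone in the thread; the function names, the output strings and the ROOT argument are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is this example's own parameter:
# "" audits the live host, a directory audits a copied or constructed tree.

# Classify the ipv6.* option on a kernel command line string.
ipv6_boot_option() {
    case " $1 " in
        *" ipv6.disable=1 "*)      echo disable ;;       # whole stack off
        *" ipv6.disable_ipv6=1 "*) echo disable_ipv6 ;;  # per-interface default
        *)                         echo none ;;
    esac
}

# Predict the IPv6 state of a newly created network namespace under ROOT.
new_netns_ipv6_default() {
    root=$1
    sysctl_dir="$root/proc/sys/net/ipv6"
    cmdline=$(cat "$root/proc/cmdline" 2>/dev/null || true)
    boot=$(ipv6_boot_option "$cmdline")

    if [ ! -d "$sysctl_dir" ]; then
        # Same symptom as "cannot stat /proc/sys/net/ipv6" in the thread.
        echo "stack-disabled boot=$boot"
        return 0
    fi
    mod=$(cat "$root/sys/module/ipv6/parameters/disable_ipv6" 2>/dev/null || echo unknown)
    cur=$(cat "$sysctl_dir/conf/default/disable_ipv6" 2>/dev/null || echo unknown)

    # Per the thread: a new namespace starts from the module parameter,
    # whatever net.ipv6.conf.default.disable_ipv6 currently says.
    case "$mod" in
        1) state=new-netns-ipv6-off ;;
        0) state=new-netns-ipv6-on ;;
        *) state=unknown ;;
    esac
    echo "$state boot=$boot module=$mod sysctl_default=$cur"
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--live" ]; then
    new_netns_ipv6_default ""
fi
```

Run with --live as an unprivileged user; to confirm the prediction, create a throwaway namespace with ip netns add and read the same sysctl inside it.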