disable IPv6 RA sysctls for networkd #3438

Merged
merged 1 commit into from
Sep 9, 2023

@bcressey bcressey commented Sep 8, 2023

Issue number:

Fixes #3411

Description of changes:
Try to keep the kernel's IPv6 RA client from changing anything when using systemd-networkd's client, since that could put the interface into an unexpected state that requires a service restart to fix.

This disables all sysctls where the upstream docs have this note:

Functional default: enabled if accept_ra is enabled.

These sysctls are used to selectively enable or disable parts of the kernel's accept_ra behavior, so disabling them all gets us as close as we can to having the entire feature disabled.

Testing done:

Before:

# cat /etc/sysctl.d/90-primary_interface.conf
-net.ipv4.conf.eth0.rp_filter = 2

# head /proc/sys/net/ipv6/conf/eth0/accept_ra{,_defrtr,_pinfo,_rtr_pref,_mtu}
==> /proc/sys/net/ipv6/conf/eth0/accept_ra <==
0

==> /proc/sys/net/ipv6/conf/eth0/accept_ra_defrtr <==
1

==> /proc/sys/net/ipv6/conf/eth0/accept_ra_pinfo <==
1

==> /proc/sys/net/ipv6/conf/eth0/accept_ra_rtr_pref <==
1

==> /proc/sys/net/ipv6/conf/eth0/accept_ra_mtu <==
1

# sysctl -w net.ipv6.conf.eth0.accept_ra=2
net.ipv6.conf.eth0.accept_ra = 2

# dmesg|grep ICMPv6
[  402.503946] ICMPv6: RA: ndisc_router_discovery failed to add default route

After:

# cat /etc/sysctl.d/90-primary_interface.conf
-net.ipv4.conf.eth0.rp_filter = 2
-net.ipv6.conf.eth0.accept_ra = 0
-net.ipv6.conf.eth0.accept_ra_defrtr = 0
-net.ipv6.conf.eth0.accept_ra_pinfo = 0
-net.ipv6.conf.eth0.accept_ra_rtr_pref = 0
-net.ipv6.conf.eth0.accept_ra_mtu = 0

# head /proc/sys/net/ipv6/conf/eth0/accept_ra{,_defrtr,_pinfo,_rtr_pref,_mtu}
==> /proc/sys/net/ipv6/conf/eth0/accept_ra <==
0

==> /proc/sys/net/ipv6/conf/eth0/accept_ra_defrtr <==
0

==> /proc/sys/net/ipv6/conf/eth0/accept_ra_pinfo <==
0

==> /proc/sys/net/ipv6/conf/eth0/accept_ra_rtr_pref <==
0

==> /proc/sys/net/ipv6/conf/eth0/accept_ra_mtu <==
0

# sysctl -w net.ipv6.conf.eth0.accept_ra=2
net.ipv6.conf.eth0.accept_ra = 2

# dmesg|grep ICMPv6
<nothing>

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

Try to keep the kernel's IPv6 RA client from changing anything when
using systemd-networkd's client, since that could put the interface
into an unexpected state that requires a service restart to fix.

Signed-off-by: Ben Cressey <[email protected]>
@bcressey bcressey requested review from zmrow and yeazelm September 8, 2023 22:40
zmrow commented Sep 8, 2023

Related to #3394

@zmrow zmrow left a comment

🚢

@bcressey bcressey merged commit 703692e into bottlerocket-os:develop Sep 9, 2023
@bcressey bcressey deleted the netdog-ipv6-sysctls branch September 9, 2023 00:12
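
An added example, not part of this pull request or of Bottlerocket's code: a POSIX shell audit that checks, for one interface, that the five RA sysctls named above read 0 in `/proc` and are pinned to 0 in a sysctl.d drop-in. The function names and the `ROOT` prefix argument are assumptions made for illustration, and the sample drop-in is constructed from the IPv6 lines of the "After" output.

```shell
#!/bin/sh
# Added example (not Bottlerocket code): audit the five RA sysctls from this PR.
# Function names and the ROOT prefix argument are illustrative assumptions.
RA_KEYS="accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_rtr_pref accept_ra_mtu"

# Live check: print each key that is missing or non-zero under
# ROOT/proc/sys/net/ipv6/conf/IFACE; return 1 if any was found.
# ROOT is "" on a running host, or a directory holding a captured tree.
ra_live_audit() {
    root=$1; iface=$2; rc=0
    for key in $RA_KEYS; do
        path="$root/proc/sys/net/ipv6/conf/$iface/$key"
        if [ ! -r "$path" ]; then
            echo "missing: $key"; rc=1
        else
            val=$(cat "$path")
            [ "$val" = "0" ] || { echo "enabled: $key = $val"; rc=1; }
        fi
    done
    return "$rc"
}

# Drop-in check: print each key that the sysctl.d file does not pin to 0.
# A leading "-" on a sysctl.d line (tolerate failure to set) is accepted.
ra_dropin_audit() {
    conf=$1; iface=$2; rc=0
    for key in $RA_KEYS; do
        name="net.ipv6.conf.$iface.$key"
        # Normalise each line: strip whitespace, then the optional "-" prefix.
        if ! sed -e 's/[[:space:]]//g' -e 's/^-//' "$conf" 2>/dev/null |
                grep -qxF "$name=0"; then
            echo "not pinned: $name"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the IPv6 lines of the "After" drop-in, in a temp file.
demo=$(mktemp)
for key in $RA_KEYS; do
    printf '%s\n' "-net.ipv6.conf.eth0.$key = 0"
done > "$demo"
ra_dropin_audit "$demo" eth0 && echo "drop-in pins all RA sysctls to 0"
rm -f "$demo"
```

On a running host, `ra_live_audit "" eth0` reads the real `/proc` tree; run against the "Before" state shown above it reports the four sub-sysctls that are still 1 even though `accept_ra` itself is 0.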
Successfully merging this pull request may close these issues.

Repeated ndisc_router_discovery failed messages in the journal when using systemd-networkd