[Bug 494958] New: IPV6_PRIVACY (use_tempaddr) does not work
http://bugzilla.novell.com/show_bug.cgi?id=494958

Summary: IPV6_PRIVACY (use_tempaddr) does not work
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: i686
OS/Version: openSUSE 11.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: georgmueller@gmx.net
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.8) Gecko/2009032600 SUSE/3.0.8-1.1.1 Firefox/3.0.8

I am using radvd on the server for IPv6 auto-configuration. I want to hide my MAC address (using use_tempaddr=1 sysctl setting). IPV6_PRIVACY in /etc/sysconfig/sysctl is set to "yes" and /var/log/boot.msg contains the statement "Enabling IPv6 privacy" from /etc/init.d/boot.ipconfig.

Reproducible: Always

Steps to Reproduce:
1. set IPV6_PRIVACY=yes in /etc/sysconfig/sysctl
2. reboot
3. check IPv6 address

I tried to add 'echo "1" > /proc/sys/net/ipv6/conf/default/use_tempaddr' but this does not help either.

Actual Results:
"sysctl -a | grep use_tempaddr" results in:

net.ipv6.conf.all.use_tempaddr = 1
net.ipv6.conf.default.use_tempaddr = 0
net.ipv6.conf.lo.use_tempaddr = -1
net.ipv6.conf.eth0.use_tempaddr = 0

use_tempaddr for eth0 is 0 and my IPv6 address contains my MAC address.

Expected Results:
net.ipv6.conf.eth0.use_tempaddr should be 1 and my IPv6 address should not contain my MAC address.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
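A way to verify the reporter's observation that "my IPv6 address contains my MAC address", added here as an example; it is not part of the bug report and not code from any openSUSE package. Without privacy extensions, stateless autoconfiguration builds the interface identifier from the MAC as a modified EUI-64 (RFC 4291, appendix A): the universal/local bit of the first octet is flipped and ff:fe is spliced into the middle. The script derives that identifier from a MAC, checks whether a given address carries it, and can run the same check over every global address of a live interface (this part assumes Linux with iproute2 and /sys/class/net/<dev>/address). The MAC and addresses used in the test are constructed. One caveat the thread never spells out: use_tempaddr=1 adds temporary addresses next to the EUI-64 one, which stays configured, and only use_tempaddr=2 makes the temporary address the preferred source address; so a MAC-derived address in "ip -6 addr" does not by itself prove the setting is ineffective, while net.ipv6.conf.eth0.use_tempaddr reading 0, as in the report, does.

```bash
#!/bin/bash
# Added example, not code from the bug report or from openSUSE: does an IPv6
# address embed the interface's MAC address?  Stateless autoconfiguration
# without use_tempaddr builds the interface identifier from the MAC as a
# modified EUI-64 (RFC 4291, appendix A): flip the universal/local bit of
# the first octet and splice ff:fe into the middle.  The live check assumes
# Linux with iproute2 ("ip") and /sys/class/net/<dev>/address.

# mac_to_eui64_iid MAC: print the 64-bit identifier as four hex groups.
#   00:11:22:33:44:55 -> 0211:22ff:fe33:4455
mac_to_eui64_iid() {
    local mac o1 o2 o3 o4 o5 o6
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    IFS=: read -r o1 o2 o3 o4 o5 o6 <<<"$mac"
    printf '%02x%s:%sff:fe%s:%s%s\n' $(( 0x$o1 ^ 0x02 )) "$o2" "$o3" "$o4" "$o5" "$o6"
}

# expand_ipv6 ADDR[/plen][%zone]: print the address as eight zero-padded
# groups, so that the last four groups are exactly the interface identifier.
expand_ipv6() {
    local addr=$1 head tail g out= zeros
    local -a hs ts groups
    addr=${addr%%/*}      # drop prefix length
    addr=${addr%%\%*}     # drop zone id (fe80::1%eth0)
    if [[ $addr == *::* ]]; then
        head=${addr%%::*}
        tail=${addr#*::}
    else
        head=$addr
        tail=
    fi
    IFS=: read -r -a hs <<<"$head"
    IFS=: read -r -a ts <<<"$tail"
    zeros=$(( 8 - ${#hs[@]} - ${#ts[@]} ))   # groups elided by "::"
    groups=("${hs[@]}")
    while (( zeros-- > 0 )); do groups+=(0); done
    groups+=("${ts[@]}")
    for g in "${groups[@]}"; do
        out+=$(printf '%04x' "0x$g"):
    done
    printf '%s\n' "${out%:}"
}

# addr_embeds_mac ADDR MAC: exit 0 when ADDR's interface identifier is the
# EUI-64 identifier derived from MAC, 1 otherwise.
addr_embeds_mac() {
    local full iid
    full=$(expand_ipv6 "$1") || return 2
    iid=$(mac_to_eui64_iid "$2") || return 2
    [[ ${full#*:*:*:*:} == "$iid" ]]
}

# check_iface DEV: list every global IPv6 address on DEV that embeds its MAC.
# Exit 0 if at least one does, 1 if none does.
check_iface() {
    local dev=$1 mac addr rc=1
    mac=$(cat "/sys/class/net/$dev/address") || return 2
    while read -r addr; do
        if addr_embeds_mac "$addr" "$mac"; then
            printf '%s: %s embeds MAC %s (EUI-64 identifier)\n' "$dev" "$addr" "$mac"
            rc=0
        fi
    done < <(ip -6 -o addr show dev "$dev" scope global | awk '{ print $4 }')
    return $rc
}

# Usage: ./eui64-check.sh eth0
if [ $# -gt 0 ]; then
    check_iface "$1"
fi
```

Run it against the interface in question; an address flagged here while net.ipv6.conf.eth0.use_tempaddr is 0 is exactly the reported failure, whereas a flagged address next to a second, non-flagged global address with use_tempaddr at 1 or 2 is the normal state of privacy extensions.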
Leon Wang

--- Comment #1 from Georg Müller
http://bugzilla.novell.com/show_bug.cgi?id=494958#c1

Jeff Mahoney

--- Comment #2 from Jiri Bohac
http://bugzilla.novell.com/show_bug.cgi?id=494958#c2

--- Comment #3 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=494958#c3
> Hmm, my long time plan: push a change to the upstream kernel that makes the /proc/sys/net/ipv[46]/conf/all/* work. This is going to take time and I don't think it is a good idea to diverge from upstream here. The change may never get there, people have different ideas about how this should work :(
>
> Until then, this should be fixed in the sysconfig package. I checked the kernel code and:
>
> - setting /proc/sys/net/ipv6/conf/all/use_tempaddr cannot have any effect at all.

OK... this is a bad thing.

> - /proc/sys/net/ipv6/conf/default/use_tempaddr will set the default for newly registered interfaces. If this is set in the initscripts, it might already be too late, as some network drivers are compiled-in into the kernel, may be loaded from initrd, etc. I think this is unusable.

Yes, at least physical interfaces are already there...

> The only way to fix this is to read the settings of IPV6_PRIVACY somewhere near ifup (don't know what to do for networkmanager?) and set /proc/sys/net/ipv6/conf/ /use_tempaddr accordingly. Marius, could this be done?

rpm -qf /etc/init.d/boot.ipconfig => aaa_base

Added maintainer to Cc and also Kay.

Hmm... This can be set per interface also via PRE_UP_SCRIPT -- see "man 8 ifup". For virtual interfaces it has to go to sysctl.conf or sysconfig/sysctl as it is using the ..../default/use_tempaddr variable I think. Or does it work properly when the interface is already up?

It would be possible to add a per interface IPV6_PRIVACY variable to ifcfg files and apply before "ip link set up" call... But I'd prefer to use similar names as in proc/sysctl, that is e.g.:

SYSCTL_NET_IPV6_CONF_USE_TEMPADDR
SYSCTL_NET_IPV6_CONF_AUTOCONF

or I think better via per interface ifsysctl.$INTERFACE files with content like:

net.ipv6.conf.$IF.autoconf = 0
net.ipv6.conf.$IF.use_tempaddr = 1

IF is the interface name as required in sysctl: ${INTERFACE/\./\/} that can be used instead of the real interface name.

In any case, this is not easy or impossible to make for all the virtual interfaces when it is too late when we do it after the ip link set up. Just think of ppp interface, that is created by pppd, not by ifup. But this would be a feature request for 11.3 to make this -- a workaround via a PRE_UP_SCRIPT exists.
--- Comment #4 from Jiri Bohac
http://bugzilla.novell.com/show_bug.cgi?id=494958#c4
> Hmm... This can be set per interface also via PRE_UP_SCRIPT -- see "man 8 ifup".
> For virtual interfaces it has to go to sysctl.conf or sysconfig/sysctl as it is using the ..../default/use_tempaddr variable I think. Or does it work properly when the interface is already up?

net.ipv6.conf.default.use_tempaddr needs to be set before the device is created to have any effect. net.ipv6.conf.IF.use_tempaddr should be set after the device is created and before the device is brought up.

This is a really good idea ... perhaps all the SYSCTL* options could somehow be set without having a list of them in the scripts, so when a new sysctl option is added in the kernel, we won't have to modify the scripts?

> or I think better via per interface ifsysctl.$INTERFACE files with content like:
>
> net.ipv6.conf.$IF.autoconf = 0
> net.ipv6.conf.$IF.use_tempaddr = 1

This is a really good idea! Perhaps there is a way to have this in the ifcfg- file itself (to keep all the interface settings together) but at the same time not requiring the scripts to individually handle the options?

> In any case, this is not easy or impossible to make for all the virtual interfaces when it is too late when we do it after the ip link set up.

Couldn't this be handled by udev by calling a script when the interface is registered? It might be hard or impossible to make sure the script finishes before something else brings the device up, though. Kay?

One way around this (for this case) could be to disable the IPv6 autoconfiguration completely in the ..../default/... sysctl and only enable it from the udev-called script after setting use_tempaddr.

> But this would be a feature request for 11.3 to make this -- a workaround via a PRE_UP_SCRIPT exists.

Right. Still, this does not solve the problem of virtual devices. That would be at least partially fixed by making boot.ipconfig set /proc/sys/net/ipv6/conf/default/use_tempaddr instead of .../all/...
--- Comment #5 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=494958#c5
(In reply to comment #3)
> > or I think better via per interface ifsysctl.$INTERFACE files with content like:
> >
> > net.ipv6.conf.$IF.autoconf = 0
> > net.ipv6.conf.$IF.use_tempaddr = 1
>
> This is a really good idea! Perhaps there is a way to have this in the ifcfg- file itself (to keep all the interface settings together) but at the same time not requiring the scripts to individually handle the options?
>
> > In any case, this is not easy or impossible to make for all the virtual interfaces when it is too late when we do it after the ip link set up.
>
> Couldn't this be handled by udev by calling a script when the interface is registered? It might be hard or impossible to make sure the script finishes before something else brings the device up, though. Kay?

Yes, udev seems to be the best place to execute it. I'll implement a script and call it from /etc/udev/rules.d/77-network.rules. It will use /etc/sysconfig/network/ifsysctl-$INTERFACE to set all what's needed when NETWORKMANAGER="no".

==>> Tambet, should I call it also in NETWORKMANAGER="yes" case?

The file _inside_ of the file is allowed to use $SYSCTL_IF and the $INTERFACE variables. The SYSCTL_IF variable will be set to ${INTERFACE//./\/} by the script. Example:

net.ipv6.conf.$SYSCTL_IF.use_tempaddr

Note: sysctl supports two separators "." (default) and "/". When "." is used, every "." in the interface name has to be replaced by "/", e.g. INTERFACE=foo1.42 => SYSCTL_IF=foo1/42

When "/" is used as separator, $INTERFACE can be passed directly, e.g.

net/ipv6/conf/$INTERFACE/use_tempaddr

> Right. Still, this does not solve the problem of virtual devices. That would be at least partially fixed by making boot.ipconfig set /proc/sys/net/ipv6/conf/default/use_tempaddr instead of .../all/...

yes... it is not only about use_tempaddr -- it is useful/required also for e.g. bridge port setup to tweak these settings.
--- Comment #8 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=494958#c8

--- Comment #9 from Tambet Ingo
http://bugzilla.novell.com/show_bug.cgi?id=494958#c9

Dirk Mueller
http://bugzilla.novell.com/show_bug.cgi?id=494958#c

--- Comment #11 from Georg Müller
http://bugzilla.novell.com/show_bug.cgi?id=494958#c11

--- Comment #12 from Georg Müller
http://bugzilla.novell.com/show_bug.cgi?id=494958#c12

--- Comment #13 from Jiri Bohac
http://bugzilla.novell.com/show_bug.cgi?id=494958#c13
> I first extract all "all" lines, replace all with $INTERFACE and send them to sysctl. Then I grep for lines with $INTERFACE.

I thought the per-interface sysctl settings performed by the patch from Marius was a great idea. Perhaps, we could also have a global file /etc/sysconfig/network/ifsysctl-all with settings for all interfaces. These could be applied first, followed by the settings from the per-interface file. But taking the "all" settings from /etc/sysctl.conf is a hack, which is likely to bite us one day.

Comment #8: The scripts seem to work fine for interfaces brought up with ifup. But will they work correctly if something (pppd has been mentioned here earlier, networkmanager might have the same problem):

1) creates a virtual device
2) brings the device "up" immediately

If I understand it correctly, 1) triggers the udev event asynchronously (?), so 2) may complete before udev runs. In case of config options like use_tempaddr, which need to be set before the interface is brought up, this might not work reliably.

Any thoughts how to improve this? Is there a way to at least make the udev script run before NetworkManager discovers a newly plugged-in interface? That would probably fix the problem for NetworkManager.
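The scheme discussed in comments #5 and #13, written out as an added example; this is neither Marius's attached script nor the ifsysctl implementation that ended up in sysconfig. It rewrites net.ipv[46].conf.all.* lines from a global sysctl.conf for one interface, with the pattern anchored at the key prefix so that only the "all" naming the conf entry is replaced (a line such as kernel.shmall is never touched, which is the pitfall of a bare s/all/eth0/), then expands $INTERFACE and $SYSCTL_IF in a per-interface file using the dot-to-slash conversion from comment #5, and prints the result in the form sysctl -p accepts. The sample sysctl.conf and ifsysctl contents are constructed; the paths /etc/sysctl.conf and /etc/sysconfig/network/ifsysctl-$INTERFACE are the ones named in the thread. Loading the result for real needs root and, as comment #4 points out for use_tempaddr, has to happen after the device exists and before it is brought up.

```bash
#!/bin/bash
# Added example, not the sysconfig package's script: expand sysctl settings
# for one network interface.
#   1. "all" lines from a global sysctl.conf are rewritten for the interface
#      (comment #13 describes this; only the key prefix is touched).
#   2. a per-interface ifsysctl file is expanded, with $INTERFACE and
#      $SYSCTL_IF substituted (file format as in comment #5).
# The generated lines can be fed to "sysctl -e -p FILE"; that part needs root.

# sysctl_if NAME: interface name usable in a dotted sysctl key.  sysctl(8)
# treats "." as separator, so a dot in a VLAN name must become "/":
#   eth0.42 -> eth0/42
sysctl_if() {
    printf '%s\n' "${1//./\/}"
}

# rewrite_all_lines DEV: read sysctl.conf lines on stdin, print the
# net.ipv[46].conf.all.* ones with "all" replaced by DEV.  Dotted keys get
# the "/"-converted name, slash-separated keys the raw name.  The pattern is
# anchored at the key prefix, so kernel.shmall or any key that merely
# contains "all" elsewhere is never rewritten.
rewrite_all_lines() {
    local dev=$1 sif
    sif=$(sysctl_if "$dev")
    sed -n -E \
        -e 's#^[[:space:]]*net\.(ipv[46])\.conf\.all\.#net.\1.conf.'"$sif"'.#p' \
        -e 's#^[[:space:]]*net/(ipv[46])/conf/all/#net/\1/conf/'"$dev"'/#p'
}

# expand_ifsysctl DEV: read a per-interface file on stdin, drop comments and
# blank lines, substitute $SYSCTL_IF / ${SYSCTL_IF} and $INTERFACE /
# ${INTERFACE}.  Plain string substitution, no eval: file contents cannot
# run commands.
expand_ifsysctl() {
    local dev=$1 sif line
    sif=$(sysctl_if "$dev")
    while IFS= read -r line || [[ -n $line ]]; do
        line=${line%%#*}
        [[ $line =~ ^[[:space:]]*$ ]] && continue
        line=${line//\$\{SYSCTL_IF\}/$sif}
        line=${line//\$SYSCTL_IF/$sif}
        line=${line//\$\{INTERFACE\}/$dev}
        line=${line//\$INTERFACE/$dev}
        printf '%s\n' "$line"
    done
}

# generate_for DEV GLOBAL_CONF IFSYSCTL_FILE: global "all" settings first,
# then the per-interface ones, so the latter win when sysctl applies them.
generate_for() {
    local dev=$1 global=$2 perif=$3
    [ -r "$global" ] && rewrite_all_lines "$dev" <"$global"
    [ -r "$perif" ] && expand_ifsysctl "$dev" <"$perif"
    return 0
}

# Constructed sample inputs so the example runs without touching the system.
SAMPLE_SYSCTL_CONF='net.ipv6.conf.all.use_tempaddr = 1
net.ipv6.conf.all.forwarding = 0
net/ipv4/conf/all/rp_filter = 1
kernel.shmall = 2097152
kernel.sysrq = 0'

SAMPLE_IFSYSCTL='# settings for $INTERFACE (comment lines are dropped)
net.ipv6.conf.$SYSCTL_IF.use_tempaddr = 2
net/ipv6/conf/$INTERFACE/autoconf = 1'

# demo: the lines that would be generated for the VLAN interface eth0.42.
demo() {
    generate_for eth0.42 \
        <(printf '%s\n' "$SAMPLE_SYSCTL_CONF") \
        <(printf '%s\n' "$SAMPLE_IFSYSCTL")
}

# apply_ifsysctl DEV: generate and load for real (needs root; call it after
# the device exists and before "ip link set DEV up").  -e makes sysctl skip
# keys the running kernel does not know instead of aborting.
apply_ifsysctl() {
    local dev=$1 tmp
    tmp=$(mktemp) || return 1
    generate_for "$dev" /etc/sysctl.conf "/etc/sysconfig/network/ifsysctl-$dev" >"$tmp"
    sysctl -e -p "$tmp"
    rm -f "$tmp"
}

if [ $# -gt 0 ]; then
    apply_ifsysctl "$1"
else
    demo
fi
```

Without arguments the script only prints what it would load for eth0.42; with an interface name it loads the real files. Keeping the "all" rewrite in a separate function makes it easy to drop later, which is what comment #13 recommends, without touching the per-interface expansion.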
--- Comment #14 from Chris Hills
http://bugzilla.novell.com/show_bug.cgi?id=494958#c14

--- Comment #15 from Georg Müller
http://bugzilla.novell.com/show_bug.cgi?id=494958#c15

--- Comment #16 from Jiri Bohac
http://bugzilla.novell.com/show_bug.cgi?id=494958#c16
> I agree that per-interface configuration is preferable, but is this not a kernel bug? The interface should not have to be turned down and up to change privacy settings.

I agree that in case of use_tempaddr, the kernel could behave better and configure the private address even if the option is turned on after the interface got its address. But there are options where setting them prior to bringing the interface up may be very important, e.g. disable_ipv6. The user will rightfully expect that if this option is set, the interface will not start sending out router solicitations when brought up. Yet, if we call the sysctl after bringing the interface up a few solicitations will have been sent out before IPv6 is disabled on the interface. So this possible race condition should be taken into account when designing how this will work.
--- Comment #17 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=494958#c17

--- Comment #18 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=494958#c18
> None of our released distributions contain NetworkManager which supports IPv6, so it probably doesn't matter much either way from my perspective. Let's leave the script from comment #8 as it is and I'll let you know if I need it changed sometime later.

Tambet, can we make it optional using a special variable controlling it? See comment 11.

(In reply to comment #13)
> If I understand it correctly, 1) triggers the udev event asynchronously (?), so 2) may complete before udev runs. In case of config options like use_tempaddr, which need to be set before the interface is brought up, this might not work reliably.
>
> Any thoughts how to improve this?

asynchronously to "brctl addbr && ip link set up" calls, yes. But the udev rules are executed one after another. We can call udevadm settle after e.g. "brctl addbr" -- it is a good idea anyway. Further, with newer udev, it is possible to set a "done" flag in the udevdb and wait for it to appear. This means we have to put settle between:

"brctl addbr ; settle ; ip link set up"

Physical interfaces usually appear before NetworkManager gets started anyway. When NetworkManager gets the interface faster than the udev rule, something is wrong anyway. The interface can get renamed by udev rules...
--- Comment #19 from Georg Müller
http://bugzilla.novell.com/show_bug.cgi?id=494958#c19

--- Comment #20 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=494958#c20
> My script was just a quick shot to show what I mean. The second sed was a copy/paste error (it was late ;) ).
>
> The sed would not replace all "all" substrings (sed s/all/eth0/g would do that), and since I grep for a string from the beginning (^) I only replace the 'all' at the beginning.

Yes, it was late yesterday too. Note: I don't force you to use $INTERFACE -- you can use the interface name directly. See also the script attached in comment 17 and in this one -- there is an interface independent ifsysctl file now and the global /etc/sysctl.conf can be applied as well.

> Regarding ifup and NetworkManager: If I add an interface via vconfig, it uses the value of "net.ipv6.conf.default.use_tempaddr" - so it works here.

Well, any new interface makes use of the default -- when the default is already applied. This is the case, because boot.sysctl script runs before network where any virtual interfaces are created. This is not the case for physical interfaces that are created earlier and why we need a fix. But this special problem can be solved using a PRE_UP_SCRIPT as well - at least for the ifup / NM=no case (I'm bad and don't care about NM in worst case ;-).

The point is different: sysconfig needs per-interface settings and has to provide this (complete, not only a fix for this bug) functionality anyway, e.g. to disable ipv6 or autoconfig only on a particular interface (e.g. on a bridge port) or set another settings required in some setups. It makes sense to combine a bug fix for this issue and this requirement. I can provide this script as new feature for 11.3 only and ignore this bug, but because it is very useful and avoids the need of user hacks also on 11.x, we can _try_ to provide it earlier as update - it may still get rejected by the maintenance team.

> The execution of the script is not really related to if-up, but to udev, or am I wrong?

Well... udev yes and no, because it is net subsystem (=ifup/NM) related.
--- Comment #21 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=494958#c21

--- Comment #22 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=494958#c22

--- Comment #23 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=494958#c23

--- Comment #24 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=494958#c24

--- Comment #25 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=494958#c25

--- Comment #26 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=494958#c26
> SYSCTL_NETWORKMANAGER=no by default or can we set it to yes?

Will be "no" by default as Tambet decided in comment 9. To enable it with NetworkManager as well, the variable IFSYSCTL_NETWORKMANAGER (added IF in the front to match the ifsysctl config names) has to be changed to "yes".
--- Comment #30 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=494958#c30

--- Comment #32 from Bernhard Wiedemann
http://bugzilla.novell.com/show_bug.cgi?id=494958#c32