
Re: Disabling IPv6 by default when creating a new namespace in Linux



I looked into the code to figure out where the IPv6 configuration is copied from for a new namespace.

I came across this function addrconf_init_net. I assume this is the function that is invoked when a new namespace is created.

Inside this function, I came across this code,

	if (IS_ENABLED(CONFIG_SYSCTL) &&
	    !net_eq(net, &init_net)) {
		switch (sysctl_devconf_inherit_init_net) {
		case 1:  /* copy from init_net */
			memcpy(all, init_net.ipv6.devconf_all,
			       sizeof(ipv6_devconf));
			memcpy(dflt, init_net.ipv6.devconf_dflt,
			       sizeof(ipv6_devconf_dflt));
			break;
		case 3: /* copy from the current netns */
			memcpy(all, current->nsproxy->net_ns->ipv6.devconf_all,
			       sizeof(ipv6_devconf));
			memcpy(dflt,
			       current->nsproxy->net_ns->ipv6.devconf_dflt,
			       sizeof(ipv6_devconf_dflt));
			break;
		case 0:
		case 2:
			/* use compiled values */
			break;
		}
	}

If I set the value of net.core.devconf_inherit_init_net to 1, when a new namespace is created the values in init_net (which again I assume is the init process's namespace value, i.e. the global/default namespace)
will be copied into the new namespace. A few lines later, the following code is present.

dflt->disable_ipv6 = ipv6_defaults.disable_ipv6; <<<<< This ipv6_defaults.disable_ipv6 comes from the GRUB command line value of disable_ipv6.
Hence if I enable IPv6 before creating a new namespace, the new namespace will still have IPv6 disabled, because of the above single line of code. Is this correct?


net.ipv6.conf.all.disable_ipv6 is used to change the IPv6 state for all the currently available interfaces.
net.ipv6.conf.default.disable_ipv6 has the default value from ipv6_defaults.disable_ipv6 i.e. the grub one. If I change this sysctl, what impact does it have?

Dheeraj

On Tue, Jun 7, 2022 at 4:25 PM Dheeraj Kandula <dkandula@gmail.com> wrote:
Thanks a lot Bjorn for pointing this out. I now have IPv6 disabled by default in newly created namespaces too.

However, when I enable IPv6 globally it is not enabled inside the already created namespaces. Maybe it has to be done explicitly. I will see if this behavior is acceptable.

Thanks a lot Bjorn. I really appreciate your time and patience.

Thanks, Marc too for taking the time to respond to my emails.

Dheeraj

On Tue, Jun 7, 2022 at 4:05 PM Bjørn Mork <bjorn@mork.no> wrote:
Dheeraj Kandula <dkandula@gmail.com> writes:

> Thanks Bjørn for the reply. But with the grub command line, the IPv6 option is
> not available, i.e. net.ipv6.conf.all.disable_ipv6, i.e. net.ipv6 itself is
> not available.
>
> $ sudo sysctl net.ipv6
> sysctl: cannot stat /proc/sys/net/ipv6: No such file or directory

Huh?  Did you set ipv6.disable instead of ipv6.disable_ipv6?  Those are
very different, as documented in the module:


bjorn@miraculix:~$ modinfo ipv6
name:           ipv6
filename:       (builtin)
alias:          net-pf-10
license:        GPL
file:           net/ipv6/ipv6
description:    IPv6 protocol stack for Linux
author:         Cast of dozens
parm:           disable:Disable IPv6 module such that it is non-functional (int)
parm:           disable_ipv6:Disable IPv6 on all interfaces (int)
parm:           autoconf:Enable IPv6 address autoconfiguration on all interfaces (int)




Bjørn
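As an added illustration (not code from the thread or from the kernel), the inheritance logic Dheeraj quotes from addrconf_init_net reduced to a small C model of the disable_ipv6 field: the devconf_inherit_init_net switch, followed by the unconditional dflt->disable_ipv6 = ipv6_defaults.disable_ipv6 assignment. Struct and function names are ours, the compiled-in value of 0 is assumed, and the scenario values are constructed; running it shows that net.ipv6.conf.default.disable_ipv6 in a new netns always follows the boot parameter while net.ipv6.conf.all.disable_ipv6 follows the inherit mode.

```c
/* Model (not kernel code) of the logic quoted from addrconf_init_net: the
 * devconf_inherit_init_net switch, then dflt->disable_ipv6 = ipv6_defaults.disable_ipv6.
 * Only the disable_ipv6 field is tracked; names are ours, scenario values constructed. */
#include <stdio.h>

struct devconf { int disable_ipv6; };

struct creation_ctx {             /* what the new netns can see at creation */
    int inherit_mode;             /* net.core.devconf_inherit_init_net, 0..3 */
    struct devconf init_all, init_dflt;   /* init_net.ipv6.devconf_{all,dflt} */
    struct devconf cur_all, cur_dflt;     /* current->nsproxy->net_ns->ipv6.devconf_{all,dflt} */
    int boot_disable_ipv6;        /* ipv6_defaults.disable_ipv6 (ipv6.disable_ipv6= on cmdline) */
};

static const struct devconf compiled = { 0 };  /* assumed ipv6_devconf{,_dflt} value */

static void new_netns_devconf(const struct creation_ctx *c,
                              struct devconf *all, struct devconf *dflt)
{
    *all = compiled;
    *dflt = compiled;
    switch (c->inherit_mode) {
    case 1: *all = c->init_all; *dflt = c->init_dflt; break;  /* copy from init_net */
    case 3: *all = c->cur_all;  *dflt = c->cur_dflt;  break;  /* copy from current netns */
    default: break;                                           /* 0 and 2: compiled values */
    }
    /* The line Dheeraj found: it runs after the switch, so "default" always follows
     * the boot parameter, while "all" keeps whatever the switch produced. */
    dflt->disable_ipv6 = c->boot_disable_ipv6;
}

/* Constructed scenario: booted with ipv6.disable_ipv6=1; the admin then ran
 * `sysctl -w net.ipv6.conf.all.disable_ipv6=0` in the host netns; the creating
 * process sits in an older netns made while IPv6 was still disabled there.
 * Returns the new netns's all.disable_ipv6 (want_dflt == 0) or default.disable_ipv6. */
int new_disable_ipv6(int mode, int want_dflt)
{
    struct creation_ctx c = { mode, {0}, {1}, {1}, {1}, 1 };
    struct devconf all, dflt;
    new_netns_devconf(&c, &all, &dflt);
    return want_dflt ? dflt.disable_ipv6 : all.disable_ipv6;
}

int main(void)
{
    printf("mode  all.disable_ipv6  default.disable_ipv6\n");
    for (int mode = 0; mode <= 3; mode++)
        printf("%4d  %16d  %20d\n", mode,
               new_disable_ipv6(mode, 0), new_disable_ipv6(mode, 1));
    return 0;
}
```

To compare the model against a real host, create a namespace with `ip netns add test` and read `ip netns exec test sysctl net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6` under each net.core.devconf_inherit_init_net value.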
