* [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking
From: Alexandre Derumier @ 2022-10-19 22:24 UTC
To: pve-devel

It's possible to have a
/proc/sys/net/ipv6/ directory

but no
/proc/sys/net/ipv6/conf/$iface/disable_ipv6

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
--- src/PVE/Network.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm index c468e40..9d726cd 100644 --- a/src/PVE/Network.pm +++ b/src/PVE/Network.pm @@ -210,8 +210,8 @@ my $cond_create_bridge = sub { sub disable_ipv6 { my ($iface) = @_; - return if !-d '/proc/sys/net/ipv6'; # ipv6 might be completely disabled my $file = "/proc/sys/net/ipv6/conf/$iface/disable_ipv6"; + return if !-e $file; # ipv6 might be completely disabled open(my $fh, '>', $file) or die "failed to open $file for writing: $!\n"; print {$fh} "1\n" or die "failed to disable link-local ipv6 for $iface\n"; close($fh); -- 2.30.2
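
Review bot: the added `return if !-e $file;` in `disable_ipv6` also returns silently when `/proc/sys/net/ipv6` exists but the per-interface `disable_ipv6` entry does not, so the caller cannot tell that link-local IPv6 was left untouched on `$iface`. Consider emitting a warning in that specific case (directory present, `$file` missing) so the skipped step is visible in the logs, and keep the silent return only for hosts where IPv6 is disabled entirely.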

* Re: [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking
From: Wolfgang Bumiller @ 2022-10-20 10:05 UTC
To: Alexandre Derumier; +Cc: pve-devel

On Thu, Oct 20, 2022 at 12:24:29AM +0200, Alexandre Derumier wrote:
> It's possible to have a
> /proc/sys/net/ipv6/ directory
>
> but no
> /proc/sys/net/ipv6/conf/$iface/disable_ipv6

Do we know why this happens? That doesn't seem right to me, unless some kind of race somewhere with the interface creation? Or is there a legitimate kernel option that causes this?

>
> Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
> --- > src/PVE/Network.pm | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm > index c468e40..9d726cd 100644 > --- a/src/PVE/Network.pm > +++ b/src/PVE/Network.pm > @@ -210,8 +210,8 @@ my $cond_create_bridge = sub { > > sub disable_ipv6 { > my ($iface) = @_; > - return if !-d '/proc/sys/net/ipv6'; # ipv6 might be completely disabled > my $file = "/proc/sys/net/ipv6/conf/$iface/disable_ipv6"; > + return if !-e $file; # ipv6 might be completely disabled > open(my $fh, '>', $file) or die "failed to open $file for writing: $!\n"; > print {$fh} "1\n" or die "failed to disable link-local ipv6 for $iface\n"; > close($fh); > -- > 2.30.2
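
Review bot: in `disable_ipv6`, the `-e $file` test and the `open(my $fh, '>', $file)` that follows are two separate steps, so if the entry disappears between them (the interface-creation race asked about above) the function still dies with "failed to open". Consider dropping the pre-check and handling the missing file at the `open` itself, for example `return if $!{ENOENT};` ahead of the `die`, which covers both the absent entry and the race in one place.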

* Re: [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking
From: DERUMIER, Alexandre @ 2022-10-20 16:18 UTC
To: Wolfgang Bumiller, Alexandre Derumier; +Cc: pve-devel

I'm really unable to reproduce this.

The user is able to reproduce it 100%, depending on the bridge where the VM is started (some bridge generated with sdn, for example).

I haven't asked the user to reboot.

ifupdown2 seems to throw a warning too, so I don't know if it's a special sysctl triggering this, or a kernel bug, or something else.

________________________________
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Sent: Thursday, October 20, 2022 12:05 PM
To: Alexandre Derumier <aderumier@odiso.com>
Cc: pve-devel@lists.proxmox.com <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking

On Thu, Oct 20, 2022 at 12:24:29AM +0200, Alexandre Derumier wrote:
> It's possible to have a
> /proc/sys/net/ipv6/ directory
>
> but no
> /proc/sys/net/ipv6/conf/$iface/disable_ipv6

Do we know why this happens? That doesn't seem right to me, unless some kind of race somewhere with the interface creation? Or is there a legitimate kernel option that causes this?

> > Signed-off-by: Alexandre Derumier <aderumier@odiso.com> > --- > src/PVE/Network.pm | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm > index c468e40..9d726cd 100644 > --- a/src/PVE/Network.pm > +++ b/src/PVE/Network.pm 
> @@ -210,8 +210,8 @@ my $cond_create_bridge = sub { > > sub disable_ipv6 { > my ($iface) = @_; > - return if !-d '/proc/sys/net/ipv6'; # ipv6 might be completely disabled > my $file = "/proc/sys/net/ipv6/conf/$iface/disable_ipv6"; > + return if !-e $file; # ipv6 might be completely disabled > open(my $fh, '>', $file) or die "failed to open $file for writing: $!\n"; > print {$fh} "1\n" or die "failed to disable link-local ipv6 for $iface\n"; > close($fh); > -- > 2.30.2
[parent not found: <mailman.64.1666287516.489.pve-devel@lists.proxmox.com>]

* Re: [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking
From: DERUMIER, Alexandre @ 2022-10-21 4:55 UTC
To: pve-devel, mark

Hi,

This is to avoid having an IPv6 local-link IP address on every generated tap interface (and fwbr bridges too).
(and having bad packets sent to the network)

This, of course, doesn't disable IPv6 support inside the VM/CT.

On Thursday, 20 October 2022 at 17:07 +0000, Mark Schouten via pve-devel wrote:
> Hi,
>
> Sorry. But I always get extremely triggered by functions called
> ‘disable_ipv6()’.
>
> Can someone hit me with a cluebat as to why that function even
> exists?
> (Since we deploy Proxmox without IPv4, so anywhere where ipv6 is
> actively disabled, will break stuff for us).
>
> —

* Re: [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking
From: Wolfgang Bumiller @ 2022-10-21 8:16 UTC
To: DERUMIER, Alexandre; +Cc: pve-devel, mark

On Fri, Oct 21, 2022 at 04:55:08AM +0000, DERUMIER, Alexandre wrote:
> Hi,
>
> This is to avoid having an IPv6 local-link IP address on every generated
> tap interface (and fwbr bridges too).
> (and having bad packets sent to the network)

To be more precise: it's a security measure. You don't want the host to get IPv6-link-local addresses on every tap, veth, fw-link, fw-bridge device we create, as each of those would potentially allow VMs to send packets addressed to that device, which is very unexpected :-)

>
>
> This, of course, doesn't disable IPv6 support inside the VM/CT.
>
>
>
> On Thursday, 20 October 2022 at 17:07 +0000, Mark Schouten via pve-devel
> wrote:
> > Hi,
> >
> > Sorry. But I always get extremely triggered by functions called
> > ‘disable_ipv6()’.
> >
> > Can someone hit me with a cluebat as to why that function even
> > exists?
> > (Since we deploy Proxmox without IPv4, so anywhere where ipv6 is
> > actively disabled, will break stuff for us).

You obviously don't use...
...umm
...any software out there that does networking :-D
Well, maybe Ceph Hammer, that one worked, but IPv6-only got increasingly unbearable afterwards until I gave up.

* [pve-devel] applied: [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking
From: Wolfgang Bumiller @ 2023-01-16 9:45 UTC
To: Alexandre Derumier; +Cc: pve-devel, R. Grieger

Sorry for the delay, the change definitely doesn't hurt, I was just wondering how it would happen. It's now applied, thanks!

On Thu, Oct 20, 2022 at 12:24:29AM +0200, Alexandre Derumier wrote:
> It's possible to have a
> /proc/sys/net/ipv6/ directory
>
> but no
> /proc/sys/net/ipv6/conf/$iface/disable_ipv6
>
> Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
> --- > src/PVE/Network.pm | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm > index c468e40..9d726cd 100644 > --- a/src/PVE/Network.pm > +++ b/src/PVE/Network.pm > @@ -210,8 +210,8 @@ my $cond_create_bridge = sub { > > sub disable_ipv6 { > my ($iface) = @_; > - return if !-d '/proc/sys/net/ipv6'; # ipv6 might be completely disabled > my $file = "/proc/sys/net/ipv6/conf/$iface/disable_ipv6"; > + return if !-e $file; # ipv6 might be completely disabled > open(my $fh, '>', $file) or die "failed to open $file for writing: $!\n"; > print {$fh} "1\n" or die "failed to disable link-local ipv6 for $iface\n"; > close($fh); > -- > 2.30.2
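
Review bot: the trailing comment on the added line, `# ipv6 might be completely disabled`, was carried over from the removed `-d '/proc/sys/net/ipv6'` check and no longer describes what `-e $file` tests. Suggest rewording it to say that the per-interface entry may be missing even when `/proc/sys/net/ipv6` exists, which is the case the commit message describes.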