* [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking
@ 2022-10-19 22:24 Alexandre Derumier
2022-10-20 10:05 ` Wolfgang Bumiller
2023-01-16 9:45 ` [pve-devel] applied: " Wolfgang Bumiller
0 siblings, 2 replies; 6+ messages in thread
From: Alexandre Derumier @ 2022-10-19 22:24 UTC
To: pve-devel
It's possible to have a
/proc/sys/net/ipv6/ directory
but no
/proc/sys/net/ipv6/conf/$iface/disable_ipv6
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
src/PVE/Network.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
index c468e40..9d726cd 100644
--- a/src/PVE/Network.pm
+++ b/src/PVE/Network.pm
@@ -210,8 +210,8 @@ my $cond_create_bridge = sub {
sub disable_ipv6 {
my ($iface) = @_;
- return if !-d '/proc/sys/net/ipv6'; # ipv6 might be completely disabled
my $file = "/proc/sys/net/ipv6/conf/$iface/disable_ipv6";
+ return if !-e $file; # ipv6 might be completely disabled
open(my $fh, '>', $file) or die "failed to open $file for writing: $!\n";
print {$fh} "1\n" or die "failed to disable link-local ipv6 for $iface\n";
close($fh);
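Review bot: the comment on the new `return if !-e $file;` line still reads `# ipv6 might be completely disabled`, but the test now also covers the case from the commit message, where `/proc/sys/net/ipv6` exists and the per-interface `conf/$iface/disable_ipv6` entry does not. Reword it, for example `# ipv6 disabled, or no per-interface entry`, so a later reader does not assume the early return only fires on hosts without IPv6.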
--
2.30.2
* Re: [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking
2022-10-19 22:24 [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking Alexandre Derumier
@ 2022-10-20 10:05 ` Wolfgang Bumiller
2022-10-20 16:18 ` DERUMIER, Alexandre
2023-01-16 9:45 ` [pve-devel] applied: " Wolfgang Bumiller
1 sibling, 1 reply; 6+ messages in thread
From: Wolfgang Bumiller @ 2022-10-20 10:05 UTC
To: Alexandre Derumier; +Cc: pve-devel
On Thu, Oct 20, 2022 at 12:24:29AM +0200, Alexandre Derumier wrote:
> It's possible to have a
> /proc/sys/net/ipv6/ directory
>
> but no
> /proc/sys/net/ipv6/conf/$iface/disable_ipv6
Do we know why this happens? That doesn't seem right to me, unless
some kind of race somewhere with the interface creation?
Or is there a legitimate kernel option that causes this?
>
> Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
> ---
> src/PVE/Network.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
> index c468e40..9d726cd 100644
> --- a/src/PVE/Network.pm
> +++ b/src/PVE/Network.pm
> @@ -210,8 +210,8 @@ my $cond_create_bridge = sub {
>
> sub disable_ipv6 {
> my ($iface) = @_;
> - return if !-d '/proc/sys/net/ipv6'; # ipv6 might be completely disabled
> my $file = "/proc/sys/net/ipv6/conf/$iface/disable_ipv6";
> + return if !-e $file; # ipv6 might be completely disabled
> open(my $fh, '>', $file) or die "failed to open $file for writing: $!\n";
> print {$fh} "1\n" or die "failed to disable link-local ipv6 for $iface\n";
> close($fh);
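Review bot: the `-e $file` test followed by `open(my $fh, '>', $file) or die ...` is a check-then-use pair, so if the entry goes away between the two calls (the race asked about above), the function still dies in `open`. Consider dropping the separate existence test, attempting the open directly, and returning when it fails with `$!{ENOENT}`, while keeping the `die` for every other error.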
> --
> 2.30.2
* Re: [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking
2022-10-20 10:05 ` Wolfgang Bumiller
@ 2022-10-20 16:18 ` DERUMIER, Alexandre
[not found] ` <mailman.64.1666287516.489.pve-devel@lists.proxmox.com>
0 siblings, 1 reply; 6+ messages in thread
From: DERUMIER, Alexandre @ 2022-10-20 16:18 UTC
To: Wolfgang Bumiller, Alexandre Derumier; +Cc: pve-devel
I'm really unable to reproduce this.
User is able to reproduce it 100%, depending on the bridge where the vm is started.
(some bridge with sdn generated for example).
I haven't asked the user to reboot.
ifupdown2 seems to throw a warning too, so I don't know if it's a special sysctl triggering this, or a kernel bug, or something else.
________________________________
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Sent: Thursday, October 20, 2022 12:05 PM
To: Alexandre Derumier <aderumier@odiso.com>
Cc: pve-devel@lists.proxmox.com <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking
On Thu, Oct 20, 2022 at 12:24:29AM +0200, Alexandre Derumier wrote:
> It's possible to have a
> /proc/sys/net/ipv6/ directory
>
> but no
> /proc/sys/net/ipv6/conf/$iface/disable_ipv6
Do we know why this happens? That doesn't seem right to me, unless
some kind of race somewhere with the interface creation?
Or is there a legitimate kernel option that causes this?
>
> Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
> ---
> src/PVE/Network.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
> index c468e40..9d726cd 100644
> --- a/src/PVE/Network.pm
> +++ b/src/PVE/Network.pm
> @@ -210,8 +210,8 @@ my $cond_create_bridge = sub {
>
> sub disable_ipv6 {
> my ($iface) = @_;
> - return if !-d '/proc/sys/net/ipv6'; # ipv6 might be completely disabled
> my $file = "/proc/sys/net/ipv6/conf/$iface/disable_ipv6";
> + return if !-e $file; # ipv6 might be completely disabled
> open(my $fh, '>', $file) or die "failed to open $file for writing: $!\n";
> print {$fh} "1\n" or die "failed to disable link-local ipv6 for $iface\n";
> close($fh);
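Review bot: `close($fh);` on the last line of the hunk ignores its return value, and with Perl's buffered I/O the `1\n` normally reaches the procfs file only when the handle is flushed at close, so a write the kernel rejects passes the `print {$fh} "1\n" or die ...` check unnoticed. Check the close as well, for example `close($fh) or die "failed to disable link-local ipv6 for $iface: $!\n";`.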
> --
> 2.30.2
* Re: [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking
[not found] ` <mailman.64.1666287516.489.pve-devel@lists.proxmox.com>
@ 2022-10-21 4:55 ` DERUMIER, Alexandre
2022-10-21 8:16 ` Wolfgang Bumiller
0 siblings, 1 reply; 6+ messages in thread
From: DERUMIER, Alexandre @ 2022-10-21 4:55 UTC
To: pve-devel, mark
Hi,
This is to avoid having an ipv6 local-link ip address on every generated
tap interface (and fwbr bridges too).
(and having bad packets sent to the network)
This, of course, doesn't disable ipv6 support inside the vm/ct.
On Thursday, 20 October 2022 at 17:07 +0000, Mark Schouten via pve-devel
wrote:
> Hi,
>
> Sorry. But I always get extremely triggered by functions called
> ‘disable_ipv6()’.
>
> Can someone hit me with a cluebat as to why that function even
> exists?
> (Since we deploy Proxmox without IPv4, so anywhere where ipv6 is
> actively disabled, will break stuff for us).
>
> —
* Re: [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking
2022-10-21 4:55 ` DERUMIER, Alexandre
@ 2022-10-21 8:16 ` Wolfgang Bumiller
0 siblings, 0 replies; 6+ messages in thread
From: Wolfgang Bumiller @ 2022-10-21 8:16 UTC
To: DERUMIER, Alexandre; +Cc: pve-devel, mark
On Fri, Oct 21, 2022 at 04:55:08AM +0000, DERUMIER, Alexandre wrote:
> Hi,
>
> This is to avoid having an ipv6 local-link ip address on every generated
> tap interface (and fwbr bridges too).
> (and having bad packets sent to the network)
To be more precise: it's a security measure.
You don't want the host to get IPv6-link-local addresses on every tap,
veth, fw-link, fw-bridge device we create, as each of those would
potentially allow VMs to send packets addressed to that device, which is
very unexpected :-)
>
>
> This, of course, doesn't disable ipv6 support inside the vm/ct.
>
>
>
> On Thursday, 20 October 2022 at 17:07 +0000, Mark Schouten via pve-devel
> wrote:
> > Hi,
> >
> > Sorry. But I always get extremely triggered by functions called
> > ‘disable_ipv6()’.
> >
> > Can someone hit me with a cluebat as to why that function even
> > exists?
> > (Since we deploy Proxmox without IPv4, so anywhere where ipv6 is
> > actively disabled, will break stuff for us).
You obviously don't use...
...umm
...any software out there that does networking :-D
Well, maybe Ceph Hammer, that one worked, but IPv6-only got increasingly
unbearable afterwards until I gave up.
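A host-side check for the measure discussed in this thread, as an added example that is not part of the original messages or of pve-common: for each tap/veth/firewall interface it reports whether `disable_ipv6` is set, not set, or has no per-interface entry (the case the patch skips). The `fwln*`/`fwpr*` prefixes, the `/sys/class/net` listing and both function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not pve-common code): audit host-side VM/CT plumbing
# interfaces for the per-interface disable_ipv6 sysctl.
# Output: one line per audited interface, "<iface> ok|enabled|missing".
# Both roots are parameters so the check can run on a constructed tree.

audit_disable_ipv6() {
    conf_root="${1:-/proc/sys/net/ipv6/conf}"
    net_root="${2:-/sys/class/net}"
    for path in "$net_root"/*; do
        [ -e "$path" ] || continue          # empty or absent directory
        iface="${path##*/}"
        case "$iface" in
            # Name prefixes are an assumption of this example.
            tap*|veth*|fwbr*|fwln*|fwpr*) ;;
            *) continue ;;
        esac
        file="$conf_root/$iface/disable_ipv6"
        if [ ! -e "$file" ]; then
            # The situation from the patch: no per-interface entry,
            # so disable_ipv6() returns without writing anything.
            echo "$iface missing"
        elif [ "$(cat "$file")" = "1" ]; then
            echo "$iface ok"
        else
            echo "$iface enabled"
        fi
    done
}

# Number of audited interfaces where the setting is not confirmed as 1.
count_unprotected() {
    audit_disable_ipv6 "$@" | grep -c -v ' ok$' || true
}

# On a host, call audit_disable_ipv6 with no arguments.
```
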
* [pve-devel] applied: [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking
2022-10-19 22:24 [pve-devel] [PATCH pve-common] fix #4299: network : disable_ipv6: fix path checking Alexandre Derumier
2022-10-20 10:05 ` Wolfgang Bumiller
@ 2023-01-16 9:45 ` Wolfgang Bumiller
1 sibling, 0 replies; 6+ messages in thread
From: Wolfgang Bumiller @ 2023-01-16 9:45 UTC
To: Alexandre Derumier; +Cc: pve-devel, R. Grieger
Sorry for the delay, the change definitely doesn't hurt, I was just
wondering how it would happen.
It's now applied, thanks!
On Thu, Oct 20, 2022 at 12:24:29AM +0200, Alexandre Derumier wrote:
> It's possible to have a
> /proc/sys/net/ipv6/ directory
>
> but no
> /proc/sys/net/ipv6/conf/$iface/disable_ipv6
>
> Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
> ---
> src/PVE/Network.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
> index c468e40..9d726cd 100644
> --- a/src/PVE/Network.pm
> +++ b/src/PVE/Network.pm
> @@ -210,8 +210,8 @@ my $cond_create_bridge = sub {
>
> sub disable_ipv6 {
> my ($iface) = @_;
> - return if !-d '/proc/sys/net/ipv6'; # ipv6 might be completely disabled
> my $file = "/proc/sys/net/ipv6/conf/$iface/disable_ipv6";
> + return if !-e $file; # ipv6 might be completely disabled
> open(my $fh, '>', $file) or die "failed to open $file for writing: $!\n";
> print {$fh} "1\n" or die "failed to disable link-local ipv6 for $iface\n";
> close($fh);
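Review bot: the new `return if !-e $file;` skips the write without leaving any trace, so when the per-interface entry is missing while `/proc/sys/net/ipv6` exists, nothing tells the caller or the logs that the setting was not applied to `$iface`. Emit a `warn` naming the interface before returning in that case, and keep the silent return for the situation the old `-d '/proc/sys/net/ipv6'` test handled, where the whole directory is absent.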
> --
> 2.30.2