RE: networkd RetransmitSec - how to make it work on a host?

2023-12-12 Thread Muggeridge, Matt
> -Original Message-
> From: Lennart Poettering 
> Sent: Wednesday, December 13, 2023 7:32 AM
> To: Muggeridge, Matt 
> Cc: systemd-devel@lists.freedesktop.org
> Subject: Re: networkd RetransmitSec - how to make it work on a host?
> 
> On Mo, 11.12.23 02:49, Muggeridge, Matt (matt.muggerid...@hpe.com)
> wrote:
> 
> > The RetransmitSec option was introduced in systemd-v255, but I cannot
> > get it to work for Neighbor Solicitations from a Host. Instead, I
> > observe that the NS are always transmitted at 1 second intervals,
> > regardless of whether it was changed by:
> 
> Please file this as git issue. It sounds like a bug report, which should
> really go to github.
> 
> Lennart
> 
> --
> Lennart Poettering, Berlin

There's probably something about it that I've misunderstood, which is why I 
asked here.

Ok, I will raise a github issue.

Cheers,
Matt.



Re: networkd RetransmitSec - how to make it work on a host?

2023-12-12 Thread Lennart Poettering
On Mo, 11.12.23 02:49, Muggeridge, Matt (matt.muggerid...@hpe.com) wrote:

> The RetransmitSec option was introduced in systemd-v255, but I
> cannot get it to work for Neighbor Solicitations from a
> Host. Instead, I observe that the NS are always transmitted at 1
> second intervals, regardless of whether it was changed by:

Please file this as git issue. It sounds like a bug report, which
should really go to github.

Lennart

--
Lennart Poettering, Berlin


networkd RetransmitSec - how to make it work on a host?

2023-12-10 Thread Muggeridge, Matt
The RetransmitSec option was introduced in systemd-v255, but I cannot get it to 
work for Neighbor Solicitations from a Host. Instead, I observe that the NS are 
always transmitted at 1 second intervals, regardless of whether it was changed 
by:


  1.  Received RA Retransmit Timer
  2.  Sysctl net.ipv6.icmp.ratelimit
  3.  Systemd.network configuration file RetransmitSec

A few questions:

  1.  Can you point me at the networkd code that generates the neighbor solicitations?
  2.  My router sends an RA with a Retransmit Timer = 5000ms:
     *   What is supposed to take precedence, the RA or the value in the config file?
     *   With debug enabled, I see networkd writes to /proc/sys/net/ipv6/icmp/ratelimit
        i.  However, that makes no difference to the retransmit rate, which is always 1 second.
  3.  Why is this option not enabled under [Network], but instead under [IPv6SendRA]?  Hosts send NS that should also be ratelimited.

$ systemctl --version
systemd 255 (255-1-g6a9a58c^)
+PAM -AUDIT -SELINUX -APPARMOR -IMA -SMACK -SECCOMP -GCRYPT -GNUTLS -OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -TPM2 -BZIP2 -LZ4 +XZ -ZLIB -ZSTD -BPF_FRAMEWORK -XKBCOMMON -UTMP +SYSVINIT default-hierarchy=hybrid

I've tried several configuration changes, but nothing worked.  E.g. I tried to 
configure the Retransmit interval to 3 seconds. After each configuration 
change, I ran:

$ systemctl daemon-reload; systemctl restart systemd-networkd

One of my attempts:

$ networkctl cat 10-eno0.network
# /etc/systemd/network/10-eno0.network
[Match]
KernelCommandLine=!nfsroot
Name=eno0

[DHCP]
ClientIdentifier=mac
RouteMetric=10
UseDomains=yes
UseHostname=yes
UseMTU=yes

[IPv6AcceptRA]
#UseOnLinkPrefix=yes
UseDNS=yes
UseDomains=yes

[Link]
RequiredForOnline=no

[Network]
#Address=16.107.234.71/21
#DHCP=ipv6
#DNS=1.2.3.6
#Gateway=16.107.232.1
Address=10.1.1.1/24
DHCP=no
Gateway=10.1.1.2
IPv6AcceptRA=yes
IPv6SendRA=yes

[IPv6SendRA]
RetransmitSec=3


And here is the tcpdump output:

$ tcpdump -i eno0 -n --number ip6 -vv
tcpdump: listening on eno0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
1  02:23:50.607129 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::200:10ff:fe10:1060 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
hop limit 64, Flags [none], pref medium, router lifetime 9000s, reachable time 3ms, retrans timer 5000ms
  prefix info option (3), length 32 (4): 2001:2:0:1000::/64, Flags [onlink, auto], valid time 65535s, pref. time 65535s
0x:  40c0       2001
0x0010:  0002  1000    
  mtu option (5), length 8 (1):  1500
0x:    05dc

8< -- snip unrelated multicast packets  >8

4  02:24:00.932029 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 10) fe80::200:10ff:fe10:1081 > fe80::9640:c9ff:fed6:77f6: [icmp6 sum ok] ICMP6, echo request, id 0, seq 0
5  02:24:00.932412 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::9640:c9ff:fed6:77f6 > ff02::1:ff10:1081: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:10ff:fe10:1081
  source link-address option (1), length 8 (1): 94:40:c9:d6:77:f6
0x:  9440 c9d6 77f6
6  02:24:01.934639 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::9640:c9ff:fed6:77f6 > ff02::1:ff10:1081: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:10ff:fe10:1081
  source link-address option (1), length 8 (1): 94:40:c9:d6:77:f6
0x:  9440 c9d6 77f6
7  02:24:02.958599 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::9640:c9ff:fed6:77f6 > ff02::1:ff10:1081: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:10ff:fe10:1081
  source link-address option (1), length 8 (1): 94:40:c9:d6:77:f6
0x:  9440 c9d6 77f6

$ sysctl net.ipv6.icmp.ratelimit
net.ipv6.icmp.ratelimit = 5000


Thanks,
Matt.
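
To check whether a retransmit setting actually changed the spacing of Neighbor Solicitations, the intervals can be measured from a capture rather than read by eye. The following is an added example, not part of the original thread or of systemd; the function name `ns_intervals` and the sample capture are constructed for illustration, shaped like the `tcpdump -n --number ip6 -vv` output in the message above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n --number ip6 -vv` output,
# including the mid-record line wrapping that appears when pasted into mail.
SAMPLE = """\
1  02:24:00.932412 IP6 (hlim 255, next-header ICMPv6 (58) payload length:
32) fe80::1 > ff02::1:ff00:2: [icmp6 sum ok] ICMP6,
neighbor solicitation, length 32, who has fe80::2
  source link-address option (1), length 8 (1): 02:00:00:00:00:01
2  02:24:01.934639 IP6 (hlim 255, ...) fe80::1 > ff02::1:ff00:2: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::2
3  02:24:02.100000 IP6 (...) fe80::3 > fe80::1: [icmp6 sum ok] ICMP6, echo request, id 0, seq 0
4  02:24:02.958599 IP6 (...) fe80::1 > ff02::1:ff00:2: ... neighbor solicitation, length 32, who has fe80::2
"""

# A packet record opens with an optional packet number and a timestamp.
RECORD_START = re.compile(r"^\s*(?:\d+\s+)?(\d\d):(\d\d):(\d\d\.\d+) IP6\b")
NS = re.compile(r"(\S+) > \S+: .*neighbor solicitation, length \d+, who has (\S+)")


def ns_intervals(text):
    """Return {(source, target): [seconds between consecutive NS, ...]}."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:  # timestamp line: start a new packet record
            h, mi, s = m.groups()
            current = [int(h) * 3600 + int(mi) * 60 + float(s), line.strip()]
            records.append(current)
        elif current is not None:  # wrapped or option line: fold into record
            current[1] += " " + line.strip()
    last_seen, gaps = {}, defaultdict(list)
    for ts, body in records:
        m = NS.search(body)
        if not m:
            continue  # not a neighbor solicitation
        key = (m.group(1), m.group(2).rstrip(","))
        if key in last_seen:
            delta = ts - last_seen[key]
            # tcpdump prints time of day only, so handle a midnight rollover
            gaps[key].append(round(delta + 86400 if delta < 0 else delta, 3))
        last_seen[key] = ts
    return dict(gaps)


if __name__ == "__main__":
    for (src, target), deltas in ns_intervals(SAMPLE).items():
        print(f"{src} -> who has {target}: {deltas}")
```
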