Re: "accept_ra 1" vs "accept_ra 2" in interfaces configuration-file
On Wed, Aug 22, 2018 at 2:02 AM Andy Smith wrote: > > Hi Martin, > > On Wed, Aug 22, 2018 at 01:06:32AM +0300, Martin T wrote: > > In addition, "accept_ra" with a value of 2 should ensure that RA > > messages are accepted even if forwarding for that interface is > > enabled, shouldn't it? > > Yes, it should. > > That's the way it's documented and our use case is what it's meant > to serve, so if it's not behaving that way for you then I think it > is a bug and should be reported upstream in the kernel bugzilla. > > Cheers, > Andy > Hi Andy, I did some additional tests and made following observations: 1) For IPv6 one can't enable/disable routing for specific interface(s). It is either off(/proc/sys/net/ipv6/conf/all/forwarding is 0) or on(/proc/sys/net/ipv6/conf/all/forwarding is 1). 2) /proc/sys/net/ipv6/conf//forwarding controls simply if interface sends out RS messages and accepts RA messages Also, I found a post from David Miller in 2001(!) where he told pretty much the same: https://bugzilla.redhat.com/show_bug.cgi?id=38533 This means that I set the accept_ra in interfaces file to 1 for eth0(ISP-facing interface) and added those two lines to sysctl.conf: net.ipv6.conf.all.forwarding=1 net.ipv6.conf.eth0.forwarding=0 Martin
Re: "accept_ra 1" vs "accept_ra 2" in interfaces configuration-file
Hi Martin, On Wed, Aug 22, 2018 at 01:06:32AM +0300, Martin T wrote: > In addition, "accept_ra" with a value of 2 should ensure that RA > messages are accepted even if forwarding for that interface is > enabled, shouldn't it? Yes, it should. That's the way it's documented and our use case is what it's meant to serve, so if it's not behaving that way for you then I think it is a bug and should be reported upstream in the kernel bugzilla. Cheers, Andy
Re: "accept_ra 1" vs "accept_ra 2" in interfaces configuration-file
On Tue, Aug 21, 2018 at 1:23 AM Andy Smith wrote: > > Hi Martin, > > On Mon, Aug 20, 2018 at 03:58:36PM +0300, Martin T wrote: > > On Mon, Aug 20, 2018 at 7:55 AM Andy Smith wrote: > > > Back in 2011 this was a hard-won battle: > > > > > > > > > http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/ > > […] > > > Thanks for this very informative blog post! However, setting the > > "net.ipv6.conf.all.forwarding" to 1 in /etc/sysctl.conf and > > "accept_ra" to 2 in /etc/network/interfaces for ISP facing > > interface(eth0) didn't work for me. I expected SLAAC to work, but it > > didn't. I'm running kernel version 4.9.0. > > Strange. I've had a look and it seems I continued to use the > workaround mentioned in the blog post even though supposedly I no > longer need to. If you use that workaround, does it (SLAAC) start > working for you? > > Also, is it just address assignment that doesn't work or is it also > default router assignment that doesn't work? On my servers that > forward v6 I don't use dynamic assignment of addresses, I statically > assign them, but I do use dynamic assignment of default route. > > Cheers, > Andy > Hi Andy, Thanks for your reply! > If you use that workaround, does it (SLAAC) start working for you? Do you mean the pre-up statements in /etc/network/interfaces? If yes, then with those workarounds the SLAAC works, i.e I get the default route. My ISP-facing interface is eth0 and it has forwarding disabled: # cat /proc/sys/net/ipv6/conf/eth0/forwarding 0 # Rest of the options are set: # cd /proc/sys/net/ipv6/conf/ # cat default/forwarding 1 # cat all/forwarding 1 # cat eth0/accept_ra 2 # cat all/accept_ra 1 # cat default/accept_ra 1 # However, I quite do not understand how returned IPv6 traffic(ingress traffic to eth0) is routed to my LAN-facing interface when I have disabled it in /proc/sys/net/ipv6/conf/eth0/forwarding? If I do the same for IPv4 traffic(echo 0 > /proc/sys/net/ipv4/conf/eth0/forwarding), then returned traffic is dropped because forwarding for eth0 is disabled. In addition, "accept_ra" with a value of 2 should ensure that RA messages are accepted even if forwarding for that interface is enabled, shouldn't it? > Also, is it just address assignment that doesn't work or is it also > default router assignment that doesn't work? On my servers that > forward v6 I don't use dynamic assignment of addresses, I statically > assign them, but I do use dynamic assignment of default route. I have exactly the same case. I use dynamic assignment only for default route and this doesn't work even if "accept_ra" has a value of 2. thanks, Martin
Re: "accept_ra 1" vs "accept_ra 2" in interfaces configuration-file
Hi Martin, On Mon, Aug 20, 2018 at 03:58:36PM +0300, Martin T wrote: > On Mon, Aug 20, 2018 at 7:55 AM Andy Smith wrote: > > Back in 2011 this was a hard-won battle: > > > > > > http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/ […] > Thanks for this very informative blog post! However, setting the > "net.ipv6.conf.all.forwarding" to 1 in /etc/sysctl.conf and > "accept_ra" to 2 in /etc/network/interfaces for ISP facing > interface(eth0) didn't work for me. I expected SLAAC to work, but it > didn't. I'm running kernel version 4.9.0. Strange. I've had a look and it seems I continued to use the workaround mentioned in the blog post even though supposedly I no longer need to. If you use that workaround, does it (SLAAC) start working for you? Also, is it just address assignment that doesn't work or is it also default router assignment that doesn't work? On my servers that forward v6 I don't use dynamic assignment of addresses, I statically assign them, but I do use dynamic assignment of default route. Cheers, Andy
Re: "accept_ra 1" vs "accept_ra 2" in interfaces configuration-file
On Mon, Aug 20, 2018 at 7:55 AM Andy Smith wrote: > > Hi Martin, > > On Mon, Aug 20, 2018 at 05:12:56AM +0300, Martin T wrote: > > According to "man interfaces" "accept_ra 1" makes interface to accept > > IPv6 RA messages. "accept_ra 2" does the same and in addition, it also > > enables forwarding. What does the forwarding mean in this context? One > > could think, that it modifies the /proc/sys/net/ipv6/conf/*/forwarding > > file(s), but this does not seem to be the case. > > If forwarding = 1 then by default RAs will not be accepted. Setting > accept_ra to 2 allows RAs to be accepted even when forwarding = 1. > > Changing the values of either forwarding or accept_ra does not alter > the values of the other. Only the behaviour of the system. > > Back in 2011 this was a hard-won battle: > > > http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/ > > Cheers, > Andy > Hi Andy! Thanks for this very informative blog post! However, setting the "net.ipv6.conf.all.forwarding" to 1 in /etc/sysctl.conf and "accept_ra" to 2 in /etc/network/interfaces for ISP facing interface(eth0) didn't work for me. I expected SLAAC to work, but it didn't. I'm running kernel version 4.9.0. Settings can be seen below: # sysctl net.ipv6.conf.all.forwarding net.ipv6.conf.all.forwarding = 1 # # sysctl net.ipv6.conf.eth0.accept_ra net.ipv6.conf.eth0.accept_ra = 2 # When I set the "net.ipv6.conf.all.forwarding" to 0 and reboot the router, then SLAAC works. What might cause this? thanks, Martin
Re: "accept_ra 1" vs "accept_ra 2" in interfaces configuration-file
Hi Martin, On Mon, Aug 20, 2018 at 05:12:56AM +0300, Martin T wrote: > According to "man interfaces" "accept_ra 1" makes interface to accept > IPv6 RA messages. "accept_ra 2" does the same and in addition, it also > enables forwarding. What does the forwarding mean in this context? One > could think, that it modifies the /proc/sys/net/ipv6/conf/*/forwarding > file(s), but this does not seem to be the case. If forwarding = 1 then by default RAs will not be accepted. Setting accept_ra to 2 allows RAs to be accepted even when forwarding = 1. Changing the values of either forwarding or accept_ra does not alter the values of the other. Only the behaviour of the system. Back in 2011 this was a hard-won battle: http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/ Cheers, Andy
"accept_ra 1" vs "accept_ra 2" in interfaces configuration-file
Hi! According to "man interfaces" "accept_ra 1" makes interface to accept IPv6 RA messages. "accept_ra 2" does the same and in addition, it also enables forwarding. What does the forwarding mean in this context? One could think, that it modifies the /proc/sys/net/ipv6/conf/*/forwarding file(s), but this does not seem to be the case. thanks, Martin
