Package: bridge-utils
Version: 1.7.1-1
Severity: normal

Issue
=====
Using "ip token", a command to specify a fixed Interface ID for IPv6 
addressing, fails with bridges in Debian Bookworm, as the token needs to be set in 
between interface creation and taking the interface up.
/lib/bridge-utils/ifupdown.sh currently does not allow hooking into that stage.

Using the following interface config:

auto br0
iface br0 inet dhcp
 bridge_ports enp1s0
 bridge_hw 12:34:56:78:90:12
iface br0 inet6 manual
 pre-up ip token set ::192.168.1.35 dev br0

causes the system to end up with the usual EUI-64 based global IPv6 addresses 
in addition to the token-based addresses.
The kernel then keeps the EUI-64 based addresses in addition to the wanted 
token-based addresses until they expire, at which point only the tokenized 
interface identifiers keep being used.


Workaround
==========
As a "hack", the following workaround configuration can be used:

auto br0
iface br0 inet dhcp
 pre-up brctl addbr br0
 pre-up ip link set dev br0 address 12:34:56:78:90:12
 pre-up ip token set ::192.168.1.35 dev br0
 bridge_ports enp1s0
 bridge_hw 00:1e:06:45:2e:fa
iface br0 inet6 manual

This causes the "ip token" command to apply between interface creation and 
taking the interface up, which works as expected (i.e. the system only has global 
addresses based on the token).
Of course, any required feature dealt with in /lib/bridge-utils/ifupdown.sh in 
between interface creation and taking the interface up needs to be replicated 
manually via pre-up.


Proposed fix
============
Adding the lines:

  # Set the IPv6 token while the bridge exists but is still down
  if [ "$IF_BRIDGE_TOKEN" ]
  then
    ip token set "$IF_BRIDGE_TOKEN" dev "$IFACE"
  fi

right before:

  # We activate the bridge
  ip link set dev $IFACE up

in /lib/bridge-utils/ifupdown.sh and using the interface config:

auto br0
iface br0 inet dhcp
 bridge_ports enp1s0
 bridge_hw 12:34:56:78:90:12
 bridge_token ::192.168.1.35

fixes the problem. However, this necessarily introduces a dependency on iproute2 (i.e. it should 
probably be a "recommends", existence of "/sbin/ip" might be necessary to 
check, documentation needs to be adapted).
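
A guarded form of the proposed hook, as an added example that is not part of the original report or of bridge-utils: it validates the interface name and token and checks that the ip binary exists before calling it. The function name bridge_apply_token, the IP_BIN variable and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not bridge-utils code. bridge_apply_token and IP_BIN are
# hypothetical names; /sbin/ip is the path mentioned in the report.
IP_BIN=${IP_BIN:-/sbin/ip}

# Usage: bridge_apply_token IFACE TOKEN
# Call after the bridge exists and before "ip link set dev $IFACE up".
# Returns: 0 token set, or no token configured
#          1 interface name or token rejected by the checks below
#          2 ip binary not available (iproute2 missing)
#          3 "ip token set" itself failed
bridge_apply_token() {
    bt_iface=$1
    bt_token=$2

    # No bridge_token option in the stanza: nothing to do.
    [ -n "$bt_token" ] || return 0

    # Interface name: non-empty, no leading '-', conservative character set.
    case $bt_iface in
        ''|-*|*[!A-Za-z0-9_.-]*)
            echo "bridge_token: bad interface name '$bt_iface'" >&2
            return 1 ;;
    esac

    # Token: only characters of an IPv6 literal (hex digits, ':' and '.' for
    # the dotted-quad tail used in the report) and at least one ':'.
    # ip(8) still does the full address parse.
    case $bt_token in
        *[!0-9A-Fa-f:.]*) bt_ok=no ;;
        *:*)              bt_ok=yes ;;
        *)                bt_ok=no ;;
    esac
    if [ "$bt_ok" != yes ]; then
        echo "bridge_token: bad token '$bt_token'" >&2
        return 1
    fi

    # The report notes the new dependency on iproute2: check before use.
    if ! command -v "$IP_BIN" >/dev/null 2>&1; then
        echo "bridge_token: $IP_BIN not found, is iproute2 installed?" >&2
        return 2
    fi

    "$IP_BIN" token set "$bt_token" dev "$bt_iface" || return 3
}
```

In ifupdown.sh this would be called as `bridge_apply_token "$IFACE" "$IF_BRIDGE_TOKEN"` right before the bridge is activated.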
