
#1 2016-12-11 19:30:43

waitin_for_eric
Member
Registered: 2016-12-11
Posts: 4

Using /etc/sysctl.d script to disable ipv6 doesn't seem to work

I am running Arch Linux on a virtual machine in VirtualBox. I am using a VPN that doesn't support ipv6, so I am trying to disable ipv6 so that I am not bypassing the vpn.
I've followed the directions on the wiki for disabling ipv6. I have put the following in /etc/sysctl.d/40-ipv6.conf

# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.enp0s3.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1

On a reboot, my ethernet interface still has ipv6 enabled and an ipv6 address:

# sysctl -a | grep "disable_ipv6"
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.enp0s3.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1

If I run sysctl --system it gets disabled properly:

# sudo sysctl --system

* Applying /etc/sysctl.d/40-ipv6.conf ...
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.enp0s3.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1
* Applying /usr/lib/sysctl.d/50-coredump.conf ...
kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %e
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/50-dmesg-restrict.conf ...
kernel.dmesg_restrict = 1
* Applying /etc/sysctl.d/50-kptr-restrict.conf ...
kernel.kptr_restrict = 1

It seems that sysctl runs on boot, but that the value gets overwritten. How can I verify that or find out what overwrites it?

Offline

#2 2016-12-11 21:35:50

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Using /etc/sysctl.d script to disable ipv6 doesn't seem to work

Re-read the wiki page and try a different method https://wiki.archlinux.org/index.php/IP … ctionality


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#3 2017-03-19 10:23:49

fermi
Member
Registered: 2017-03-16
Posts: 6

Re: Using /etc/sysctl.d script to disable ipv6 doesn't seem to work

This is a consequence of the order in which things are applied.
systemd-analyze plot > /tmp/something.svg
The svg file will show you that systemd-sysctl.service which is responsible for applying the parameters within: /etc/sysctl.d/40-ipv6.conf is executed before the presence of your wlan adapter:
sys-subsystems-net-devices-wlan0-device.

This is also the reason why a sudo sysctl --system after reboot will apply the parameters.

Offline

#4 2017-03-19 11:37:14

mich41
Member
Registered: 2012-06-22
Posts: 796

Re: Using /etc/sysctl.d script to disable ipv6 doesn't seem to work

fermi wrote:

/etc/sysctl.d/40-ipv6.conf is executed before the presence of your wlan adapter

This is irrelevant because net.ipv6.conf.default.* are the defaults which apply to all interfaces added in the future.

The problem is that systemd installs some udev rules to /lib/udev/rules.d which are executed on all newly added interfaces and screw up their configuration behind your back. Run

udevadm test /sys/class/net/wlan0

for the ugly details. You need to either neutralize the udev rule which runs systemd-sysctl or find where systemd-sysctl pulls the new sysctl settings from - possibly some files in /usr/lib/sysctl.d. Or add a udev rule which overrides them back afterwards. Have fun :)

Or, if you really care about security, firewall this VM on the host side so that it can only access the VPN gateway, like people do with TOR.

Last edited by mich41 (2017-03-19 12:03:34)

Offline
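
One way to check after boot whether a configured disable_ipv6 value was overwritten, as an added example that is not part of the original thread: a POSIX shell check that compares each interface's live value with the one requested in the sysctl.d file, falling back to the net.ipv6.conf.default entry for interfaces the file does not name. The function names configured_value and ipv6_drift and the optional alternate /proc/sys root are hypothetical, chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): list interfaces whose live
# disable_ipv6 value differs from what the sysctl.d file requests.
# The /proc/sys root is a parameter so the check can also be run
# against a constructed directory tree.

# configured_value CONF_FILE IFACE
# Prints the value set for IFACE, else the "default" entry, else nothing.
configured_value() {
    awk -F'[ \t]*=[ \t]*' -v want="net.ipv6.conf.$2.disable_ipv6" \
        -v dflt="net.ipv6.conf.default.disable_ipv6" '
        /^[ \t]*[#;]/ || NF < 2 { next }   # skip comments and non-assignments
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/[ \t]+$/, "", $2) }
        $1 == want { exact = $2 }
        $1 == dflt { fallback = $2 }
        END { if (exact != "") print exact; else if (fallback != "") print fallback }
    ' "$1"
}

# ipv6_drift CONF_FILE [PROC_SYS_ROOT]
# Prints "iface configured=X live=Y" for every mismatch; returns 1 if any.
ipv6_drift() {
    conf=$1 root=${2:-/proc/sys} rc=0
    for f in "$root"/net/ipv6/conf/*/disable_ipv6; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        case $iface in all|default) continue ;; esac   # templates, not devices
        want=$(configured_value "$conf" "$iface")
        live=$(cat "$f")
        [ -n "$want" ] && [ "$want" != "$live" ] || continue
        echo "$iface configured=$want live=$live"
        rc=1
    done
    return $rc
}

# Run only when a config file is given on the command line.
if [ $# -gt 0 ]; then ipv6_drift "$@"; fi
```

The non-zero exit status on a mismatch lets the check gate bringing up the VPN or run from a timer, so an interface that silently regained IPv6 is reported.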

#5 2017-03-19 14:59:48

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Using /etc/sysctl.d script to disable ipv6 doesn't seem to work

That's all good but this thread is getting old and the OP seems to have lost interest. Closing.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline
