
#1 2018-10-07 01:18:20

emwe
Member
Registered: 2018-10-07
Posts: 5

deactivate IPv6 link local addresses "fe80:...."

I already asked this in the German ArchLinux forum and found a solution. If you understand German you can read it here: https://bbs.archlinux.de/viewtopic.php?id=31985. Although it's working I'm not happy with it because I have to modify kernel parameters for it.
The purpose of this machine is to serve as a host for virtual machines (firewall and several servers). I have 3 physical ethernet cards installed and 3 openvswitch bridges (wan, lan, dmz) configured. When the virtual machines start later they will spawn vnet* interfaces. For security reasons I want IPv4 and IPv6 addresses only on the openvswitch bridge interface connected to the lan. All other interfaces must not have any IP addresses. All interfaces are configured with systemd-networkd.
The configuration files for the physical interfaces look like:

[Match]
Name=enp1s0

[Network]
DHCP=no
LinkLocalAddressing=no

for the openvswitch bridge wan and dmz interfaces

[Match]
Name=brwan

[Network]
DHCP=no
BindCarrier=enp1s0
LinkLocalAddressing=no

for the openvswitch lan interface before the virtual machine with the firewall is started

[Match]
Name=brlan

[Network]
DHCP=no
Address=192.168.3.4/24
Gateway=192.168.3.1
DNS=192.168.3.1
DNS=192.168.178.1
Domains=heimnetz.netz box
NTP=192.168.3.1
NTP=192.168.178.1
NTP=0.de.pool.ntp.org
IPv6PrivacyExtensions=kernel
BindCarrier=enp2s0
LinkLocalAddressing=ipv6

[Address]
AutoJoin=yes

after the firewall is started

[Match]
Name=brlan

[Network]
DHCP=yes
IPv6PrivacyExtensions=kernel
BindCarrier=enp2s0
LinkLocalAddressing=ipv6

[Address]
AutoJoin=yes

and finally for the vnet* interfaces spawning with the start of the virtual machines

[Match]
Name=vnet*

[Network]
LinkLocalAddressing=no

The problem is that the kernel ipv6 module assigns a link-local address by default as soon as an interface comes up.
This can be prevented by modifying the ipv6 module's addr_gen_mode parameter.

addr_gen_mode - INTEGER
        Defines how link-local and autoconf addresses are generated.

        0: generate address based on EUI64 (default)
        1: do not generate a link-local address, use EUI64 for addresses generated
           from autoconf
        2: generate stable privacy addresses, using the secret from
           stable_secret (RFC7217)
        3: generate stable privacy addresses, using a random secret if unset

So as a result I now have a file network-interfaces.conf in /etc/sysctl.d

# disable generation of link local addresses for all interfaces; this alone is not enough, you also need to change the default setting
net.ipv6.conf.all.addr_gen_mode=1
# disable default generation of link local addresses
net.ipv6.conf.default.addr_gen_mode=1
# enable generation of link local address for loopback interface
net.ipv6.conf.lo.addr_gen_mode=0
# prefer temporary IPv6 address on interface brlan
net.ipv6.conf.brlan.use_tempaddr=2
# enable generation of link local address for interface brlan
net.ipv6.conf.brlan.addr_gen_mode=0

This is working but as already written I'm not happy with this. Modifying kernel parameters is something I do not want to do. Who remembers in 4 or 5 years, when moving to a new machine, that this was necessary? Also this splits the network configuration into several files in several places. I want to keep all the network configuration stuff in one single file (per interface if necessary).

From the systemd-networkd documentation I learned

LinkLocalAddressing=

    Enables link-local address autoconfiguration. Accepts "yes", "no", "ipv4", or "ipv6". Defaults to "ipv6".

"LinkLocalAddressing=no" will prevent the generation of new link-local addresses, but it does not check whether one was assigned from other sources, nor does it delete one that is already assigned.
So my question is:
Is there a way to make systemd-networkd aware of the kernel behaviour, check if a link-local address was assigned and, if so, delete it?

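A defender's check for the requirement stated in the post above, added here as an example and not taken from the thread or from systemd: a POSIX shell audit that parses `ip -6 -o addr show` output and lists every fe80::/10 address sitting on an interface that is not on an allow-list. The allow-list (`lo brlan`) and the sample addresses are constructed assumptions for this example; nothing is deleted, the script only reports.

```shell
#!/bin/sh
# Audit: report IPv6 link-local addresses on interfaces that should not have any.
# Interfaces that are allowed to carry a link-local address (assumption: the
# loopback and the LAN bridge from the thread).
ALLOWED="lo brlan"

# Constructed sample of "ip -6 -o addr show" output, used for offline testing.
SAMPLE='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: enp1s0    inet6 fe80::1234:5678:9abc:def0/64 scope link \       valid_lft forever preferred_lft forever
5: brlan    inet6 fe80::abcd:1234:5678:9abc/64 scope link \       valid_lft forever preferred_lft forever
6: brwan    inet6 fe80::1/64 scope link \       valid_lft forever preferred_lft forever
7: vnet0    inet6 fe80::fc54:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'

# Exit 0 if $1 is in ALLOWED, 1 otherwise.
is_allowed() {
  for a in $ALLOWED; do
    [ "$a" = "$1" ] && return 0
  done
  return 1
}

# Read "ip -6 -o addr show" lines on stdin; print "<iface> <addr>" for every
# link-local address (fe80::/10, i.e. fe80 to febf) on a non-allowed interface.
find_stray_linklocal() {
  while read -r _idx iface fam addr _rest; do
    [ "$fam" = "inet6" ] || continue
    case "$addr" in
      [fF][eE][89abAB]?:*) ;;   # inside fe80::/10
      *) continue ;;
    esac
    is_allowed "$iface" && continue
    printf '%s %s\n' "$iface" "$addr"
  done
}

# Run the audit against the live system: exit 0 when clean, 1 when any
# non-allowed interface still carries a link-local address.
audit_live() {
  out=$(ip -6 -o addr show | find_stray_linklocal)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Offline demonstration on the constructed sample (expected: enp1s0, brwan, vnet0).
printf '%s\n' "$SAMPLE" | find_stray_linklocal
```

Run `audit_live` from a networkd-dispatcher hook or a timer to catch addresses that a kernel default re-added after a link came up.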

#2 2018-10-07 11:04:36

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: deactivate IPv6 link local addresses "fe80:...."

Not an installation issue, moving to Networking, Server, and Protection.


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

