IPv6 not honoring sysctl

So, for some reason I can’t divine, my Rocky Linux 8.9 VM simply will not permit me to disable ipv6 on the loopback interface. I have what I believe are the correct flags in /etc/sysctl.conf, and they are being loaded when I run sysctl -a. Yet, stubbornly, when I run netstat -tan, there my processes are, attaching to an ipv6 address which should not exist:

[root@aarons_host:~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Disable ipv6
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
[root@aarons_host:~]# sysctl -a | egrep disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.enp1s0.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
[root@aarons_host:~]# netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 10.16.4.12:53           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5666            0.0.0.0:*               LISTEN
tcp        0    180 10.16.4.12:22           10.16.4.106:54494       ESTABLISHED
tcp        0      0 10.16.4.12:51846        10.16.4.101:9997        TIME_WAIT
tcp        0      0 10.16.4.12:59732        10.16.4.101:9997        ESTABLISHED
tcp        0      0 10.16.4.12:46910        10.16.4.101:9997        TIME_WAIT
tcp6       0      0 :::111                  :::*                    LISTEN
tcp6       0      0 :::53                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::5666                 :::*                    LISTEN
[root@aarons_host:~]# cat /etc/redhat-release
Rocky Linux release 8.9 (Green Obsidian)

Any ideas? Am I huffing paint? What’s going on?

Thanks.

The sysctl options you’ve set tell the OS to not assign an IPv6 address to the network interfaces. You can check this with ip -6 a.

The IPv6 network module is still loaded, so applications can bind to :::22 (for example) but the result is that it will only be reachable on IPv4.

Thank you for your response. It still seems very strange to me that the kernel will let a process bind to an address which doesn’t actually exist in the network stack. If I use the grub method, I assume the module wouldn’t be loaded?

GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"

I would recommend against completely disabling ipv6 through grub. Doing so may cripple certain software or packages in the base repositories that we ship.

Understood. I will live with the confounding errors in my log.

-Aaron

Well, 0.0.0.0 (INADDR_ANY) and :: (IN6ADDR_ANY) are “special”; they don’t bind to any specific address on the machine, they just listen for the port. So it doesn’t matter if there’s no interface with an address configured, the service still listens.

This turns out to be important and useful behaviour; e.g. now you don’t have an interface with IPv6 but in 5 minutes time you might add one; that listening service will work on the new address without needing restarting.

If you want to stop a service listening on :: and only on 0.0.0.0 then you probably need to change the service config; e.g. for sshd you can set AddressFamily inet in sshd_config and now it will only listen on IPv4. You’d need to do this for all the services (rpcbind, named, nagios?) you want to stop.

Yes, that is what I wound up doing, I found this in the process of setting up bind 9 on a couple of systems (new DNS servers), and I was getting errors in the log which reported ‘named[2075]: couldn’t add command channel ::1#953: address not available’, which is what started me down this rabbit-hole. I was able to make the error go away by commenting out ’ listen-on-v6 port 53 { any; };’ in my named.conf.
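
A small added demonstration of the wildcard-bind behaviour described in the two posts above (example code written for this page, not something posted in the thread). It binds 127.0.0.1, ::, and ::1 in turn and reports the errno, then shows what a listener on :: (IN6ADDR_ANY with IPV6_V6ONLY off) sees when an IPv4 client connects, and that the same listener with IPV6_V6ONLY on refuses that client. On a host with disable_ipv6=1 on lo, the ::1 bind is the one that fails with EADDRNOTAVAIL (named’s “address not available”), while :: still binds; on a kernel booted with ipv6.disable=1, creating any AF_INET6 socket fails with EAFNOSUPPORT instead. The outcomes depend on the host it runs on; the helper names (try_listen, bind_outcome, peer_seen_by_v6_wildcard) are mine, and it only uses ephemeral loopback ports.

```python
import errno
import socket


def _errname(exc):
    """Map an OSError to its errno symbol (e.g. EADDRNOTAVAIL); 'TIMEOUT' for socket timeouts."""
    if isinstance(exc, socket.timeout):
        return "TIMEOUT"
    return errno.errorcode.get(exc.errno, str(exc.errno))


def try_listen(addr, v6only=None):
    """Create a TCP socket, bind it to addr on an ephemeral port and start listening.
    Returns ('ok', listening_socket) or ('err', errno_name)."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        s = socket.socket(family, socket.SOCK_STREAM)
    except OSError as e:          # EAFNOSUPPORT: booted with ipv6.disable=1, no v6 sockets at all
        return ("err", _errname(e))
    try:
        if family == socket.AF_INET6 and v6only is not None:
            s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        s.bind((addr, 0))          # port 0: let the kernel pick a free port
        s.listen(1)
        return ("ok", s)
    except OSError as e:          # e.g. EADDRNOTAVAIL for ::1 when lo has disable_ipv6=1
        s.close()
        return ("err", _errname(e))


def bind_outcome(addr, v6only=None):
    """Just the verdict for one address: 'ok' or the errno name."""
    status, res = try_listen(addr, v6only)
    if status == "ok":
        res.close()
        return "ok"
    return res


def peer_seen_by_v6_wildcard(v6only=False):
    """Listen on :: and connect to that port over plain IPv4 (127.0.0.1).
    Returns the peer address as the listener sees it, the errno name if the IPv4
    connect fails, or None if no IPv6 socket could be set up on this host."""
    status, srv = try_listen("::", v6only=v6only)
    if status != "ok":
        return None
    port = srv.getsockname()[1]
    srv.settimeout(2)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(2)
    try:
        cli.connect(("127.0.0.1", port))
        conn, peer = srv.accept()
        conn.close()
        return peer[0]            # IPv4-mapped form, e.g. ::ffff:127.0.0.1
    except OSError as e:
        return _errname(e)        # ECONNREFUSED when IPV6_V6ONLY=1: nothing listens on the v4 side
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    for a in ("127.0.0.1", "0.0.0.0", "::", "::1"):
        print(f"bind {a:<10} -> {bind_outcome(a)}")
    print("dual-stack :: sees the IPv4 client as:", peer_seen_by_v6_wildcard(v6only=False))
    print("v6-only    :: sees the IPv4 client as:", peer_seen_by_v6_wildcard(v6only=True))
```

Run it with python3 on the box in question: the “bind ::” line stays “ok” no matter what the disable_ipv6 sysctls say, which is exactly the netstat picture in the first post, and the dual-stack line shows why that :: listener is still perfectly reachable over IPv4. Setting AddressFamily inet in sshd_config simply makes sshd skip the AF_INET6 socket altogether.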

Hi,

since I’m kinda paranoid about IPv6

(especially that I have to use windows 10 on a daily basis, and don’t even let me start about “iphelper” service (iphlpsvc), “IP Translation Configuration Service” (IpxlatCfgSvc), “Remote Access IPv6 ARP Driver” (wanarp6), “Microsoft IPv6 Protocol Driver” (Tcpip6) - and at least a few more - ALL WITH THE PURPOSE OF OBFUSCATING usage of IPv6 just to steal more data).

Disabling IPv6 (and telemetry in general) in Windows 10 is a real pain (still: doable). Compared to this disabling it COMPLETELY in Rocky, Centos, or Debian is a walk in the park. Since I always document my work (and I started more than 15 years ago, long before Centos 6 ^^) - I’ll allow myself to post a relevant section of it.
NOTE: it’s a general guide, not every part is relevant to Rocky (i.e. rhgb quiet mentioned later).

  1. Check if IPv6 is actually on:
    ip a | grep inet6
    normally you should see something like:
    inet6 ::1/128 scope host
    Good, it means after you turn it off you can be sure it worked ;]

  2. Start from the grub method:
    a) vim /etc/default/grub
    add/modify:
    GRUB_CMDLINE_LINUX="ipv6.disable=1 ipv6.disable_ipv6=1 ipv6.autoconf=0"
    b) At this point I usually also add:
    GRUB_TIMEOUT=1
    c) and remove “rhgb quiet” (non-existent in Rocky 9)
    d) if you know what you’re doing you can also add:
    GRUB_DISABLE_LINUX_PARTUUID=false
    GRUB_DISABLE_OS_PROBER=true
    options b) through d) are completely optional of course.
    e) obvious last step would be:
    grub2-mkconfig -o /boot/grub2/grub.cfg
    HINT: I recently noticed wrong links in /etc in some deployments, I even managed to find a live example on one of my servers (Rocky 9.3, strangely):
    ls -al /etc/grub*
    (...)root root (...) /etc/grub2.cfg -> /boot/efi/EFI/rocky/grub.cfg
    (...)root root (...) /etc/grub2-efi.cfg -> /boot/efi/EFI/rocky/grub.cfg
    I found it on:
    cat /etc/os-release
    NAME="Rocky Linux"
    VERSION="9.3 (Blue Onyx)"
    Not a huge deal, but you might want to check it out. Or not ;]

  3. Then let’s execute sysctl method (check using: sysctl -a | grep ipv6):
    vim /etc/sysctl.d/10-disable_ipv6.conf (we’re creating a new file)
    add:
    # disabling IPv6
    net.ipv6.conf.all.disable_ipv6=1
    net.ipv6.conf.default.disable_ipv6=1
    net.ipv6.conf.lo.disable_ipv6=1
    net.ipv6.conf.ens192.disable_ipv6=1
    reload:
    sysctl -p
    NOTE1: After reboot it may produce warnings in boot.log similar to: “Couldn't write '1' to 'net/ipv6/conf/all/disable_ipv6', ignoring: No such file or directory”.
    In that case just remove /etc/sysctl.d/10-disable_ipv6.conf and reboot.
    NOTE2: “This method may break SSH Xforwarding unless sshd_config contains AddressFamily inet.”

  4. Blacklisting kernel modules now (lsmod | grep ipv6):
    a) vim /etc/modprobe.d/blacklist.conf
    add:
    # kernel blacklist
    blacklist ipv6
    Since blacklisting requires rebuilding initrd anyway - we may just as well do it right (assuming clean - or at least young - installation):
    a) dnf install memstrack binutils biosdevname microcode_ctl - or any other module you want in your initrd
    b) blacklisting some dracut modules while we’re at it (choose whatever you don’t need, NOTE SPACES NEAR >"<):
    vim /etc/dracut.conf.d/omit.conf (we’re creating a new file)
    add:
    # modules manually omitted
    # Omit a space-separated list of dracut modules to call when building the initramfs. Modules are located in /usr/lib/dracut/modules.d.
    omit_dracutmodules+=" busybox bluetooth cifs iscsi nfs "
    NOTE: to list available modules: ls -al /usr/lib/dracut/modules.d/ OR dracut --list-modules
    c) rebuild initrd:
    cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.backup
    dracut -f -v --no-compress (--no-compress is of course completely optional)

  5. And finally - turn off IPv6 in config files of various system services/daemons:
    a) /etc/hosts:
    sed -i 's/^[[:space:]]*::/#::/' /etc/hosts (or just manually open the file ^^)
    b) /etc/ssh/sshd_config - as mentioned earlier:
    #AddressFamily any
    AddressFamily inet
    c) /etc/netconfig
    modify:
    #udp6 tpi_clts v inet6 udp - -
    #tcp6 tpi_cots_ord v inet6 tcp - -
    d) /etc/sysconfig/chronyd (if you use it):
    add:
    OPTIONS="-F 2 -4"
    e) /etc/dhcpcd.conf (if you use it):
    add:
    noipv6rs
    noipv6
    f) NetworkManager:
    nmcli connection modify ConnectionName ipv6.method "disabled"
    ip address show

reboot, enjoy your completely IPv6-free system ;]

…should I start talking about Intel ME and what it can do?..maybe not :rofl: :upside_down_face:

Have fun!
Regards
Mike
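
An added check for the end state of the procedure above (not part of the original post and not Rocky tooling): it looks at the layers the thread has touched one by one, namely the kernel command line, the disable_ipv6 sysctls, ip addr output, netstat -tuan output and sshd_config, and reports which layer still has IPv6 on. The parsers take text so the script runs offline; the SAMPLE_* inputs are constructed, modelled on the outputs quoted earlier in this thread (a host where the sysctls are set but lo still has disable_ipv6=0 and services still hold IPv6 sockets), and the function and variable names are my own.

```python
import re

# Constructed sample inputs, modelled on the command output quoted in this thread.
SAMPLE_CMDLINE = "BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rl-root ro rhgb quiet"
SAMPLE_SYSCTL = """net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.enp1s0.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0
"""
SAMPLE_IP_ADDR = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 10.16.4.12/24 brd 10.16.4.255 scope global enp1s0
"""
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::53                   :::*                    LISTEN
udp6       0      0 :::111                  :::*
"""
SAMPLE_SSHD = "#AddressFamily any\nPort 22\n"


def cmdline_has(cmdline, param):
    """True if the exact parameter (e.g. 'ipv6.disable=1') is on the kernel command line."""
    return param in cmdline.split()


def disable_ipv6_map(sysctl_text):
    """{'all': True, 'lo': False, ...} from 'sysctl -a | grep disable_ipv6' or sysctl.conf lines."""
    found = {}
    for line in sysctl_text.splitlines():
        m = re.match(r"\s*net\.ipv6\.conf\.(\S+?)\.disable_ipv6\s*=\s*(\d)", line)
        if m:
            found[m.group(1)] = m.group(2) == "1"
    return found


def inet6_addresses(ip_addr_text):
    """Every inet6 address in 'ip addr' output; empty when IPv6 is really off."""
    return re.findall(r"^\s*inet6\s+(\S+)", ip_addr_text, re.M)


def v6_listeners(netstat_text):
    """(proto, local address) for tcp6 listeners and udp6 sockets in 'netstat -tuan' output."""
    out = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] in ("tcp6", "udp6") and (f[0] == "udp6" or "LISTEN" in f):
            out.append((f[0], f[3]))
    return out


def sshd_address_family(sshd_config_text):
    """Effective AddressFamily; sshd defaults to 'any' when the directive is absent or commented out."""
    for line in sshd_config_text.splitlines():
        f = line.split()
        if len(f) == 2 and f[0].lower() == "addressfamily":
            return f[1].lower()
    return "any"


def audit(cmdline, sysctl_text, ip_addr_text, netstat_text, sshd_config_text):
    """Check every layer the thread touches. 'problems' is empty only when all of them agree."""
    dis = disable_ipv6_map(sysctl_text)
    not_disabled = sorted(k for k, on in dis.items() if not on)
    addrs = inet6_addresses(ip_addr_text)
    listeners = v6_listeners(netstat_text)
    af = sshd_address_family(sshd_config_text)
    problems = []
    if not cmdline_has(cmdline, "ipv6.disable=1"):
        problems.append("kernel: ipv6.disable=1 absent from cmdline; the ipv6 module loads and :: stays bindable")
    if not_disabled:
        problems.append("sysctl: disable_ipv6 is 0 on " + ", ".join(not_disabled))
    if addrs:
        problems.append("addresses: inet6 still configured: " + ", ".join(addrs))
    if listeners:
        problems.append("sockets: services still hold AF_INET6 sockets: " + ", ".join(f"{p} {a}" for p, a in listeners))
    if af != "inet":
        problems.append(f"sshd: AddressFamily is '{af}', expected 'inet'")
    return {"not_disabled": not_disabled, "inet6": addrs, "v6_listeners": listeners,
            "sshd_af": af, "problems": problems}


if __name__ == "__main__":
    # On a live host, feed it real data instead, e.g. open('/proc/cmdline').read(),
    # subprocess.check_output(['sysctl', '-a'], text=True), ['ip', 'addr'], ['netstat', '-tuan'].
    for p in audit(SAMPLE_CMDLINE, SAMPLE_SYSCTL, SAMPLE_IP_ADDR, SAMPLE_NETSTAT, SAMPLE_SSHD)["problems"]:
        print("-", p)
```

The point of splitting the checks is the one the thread keeps circling: the sysctls, the addresses and the open sockets are three different things, and a clean sysctl -a is no evidence that the last two are clean.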

I’m not, so I have just the ipv6.method disabled on connections (as my ISP does not support IPv6 yet).

My installed service only listens on the udp6 address with “0.0.0.0” setting.
I suspect that it is due to a default setting on rocky 9.
If I have understood correctly, then complete ipv6 deactivation is not intended. Is there an option whether ipv4 or ipv6 is preferred?

I tried to reproduce this on “9.4 (Blue Onyx)”.

I’m stuck on point 1: is it possible to add the grub parameter ipv6.disable=1 at boot if it is entered permanently according to your instructions?

grep ipv6 /etc/default/grub
GRUB_CMDLINE_LINUX="ipv6.disable=1 ipv6.disable_ipv6=1 ipv6.autoconf=0"

grep ipv6 /boot/grub2/grub.cfg
  set kernelopts="root=/dev/mapper/rl-root ro ipv6.disable=1 ipv6.disable_ipv6=1 ipv6.autoconf=0 "

ls -al /etc/grub*
lrwxrwxrwx. 1 root root   22 May  1 23:27 /etc/grub2-efi.cfg -> ../boot/grub2/grub.cfg
lrwxrwxrwx. 1 root root   22 May  1 23:27 /etc/grub2.cfg -> ../boot/grub2/grub.cfg

When I check /proc/cmdline after reboot, the changes are ignored, it is not in the grub boot parameters.

Do I have to configure something else on UEFI or what could be the problem?

Look at the /boot/grub2/grub.cfg.
Does it have all the entries that you see on GRUB menu during boot? I bet not.
Does it contain string “bls”? I bet yes.
If I’m on winning streak so far, then look at files in /boot/loader/entries/
Do they look like menu entries? Do they dereference the $kernelopts?
Or, do they have the options you see during boot, explicitly written?


An entry there is written by grubby when new kernel is installed. The grubby reads options from /etc/kernel/cmdline.

Since 9.3 the grub2-mkconfig has had a new option: --update-bls-cmdline (see the 9.3 Release Notes in the Red Hat Product Documentation).
Only with it does grub2-mkconfig update the BLS entries (and the /etc/kernel/cmdline) based on GRUB_CMDLINE_LINUX.
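
An added model of the BLS resolution the reply above walks through (example code for this page, not grub’s or grubby’s own logic). It expands the options line of a /boot/loader/entries/*.conf entry against the set kernelopts="..." line in grub.cfg the way GRUB does, so you can see why an entry that dereferences $kernelopts follows GRUB_CMDLINE_LINUX while an entry with explicitly written options ignores it, and what --update-bls-cmdline has to change. GRUB_CFG, ENTRY_DEREF and ENTRY_EXPLICIT are constructed samples (the kernel version string is a placeholder), and rewrite_options is a simplified stand-in for the real tool’s edit.

```python
import re

# Constructed samples modelled on the 9.4 report above: grub.cfg carries the new kernelopts,
# but only one of the two BLS entries below actually dereferences it.
GRUB_CFG = '''set default="0"
set kernelopts="root=/dev/mapper/rl-root ro ipv6.disable=1 ipv6.disable_ipv6=1 ipv6.autoconf=0 "
set tuned_params=""
blscfg
'''
ENTRY_DEREF = '''title Rocky Linux (5.14.0-example.el9.x86_64) 9.4 (Blue Onyx)
version 5.14.0-example.el9.x86_64
linux /vmlinuz-5.14.0-example.el9.x86_64
initrd /initramfs-5.14.0-example.el9.x86_64.img $tuned_initrd
options $kernelopts $tuned_params
grub_class rocky
'''
ENTRY_EXPLICIT = ENTRY_DEREF.replace("options $kernelopts $tuned_params",
                                     "options root=/dev/mapper/rl-root ro rhgb quiet")


def grub_variables(grub_cfg):
    """{'kernelopts': '...', 'tuned_params': '', ...} from the set name="value" lines in grub.cfg."""
    return dict(re.findall(r'^\s*set (\w+)="([^"]*)"', grub_cfg, re.M))


def bls_options(entry_text):
    """The raw 'options' line of a BLS entry, or '' if the entry has none."""
    for line in entry_text.splitlines():
        if line.startswith("options"):
            return line[len("options"):].strip()
    return ""


def uses_kernelopts(entry_text):
    """True if the entry still dereferences $kernelopts, i.e. follows grub.cfg/GRUB_CMDLINE_LINUX."""
    return "$kernelopts" in bls_options(entry_text).split()


def effective_cmdline(entry_text, grub_cfg):
    """What /proc/cmdline will contain for this entry: GRUB substitutes $variables from grub.cfg,
    and a variable that is not set expands to nothing."""
    variables = grub_variables(grub_cfg)
    tokens = []
    for tok in bls_options(entry_text).split():
        if tok.startswith("$"):
            tokens.extend(variables.get(tok[1:], "").split())
        else:
            tokens.append(tok)
    return " ".join(tokens)


def has_param(cmdline, param):
    return param in cmdline.split()


def rewrite_options(entry_text, new_options):
    """The edit grub2-mkconfig --update-bls-cmdline (or grubby) performs on an entry: replace its
    options line with the new command line. Modelled here as a plain text substitution
    (assumption; the real tools also keep /etc/kernel/cmdline in step)."""
    lines = [("options " + new_options.strip()) if l.startswith("options") else l
             for l in entry_text.splitlines()]
    return "\n".join(lines) + "\n"


def diagnose(entry_text, grub_cfg, wanted="ipv6.disable=1"):
    """One-line verdict for a boot entry."""
    if has_param(effective_cmdline(entry_text, grub_cfg), wanted):
        return f"ok: {wanted} will be on /proc/cmdline"
    if uses_kernelopts(entry_text):
        return f"missing: add {wanted} to GRUB_CMDLINE_LINUX and rerun grub2-mkconfig"
    return "missing: entry has explicit options and ignores kernelopts; rerun grub2-mkconfig with --update-bls-cmdline"


if __name__ == "__main__":
    for name, entry in (("deref", ENTRY_DEREF), ("explicit", ENTRY_EXPLICIT)):
        print(name, "->", effective_cmdline(entry, GRUB_CFG))
        print("   ", diagnose(entry, GRUB_CFG))
    fixed = rewrite_options(ENTRY_EXPLICIT, grub_variables(GRUB_CFG)["kernelopts"])
    print("after update ->", diagnose(fixed, GRUB_CFG))
```

On a real host, feed it the contents of /boot/grub2/grub.cfg and each file in /boot/loader/entries/; whichever entry the menu boots, effective_cmdline of that entry should match /proc/cmdline, and a grep of grub.cfg alone (as in the report above) tells you nothing about it.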

1 Like

Yes, you are in the right path.
I can change the boot parameters with grub2-mkconfig -o /boot/grub2/grub.cfg --update-bls-cmdline.
skipped:

  • 3a currently not known which modules
  • 4c,e (file does not exist)

I added the disable_ipv6 options to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.enp1s0.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

It looks like disabling it on 9.4 worked.