Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=179072
Dave Malcolm <dmalcolm(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dmalcolm(a)redhat.com
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=250919
--- Comment #45 from Peter Bieringer <pb(a)bieringer.de> 2011-04-28 16:18:13 EDT ---
Regarding https://bugzilla.redhat.com/show_bug.cgi?id=250919#c43
using udev for setting the sysctl toggle for IPv6 privacy won't work on Fedora
14 out-of-the-box:
the IPv6 module is loaded by initial RAM disk *after* udev initialization,
means if e.g. an udev rule like following
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*",
ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*",
RUN+="sysctl net.ipv6.conf.%k.use_tempaddr=2"
won't work.
The only workaround I found was:
- create a new RAM disk with "--with ipv6"
- extend boot option with "rdloaddriver=ipv6"
- use full qualified path for sysctl
So udev initialization is imho no option at all for setting IPv6 privacy,
especially, if this should be controllable per device.
If one would use the udev mechanism for per interface settings, each time a new
RAM disk must be created...
Imho, ifcfg-INTERFACE would be still a good location for such interface
settings to keep configuration in one place.
Regarding https://bugzilla.redhat.com/show_bug.cgi?id=250919#c44
In an extended version of ifup-ipv6 (on deepspace6), another "privacy" mode is
supported, which is based on setting a random private MAC address on the
interface before bringing up. Therefore the intention of using "rfc3041" as
method was that IPV6_PRIVACY should be flexible to support others than the RFC
3041 one.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=124246
Paul Baumgardner <pbaumgar(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pbaumgar(a)redhat.com
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=250919
--- Comment #44 from Pekka Savola <pekkas(a)netcore.fi> 2011-04-28 13:15:29 EDT ---
FWIW, now that the specification has been superseded by RFC4941, the variable
name is a bit unfortunate.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=250919
--- Comment #43 from Bill Nottingham <notting(a)redhat.com> 2011-04-28 12:31:56 EDT ---
So, a configuration variable whose paradigm is:
switch foo
rfc3041)
rfc9491)
<do something>
*)
<error>
As stated in comment #8, that's awful.
Realistically, things like this don't belong in the ifup path, they belong in
the udev path. But people seem highly opposed to that sort of change.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=250919
Peter Bieringer <pb(a)bieringer.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #495410|0 |1
is patch| |
Attachment #495410|application/octet-stream |text/plain
mime type| |
--- Comment #42 from Peter Bieringer <pb(a)bieringer.de> 2011-04-28 02:13:30 EDT ---
Comment on attachment 495410
--> https://bugzilla.redhat.com/attachment.cgi?id=495410
Patch for F14 to ifup-ipv6 and ifup-eth to enable proper working rfc3041
support
RFC3041 is enabled, if ifcfg-INTERFACE contains:
IPV6INIT=yes
IPV6_PRIVACY="rfc3041"
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=250919
Peter Bieringer <pb(a)bieringer.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #160800|0 |1
is obsolete| |
Attachment #161110|0 |1
is obsolete| |
--- Comment #41 from Peter Bieringer <pb(a)bieringer.de> 2011-04-28 02:12:19 EDT ---
Created attachment 495410
--> https://bugzilla.redhat.com/attachment.cgi?id=495410
Patch for F14 to ifup-ipv6 and ifup-eth to enable proper working rfc3041
support
Patch 161111 is still valid
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=250919
--- Comment #40 from Peter Bieringer <pb(a)bieringer.de> 2011-04-27 14:20:25 EDT ---
Background of this still existing issue is the provided workaround:
ifdown eth0
sysctl net.ipv6.conf.eth0.use_tempaddr=2
ifup eth0
which has 2 requirements if this should be reboot-safe and working
1. IPv6 module must be loaded
=> otherwise, net.ipv6.conf.* doesn't exist at all
2. Device must exist
=> otherwise, per interface sysctl doesn't exist
3. Interface must down
=> otherwise, the toggle isn't recognized
which means at least on Fedora 14, that following key must exist in
/etc/sysctl.conf:
sysctl net.ipv6.conf.all.use_tempaddr=2
to enable IPv6 privacy...so in theory currently and in the past working...until
dracut puts the IPv6 module into RAMdisk.
nowadays this "all" approach is no longer working (I assume, during loading
IPv6 module in early state and interfaces are configured by udev earlier than
the default "all" is changed), each interface must be
specified directly in /etc/sysctl.conf, like
sysctl net.ipv6.conf.eth0.use_tempaddr=2
BTW: as seen in the old entries for that bug, there is a initscripts extension
available, which creates a hook in ifup to apply (if configured) first the
sysctl *before* bringing interface up. Unfortunately, this extension was never
taken over into upstream :-(
I think the current mechanism is still strange and there are 3 options which
can proper solve this:
1) integrate ifup-ipv6 into ifup and adjust systl *before* bringing interface
up
2) integrate hooks for something like ifup-ipv6-PRE into ifup
3) extend IPv6 implementation in kernel that IPv6 privacy can be
enabled/disabled on an running interface, not requiring interface down/up
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=250919
--- Comment #39 from Bill C. Riemers <briemers(a)redhat.com> 2011-04-27 12:48:07 EDT ---
(In reply to comment #37)
> Bill, have you tried designating the original inet6 address as deprecated,
> so as to avoid its use as a source address:
>
> ip -6 addr change 2001:470:1d:1c6:f2de:f1ff:fe05:8579/64 dev eth0 preferred_lft
> 0
That probably would not be a very practical approach. As if the "perminent"
ipv6 address is actually something that updates frequently this setting would
be lost. For example, if you were using a anycast 6to4 tunnel with a dynamic
ipv4 address, your "permanent" address would change whenever your IPv4 address
changed.
use_tempaddr=2 definitely seems like the way to do it correctly. There is
still the unknown, do I need to manually set firewall rules that block incoming
connection requests on the temporary address? If so what is the best way to
do that?
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.