Gentoo Forums
prevent ipv6 autoconfig on vm host nics
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Tue Jan 05, 2016 5:55 am    Post subject: prevent ipv6 autoconfig on vm host nics

Hi,

Can someone tell me what I'm doing wrong?

I'm trying to donate nics to a guest VM, setting up bridged networks right now. The problem is when I bring up one of the bridges I get an ipv6 address on the host.

The hardware is this: http://www.supermicro.com/products/motherboard/atom/x10/a1srm-ln7f-2758.cfm It has:

  1. 7x Intel e1000 nics.
  2. 16g RAM at the moment.
  3. VT-x
  4. NOT VT-d!


I want:

  1. 1x NIC dedicated to the VM host operating system, which no guest should be able to touch. (I have this)
  2. 2x NICs dedicated to an "outside" firewall/security VM guest.
  3. 4x NICs dedicated to an "inside" firewall/security VM guest (different OS)
  4. IPV6 and/or IPV4 in each network.
  5. The host should not be accessible via any donated NIC.


My config and my results:

  1. /etc/conf.d/net: https://bpaste.net/show/18fdb002584a
  2. ip address list: https://bpaste.net/show/1b6ee8044c27
  3. Note that I only have 2 ports wired right now. One is enp4s0 and the other is enp5s0f0.
khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

PostPosted: Tue Jan 05, 2016 8:37 am    Post subject: Re: prevent ipv6 autoconfig on vm host nics

1clue wrote:
I'm trying to donate nics to a guest VM, setting up bridged networks right now. The problem is when I bring up one of the bridges I get an ipv6 address on the host.

1clue ... add 'enable_ipv6_{iface}="false"' to those interfaces for which you want ipv6 disabled, eg:

/etc/conf.d/net:
enable_ipv6_enp5s0f0="false"

Like other definitions this can be global or card specific.

edit: s/enabled/enable/

HTH & best ... khay


Last edited by khayyam on Tue Jan 05, 2016 7:31 pm; edited 1 time in total
szatox
Advocate

Joined: 27 Aug 2013
Posts: 3103

PostPosted: Tue Jan 05, 2016 5:45 pm

Quote:

NOT VT-d

Too bad PCI passthrough hard depends on this (or AMD's counterpart)
However, you can still bridge TAP interface with ethernet and... not assign any IP at all on the host part. No IP on tap, no IP on bridge, no IP on eth. I imagine you will lose some performance and some security compared to passthrough, but an attacker would have to find an exploitable bug in layer 2 to make use of it... It's a rather narrow attack surface.
One way to prevent IP being assigned to an interface was using "none" as a configuration method. Used to work just fine with openrc.
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54096
Location: 56N 3W

PostPosted: Tue Jan 05, 2016 6:44 pm

szatox,

It still works just fine with openRC-0.17.
I can't use PCI passthrough because of a bug in my Intel 4 port NIC hardware :(
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Tue Jan 05, 2016 7:24 pm

@khayyam,

Code:
enabled_ipv6_enp5s0f0="false"


Does not work. I also put it on br0, nothing. They both still have ipv6 addresses.

@szatox and NeddySeagoon,

I'm using openrc 0.18.4, and "none" does not work:

Code:

# service net.br0 start
 * Bringing up interface enp5s0f0
 *   none ...
 *     nothing provides `none'
 * ERROR: net.enp5s0f0 failed to start
 * ERROR: cannot start net.br0 as net.enp5s0f0 would not start


I've heard complaints for openrc 0.18 on the forums, haven't done anything about it. At any rate if "none" is no longer going to work going forward then I need to figure something else out.

I've tried null with and without quotes, the interfaces come up successfully but they still have ipv6 addresses.

I would also like to get assurance that the guest will be able to get ipv6 addresses here too, and that they will only go to that specific vm.

Thanks.
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Tue Jan 05, 2016 7:29 pm

szatox wrote:
Quote:

NOT VT-d

Too bad PCI passthrough hard depends on this (or AMD's counterpart)


Even more too bad that SuperMicro made what would otherwise be a fantastic virtual router host and left out VT-d. The box supports up to 64g RAM, has an 8 core atom processor that routes and compresses faster than my i7 and it has 7x intel nics. Life can be so frustrating.
khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

PostPosted: Tue Jan 05, 2016 7:30 pm

1clue wrote:
Code:
enabled_ipv6_enp5s0f0="false"

Does not work. I also put it on br0, nothing. They both still have ipv6 addresses.

1clue ... that is a typo on my part ... "enable" not "enabled".

/etc/conf.d/net:
enable_ipv6_enp5s0f0="false"

... BTW, it works here using =sys-apps/openrc-0.12.4.

best ... khay
szatox
Advocate

Joined: 27 Aug 2013
Posts: 3103

PostPosted: Wed Jan 06, 2016 12:37 am

1clue, if I get you right you have just bought this board (I recall some topic regarding this stuff). If it's new enough to let the vendor expect more profit from selling more of those, perhaps it would be possible to get a bios update (or whatever firmware they put into the on-board memory now) enabling IOMMU.
I didn't check that hardware, I don't know if it's possible for this particular mobo, but I do know that having a single line in a factory is cheaper than having 2 of them just to limit capabilities, and every building block is used in multiple applications designed with different purposes in mind. There may be a way to enable some nice features.
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Wed Jan 06, 2016 8:59 pm

@everyone,

changes:

  1. I just renamed my interfaces so my head doesn't explode. We now have lan0-lan6+enp4s0.
  2. I made just my admin interface and one other nic come up automatically.
  3. I read a bunch of documentation.
  4. I'm pretty much in the same situation as I was before, only I know a little bit more.


@khayyam,
I think that bringing up a bridge with no IP on any part of it is problematic. My bridge and lan0 don't get their IP address until a few seconds after the system boots. There must be some sort of automatic fallback in place.

@szatox,
I "just" bought this board about a year ago. I originally had the plan of doing a VM-based router setup with it, but never had time to get to it. I had been playing with the routing just on the bare metal.

This is the best c2758-based board SuperMicro makes. Or it was a year ago. I don't see any better version of this board. But I downloaded the latest bios update and am trying to figure out which version is on it now. That's a good idea and really worth a try.


  1. /etc/conf.d/net: https://bpaste.net/show/ddf3e8bfd5e5
  2. network (only br0 up, none of the other bridges): https://bpaste.net/show/8d8f3520590b
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Wed Jan 06, 2016 9:35 pm

Found the bios version from dmidecode. There's a much newer version out now, gotta figure out how to upgrade it.
szatox
Advocate

Joined: 27 Aug 2013
Posts: 3103

PostPosted: Fri Jan 08, 2016 8:54 pm

Read the changelog before you flash it :)
In the meantime, a quick and ugly hack you can put into /etc/conf.d/net:

postup () {
    # the spaces around = matter: "${IFACE}"="br0" is a single non-empty
    # string, which test(1) treats as true for every interface
    if [ "${IFACE}" = "br0" ]
    then sysctl net.ipv6.conf.br0.disable_ipv6=1
    fi
}

Alternatively you can disable ipv6 for all interfaces (replace .br0. with .all. and add to /etc/sysctl.*) and then enable it only on interfaces you want. It's going to become more and more messy as the number of interfaces increases....
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Fri Jan 08, 2016 11:18 pm

Still haven't flashed the bios yet. But my bios version is .6 and the new one is .119.

I did rediscover, however, that it's not SuperMicro I need to aim my angst at regarding the lack of VT-d, it's Intel. This chip does not support it.

I'm beginning to think that I'll need to simply set up iptables to drop everything on these other nics. Or maybe do VLANs?
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Thu Jan 14, 2016 4:36 am

I've tried pretty much every nic and every bridge and it's all the same:

  1. If a cable is connected and I bring the interface up, it will get a global ipv6 and a link-local ipv6 address.
  2. If I bring up brN, then brN behaves as above, and lanN gets a link-local ipv6 address.
  3. lanN will have the same link-local that brN has, it's based on the mac address.
  4. If I bring down lanN then (because of dependencies listed) brN and tapN also come down and all IP addresses related to those vanish.


This is with openrc 0.17, I reverted.

So you guys, please answer these:

  1. If you create the bridge in the host with the settings I've been trying, do you get a link-local on either the bridge or the hardware nic?
  2. If you create the bridge, do you get a global ipv6 on the bridge in spite of settings telling it not to?
  3. If you create the bridge and it does not have an IP of any sort, and then get an IP on a guest VM, does the IP show up on the host?
  4. If you create iptables 'drop everything' rules on a host nic, do those rules apply to the guest?
  5. Am I chasing a ghost?


Maybe I just need to install a VM and try it.
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Thu Jan 14, 2016 5:59 am

OK so here's some more info:

I moved the second ethernet cable over to lan2 just in case something was messing with lan0 specifically.


  1. /etc/sysctl.conf is https://bpaste.net/show/eb07bf19d258
  2. cat /proc/sys/net/ipv6/conf/lan2/autoconf returns 1 in spite of the config.
  3. I can get rid of ipv6 on br2, but something is still insisting on an fe80 on lan2.


All the extra stuff in the net.ipv6.conf.lan2 section has exactly the same effect as the two lines in all the other sections.

Is there something in the startup scripts that forces net.ipv6.conf.lan2.autoconf to 1? It seems to be that way.
szatox
Advocate

Joined: 27 Aug 2013
Posts: 3103

PostPosted: Thu Jan 14, 2016 5:14 pm

I think you missed one important detail from my last post. Look:
Code:
Quad ~ # ifconfig br0 | grep inet
        inet6 fe80::948a:b7ff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
Quad ~ # sysctl net.ipv6.conf.br0.disable_ipv6=1
net.ipv6.conf.br0.disable_ipv6 = 1
Quad ~ # ifconfig br0 | grep inet
Quad ~ # sysctl net.ipv6.conf.br0.disable_ipv6=0
net.ipv6.conf.br0.disable_ipv6 = 0
Quad ~ # ifconfig br0 | grep inet
        inet6 fe80::948a:b7ff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
Quad ~ #


You can put this in sysctl to disable ipv6 globally:
Quote:
net.ipv6.conf.all.disable_ipv6=1

And you can toggle ipv6 in postup function as well:
Code:
postup () {
    # the spaces around = matter: "${IFACE}"="br0" is a single non-empty
    # string, which test(1) treats as true for every interface
    if [ "${IFACE}" = "br0" ]
    then sysctl net.ipv6.conf.br0.disable_ipv6=1
    fi
}

Always in postup, virtual devices don't exist when preup is called so there is no interface the above command could use.
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Thu Jan 14, 2016 6:53 pm

Szatox,

I didn't miss it. I set it up that way, tried a few things and then reworked it this way so I could be sure exactly what's happening.

At any rate, it's the ethernet interface itself which has the link-local now. I can't get rid of it.

Any ideas?
szatox
Advocate

Joined: 27 Aug 2013
Posts: 3103

PostPosted: Thu Jan 14, 2016 8:48 pm

I see no IP6 on any interface here until explicitly enabled:
Code:
Quad ~ # brctl show lan0
bridge name   bridge id      STP enabled   interfaces
lan0      8000.00e04ceb8d77   no      eth1
                     wlan0
Quad ~ # ifconfig eth1 | grep ine
Quad ~ # ifconfig lan0 | grep ine
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
Quad ~ # ifconfig wlan0 | grep ine
Quad ~ # sysctl net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.all.disable_ipv6 = 0
Quad ~ # ifconfig wlan0 | grep ine
        inet6 fe80::ea94:f6ff:feba:725b  prefixlen 64  scopeid 0x20<link>

Toggling ipv6 on and off:
Code:

Quad ~ # ifconfig | grep inet
        inet6 fe80::948a:b7ff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::2e0:4cff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        inet XXX.XXX.XXX.XX  netmask 255.255.255.255  destination 10.XX.XX.XX
        inet6 fe80::68e1:62ff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
        inet 10.0.1.1  netmask 255.255.255.0  broadcast 10.0.1.255
        inet6 fe80::2ce0:e6ff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::ea94:f6ff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
Quad ~ # sysctl net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
Quad ~ # sysctl net.ipv6.conf.lan0.disable_ipv6=0
net.ipv6.conf.lan0.disable_ipv6 = 0
Quad ~ # ifconfig | grep inet
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::2e0:4cff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
        inet 127.0.0.1  netmask 255.0.0.0
        inet XXX.XXX.XXX.XX  netmask 255.255.255.255  destination XX.XX.XX.XX
        inet 10.0.1.1  netmask 255.255.255.0  broadcast 10.0.1.255


Creating new interface with ipv6 disabled for all interfaces:
Code:
Quad ~ # /etc/init.d/net.br0 stop
 * Bringing down interface br0
 *   Destroying bridge br0 ...                                                                                                                         [ ok ]
Quad ~ # /etc/init.d/net.br0 start
 * Bringing up interface br0
 *   Creating bridge br0 ...                                                                                                                           [ ok ]
Quad ~ # ifconfig br0
br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        ether be:f3:XX:XX:XX:XX  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I'd say it works like a charm. :roll: Well, what's wrong with it?
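Added example, not code from szatox or from netifrc: a postup hook for /etc/conf.d/net in the spirit of the one-liner posted above, extended to the host's whole set of donated bridges and to the ports enslaved to each bridge (the thread's remaining complaint is that the member port, not just the bridge, keeps a fe80:: link-local). It also includes a checker that parses `ip -o -6 addr show` output so the result can be verified after boot. The bridge names br0..br3 and the port names lan0..lan6 are taken from the thread; that the bridges are the only interfaces to strip, and the constructed sample output at the bottom, are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): /etc/conf.d/net postup hook that turns
# IPv6 off on a bridge and on every port enslaved to it, plus a checker that
# parses `ip -o -6 addr show` output. Assumed names: br0..br3 over lan0..lan6.

# Bridges the host must never hold an address on (assumption: bridges only).
HOST_NOADDR_BRIDGES="br0 br1 br2 br3"

# Ports currently enslaved to a bridge, read from sysfs (empty if not a bridge).
bridge_ports() {
    for p in /sys/class/net/"$1"/brif/*; do
        [ -e "$p" ] && basename "$p"
    done
    return 0
}

# sysctl assignments that remove IPv6 from one interface. disable_ipv6=1 drops
# the kernel-generated fe80:: link-local as well as any SLAAC global address;
# autoconf=0 and accept_ra=0 on their own leave the link-local in place.
noipv6_sysctls() {
    printf 'net.ipv6.conf.%s.disable_ipv6=1\n' "$1"
    printf 'net.ipv6.conf.%s.autoconf=0\n' "$1"
    printf 'net.ipv6.conf.%s.accept_ra=0\n' "$1"
}

# Apply them to the bridge and to each of its ports.
disable_ipv6_on_bridge() {
    for dev in "$1" $(bridge_ports "$1"); do
        noipv6_sysctls "$dev" | while read -r kv; do sysctl -q -w "$kv"; done
    done
}

# netifrc runs postup with IFACE set once the device is up; a bridge does not
# exist yet at preup time, so this cannot go there. Note the spaces around "=":
# "${IFACE}"="$b" would be one non-empty string and always test true.
postup() {
    for b in $HOST_NOADDR_BRIDGES; do
        if [ "${IFACE}" = "$b" ]; then
            disable_ipv6_on_bridge "$IFACE"
        fi
    done
    return 0
}

# Checker: read `ip -o -6 addr show` lines on stdin and print, sorted, every
# interface that still carries an inet6 address. In the one-line format field 2
# is the interface name and field 3 the address family.
ifaces_with_ipv6() {
    awk '$3 == "inet6" { name = $2; sub(/@.*/, "", name); seen[name] = 1 }
         END { for (i in seen) print i }' | sort
}

# Return 1 if any interface listed in $2 appears in the `ip` output passed as $1.
check_no_ipv6() {
    bad=0
    for dev in $2; do
        if printf '%s\n' "$1" | ifaces_with_ipv6 | grep -qx "$dev"; then
            echo "FAIL: $dev still has an IPv6 address" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed sample of `ip -o -6 addr show` output (lifetimes omitted): the
# bridge br2 and its port lan2 both still hold addresses, as in the thread.
SAMPLE_IP6='1: lo    inet6 ::1/128 scope host
2: enp4s0    inet6 fe80::1/64 scope link
3: lan2    inet6 fe80::aaaa:bbff:fecc:dddd/64 scope link
5: br2    inet6 2001:db8::aaaa:bbff:fecc:dddd/64 scope global dynamic'

# Stand-alone run against the sample: list leaking interfaces, then check br2/lan2.
printf '%s\n' "$SAMPLE_IP6" | ifaces_with_ipv6
check_no_ipv6 "$SAMPLE_IP6" "br2 lan2" || echo "sample host still leaks IPv6 on a donated bridge"
```

To use it on a real host, copy the function definitions into /etc/conf.d/net (it is sourced by netifrc, so postup is picked up automatically) and run `ip -o -6 addr show | ifaces_with_ipv6` after `service net.br2 start` to confirm neither br2 nor lan2 is listed. The checker reads the `ip` output rather than /proc/sys/net/ipv6/conf/*/autoconf because an autoconf value of 1 on its own does not tell you whether a link-local was actually assigned.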
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Thu Jan 14, 2016 9:26 pm

What does the nic have that br0 is part of?

Right now br0 has no ip address, but lan0 does, when it shouldn't.
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Thu Jan 14, 2016 11:20 pm

I'm not sure why, but I renamed my enp4s0 control interface and now when I bring up br2 there are no ipv4 or ipv6 addresses.

I think this is solved, I'll play with it a bit.

Only problem is I don't know what changed on any practical level.
All times are GMT