# prevent ipv6 autoconfig on vm host nics

## 1clue

Hi,

Can someone tell me what I'm doing wrong?

I'm trying to donate nics to a guest VM, setting up bridged networks right now.  The problem is when I bring up one of the bridges I get an ipv6 address on the host.

The hardware is this:  http://www.supermicro.com/products/motherboard/atom/x10/a1srm-ln7f-2758.cfm  It has:

7x Intel e1000 nics.

16g RAM at the moment.

VT-x

NOT VT-d!

I want:

1x NIC dedicated to the VM host operating system, which no guest should be able to touch. (I have this)

2x NICs dedicated to an "outside" firewall/security VM guest.

4x NICs dedicated to an "inside" firewall/security VM guest (different OS)

IPV6 and/or IPV4 in each network.

The host should not be accessible via any donated NIC. 

My config and my results:

/etc/conf.d/net: https://bpaste.net/show/18fdb002584a

ip address list: https://bpaste.net/show/1b6ee8044c27

Note that I only have 2 ports wired right now.  One is enp4s0 and the other is enp5s0f0.

----------

## khayyam

*1clue wrote:*

> I'm trying to donate nics to a guest VM, setting up bridged networks right now.  The problem is when I bring up one of the bridges I get an ipv6 address on the host.

1clue ... add 'enable_ipv6_{iface}="false"' to those interfaces for which you want ipv6 disabled, eg:

```
enable_ipv6_enp5s0f0="false"
```

Like other definitions this can be global or card specific.

edit: s/enabled/enable/

HTH & best ... khay

Last edited by khayyam on Tue Jan 05, 2016 7:31 pm; edited 1 time in total

----------

## szatox

*Quote:*

> NOT VT-d

Too bad PCI passthrough hard depends on this (or AMD's counterpart)

However, you can still bridge TAP interface with ethernet and... not assign any IP at all on the host part. No IP on tap, no IP on bridge, no IP on eth. I imagine you will lose some performance and some security compared to passthrough, but an attacker would have to find an exploitable bug in layer 2 to make use of it... It's a rather narrow attack surface.

One way to prevent IP being assigned to an interface was using "none" as a configuration method. Used to work just fine with openrc.

----------

## NeddySeagoon

szatox,

It still works just fine with openRC-0.17.

I can't use PCI passthrough because of a bug in my Intel 4 port NIC hardware  :(

----------

## 1clue

@khayyam,

```
enabled_ipv6_enp5s0f0="false"
```

Does not work.  I also put it on br0, nothing.  They both still have ipv6 addresses.

@szatox and NeddySeagoon,

I'm using openrc 0.18.4, and "none" does not work:

```
# service net.br0 start
 * Bringing up interface enp5s0f0
 *   none ...
 *     nothing provides `none'
 * ERROR: net.enp5s0f0 failed to start
 * ERROR: cannot start net.br0 as net.enp5s0f0 would not start
```

I've heard complaints for openrc 0.18 on the forums, haven't done anything about it.  At any rate if "none" is no longer going to work going forward then I need to figure something else out.

I've tried null with and without quotes, the interfaces come up successfully but they still have ipv6 addresses.

I would also like to get assurance that the guest will be able to get ipv6 addresses here too, and that they will only go to that specific vm.

Thanks.

----------

## 1clue

*szatox wrote:*

> *Quote:*
> > NOT VT-d
>
> Too bad PCI passthrough hard depends on this (or AMD's counterpart)
> ...

Even more too bad that SuperMicro made what would otherwise be a fantastic virtual router host and left out VT-d.  The box supports up to 64g RAM, has an 8 core atom processor that routes and compresses faster than my i7 and it has 7x intel nics.  Life can be so frustrating.

----------

## khayyam

*1clue wrote:*

> ```
> enabled_ipv6_enp5s0f0="false"
> ```
> ...

1clue ... that is a typo on my part ... "enable" not "enabled".

```
enable_ipv6_enp5s0f0="false"
```

... BTW, it works here using =sys-apps/openrc-0.12.4.

best ... khay

----------

## szatox

1clue, if I get you right you have just bought this board (I recall some topic regarding this stuff). If it's new enough to let the vendor expect more profit from selling more of those, perhaps it would be possible to get a bios update (or whatever firmware they put into the on-board memory now) enabling IOMMU.

I didn't check that hardware, I don't know if it's possible for this particular mobo, but I do know that having a single line in a factory is cheaper than having 2 of them just to limit capabilities, and every building block is used in multiple applications designed with different purposes in mind. There may be a way to enable some nice features.

----------

## 1clue

@everyone,

changes:

I just renamed my interfaces so my head doesn't explode.  We now have lan0-lan6+enp4s0.

I made just my admin interface and one other nic come up automatically.

I read a bunch of documentation.

I'm pretty much in the same situation as I was before, only I know a little bit more.

@khayyam,

I think that bringing up a bridge with no IP on any part of it is problematic.  My bridge and lan0 don't get their IP address until a few seconds after the system boots.  There must be some sort of automatic fallback in place.

@szatox,

I "just" bought this board about a year ago.  I originally had the plan of doing a VM-based router setup with it, but never had time to get to it.  I had been playing with the routing just on the bare metal.

This is the best c2758-based board SuperMicro makes.  Or it was a year ago.  I don't see any better version of this board.  But I downloaded the latest bios update and am trying to figure out which version is on it now.  That's a good idea and really worth a try.

/etc/conf.d/net: https://bpaste.net/show/ddf3e8bfd5e5

network (only br0 up, none of the other bridges): https://bpaste.net/show/8d8f3520590b

----------

## 1clue

Found the bios version from dmidecode.  There's a much newer version out now, gotta figure out how to upgrade it.

----------

## szatox

Read the changelog before you flash it :)

In the meantime, a quick and ugly hack you can put into /etc/conf.d/net:

```
postup () {
    # netifrc sets IFACE; the spaces around '=' are required for a string comparison
    if [ "${IFACE}" = "br0" ]
    then sysctl net.ipv6.conf.br0.disable_ipv6=1
    fi
}
```

Alternatively you can disable ipv6 for all interfaces (replace .br0. with .all. and add to /etc/sysctl.*) and then enable it only on interfaces you want. It's going to become more and more messy as the number of interfaces increases....

----------

## 1clue

Still haven't flashed the bios yet.  But my bios version is .6 and the new one is .119.

I did rediscover, however, that it's not SuperMicro I need to aim my angst at regarding the lack of VT-d, it's Intel.  This chip does not support it.

I'm beginning to think that I'll need to simply set up iptables to drop everything on these other nics.  Or maybe do VLANs?

----------

## 1clue

I've tried pretty much every nic and every bridge and it's all the same:

If a cable is connected and I bring the interface up, it will get a global ipv6 and a link-local ipv6 address.

If I bring up brN, then brN behaves as above, and lanN gets a link-local ipv6 address.

lanN will have the same link-local that brN has, it's based on the mac address.

If I bring down lanN then (because of dependencies listed) brN and tapN also come down and all IP addresses related to those vanish.

This is with openrc 0.17, I reverted.

So you guys, please answer these:

If you create the bridge in the host with the settings I've been trying, do you get a link-local on either the bridge or the hardware nic?

If you create the bridge, do you get a global ipv6 on the bridge in spite of settings telling it not to?

If you create the bridge and it does not have an IP of any sort, and then get an IP on a guest VM, does the IP show up on the host?

If you create iptables 'drop everything' rules on a host nic, do those rules apply to the guest?

Am I chasing a ghost?

Maybe I just need to install a VM and try it.

----------

## 1clue

OK so here's some more info:

I moved the second ethernet cable over to lan2 just in case something was messing with lan0 specifically.

/etc/sysctl.conf is https://bpaste.net/show/eb07bf19d258

cat /proc/sys/net/ipv6/conf/lan2/autoconf returns 1 in spite of the config.

I can get rid of ipv6 on br2, but something is still insisting on an fe80 on lan2.

All the extra stuff in the net.ipv6.conf.lan2 section has exactly the same effect as the two lines in all the other sections.

Is there something in the startup scripts that force net.ipv6.conf.lan2.autoconf to 1?  It seems to be that way.

----------

## szatox

I think you missed one important detail from my last post. Look:

```
Quad ~ # ifconfig br0 | grep inet
        inet6 fe80::948a:b7ff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
Quad ~ # sysctl net.ipv6.conf.br0.disable_ipv6=1
net.ipv6.conf.br0.disable_ipv6 = 1
Quad ~ # ifconfig br0 | grep inet
Quad ~ # sysctl net.ipv6.conf.br0.disable_ipv6=0
net.ipv6.conf.br0.disable_ipv6 = 0
Quad ~ # ifconfig br0 | grep inet
        inet6 fe80::948a:b7ff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
Quad ~ #
```

You can put this in sysctl to disable ipv6 globally:

*Quote:*

> net.ipv6.conf.all.disable_ipv6=1

And you can toggle ipv6 in postup function as well:

```
postup () {
    # netifrc sets IFACE; the spaces around '=' are required for a string comparison
    if [ "${IFACE}" = "br0" ]
    then sysctl net.ipv6.conf.br0.disable_ipv6=1
    fi
}
```

Always in postup, virtual devices don't exist when preup is called so there is no interface the above command could use.
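The postup hook from szatox's two posts (the "quick and ugly hack" and the version above), as an added example that is not code from the thread: the string test is fixed and the hook is generalized to a list of donated interfaces. The interface list, the SYSCTL override and the ipv6_off_settings helper are this example's own assumptions, not netifrc features.

```shell
#!/bin/sh
# Added example, not code from the thread: szatox's postup hook with the broken
# test fixed ([ "${IFACE}"="br0" ] has no spaces around '=', so the shell sees one
# non-empty string and the condition is true for every interface) and extended to
# a list of donated interfaces. The interface list is constructed for this example;
# SYSCTL can be pointed at a stand-in so the hook can be exercised without root.
SYSCTL="${SYSCTL:-sysctl}"
# Interfaces that carry guest traffic only; the host must never hold an address on them.
DONATED_IFACES="br0 br1 lan0 lan1"

# Exact-match word test: returns 0 when $1 is a donated interface.
is_donated() {
    for i in $DONATED_IFACES; do
        [ "$i" = "$1" ] && return 0
    done
    return 1
}

# The sysctl keys for one interface: no SLAAC, ignore router advertisements,
# and IPv6 off entirely (disable_ipv6 also drops the fe80:: link-local).
ipv6_off_settings() {
    printf 'net.ipv6.conf.%s.autoconf=0\n' "$1"
    printf 'net.ipv6.conf.%s.accept_ra=0\n' "$1"
    printf 'net.ipv6.conf.%s.disable_ipv6=1\n' "$1"
}

# netifrc runs postup with IFACE set, after the bridge/tap exists (preup is
# too early for virtual devices, as the thread notes).
postup() {
    is_donated "${IFACE}" || return 0
    ipv6_off_settings "${IFACE}" | while read -r kv; do
        "$SYSCTL" "$kv" >/dev/null
    done
}
```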

----------

## 1clue

Szatox,

I didn't miss it.  I set it up that way, tried a few things and then reworked it this way so I could be sure exactly what's happening.

At any rate, it's the ethernet interface itself which has the link-local now. I can't get rid of it.

Any ideas?

----------

## szatox

I see no IP6 on any interface here until explicitly enabled:

```
Quad ~ # brctl show lan0
bridge name   bridge id           STP enabled   interfaces
lan0          8000.00e04ceb8d77   no            eth1
                                                wlan0
Quad ~ # ifconfig eth1 | grep ine
Quad ~ # ifconfig lan0 | grep ine
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
Quad ~ # ifconfig wlan0 | grep ine
Quad ~ # sysctl net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.all.disable_ipv6 = 0
Quad ~ # ifconfig wlan0 | grep ine
        inet6 fe80::ea94:f6ff:feba:725b  prefixlen 64  scopeid 0x20<link>
```

Toggling ipv6 on and off:

```
Quad ~ # ifconfig | grep inet
        inet6 fe80::948a:b7ff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::2e0:4cff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        inet XXX.XXX.XXX.XX  netmask 255.255.255.255  destination 10.XX.XX.XX
        inet6 fe80::68e1:62ff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
        inet 10.0.1.1  netmask 255.255.255.0  broadcast 10.0.1.255
        inet6 fe80::2ce0:e6ff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::ea94:f6ff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
Quad ~ # sysctl net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
Quad ~ # sysctl net.ipv6.conf.lan0.disable_ipv6=0
net.ipv6.conf.lan0.disable_ipv6 = 0
Quad ~ # ifconfig | grep inet
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::2e0:4cff:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
        inet 127.0.0.1  netmask 255.0.0.0
        inet XXX.XXX.XXX.XX  netmask 255.255.255.255  destination XX.XX.XX.XX
        inet 10.0.1.1  netmask 255.255.255.0  broadcast 10.0.1.255
```

Creating new interface with ipv6 disabled for all interfaces:

```
Quad ~ # /etc/init.d/net.br0 stop
 * Bringing down interface br0
 *   Destroying bridge br0 ...                    [ ok ]
Quad ~ # /etc/init.d/net.br0 start
 * Bringing up interface br0
 *   Creating bridge br0 ...                      [ ok ]
Quad ~ # ifconfig br0
br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        ether be:f3:XX:XX:XX:XX  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

I'd say it works like a charm.  Well, what's wrong with it?

----------

## 1clue

What does the nic have that br0 is part of?

Right now br0 has no ip address, but lan0 does, when it shouldn't.

----------

## 1clue

I'm not sure why, but I renamed my enp4s0 control interface and now when I bring up br2 there are no ipv4 or ipv6 addresses.

I think this is solved, I'll play with it a bit.

Only problem is I don't know what changed on any practical level.

----------

