Package: systemd
Version: 229-1
Severity: normal

I have a host that is hosting a number of KVM virtual machines. It has eth0 to the Internet. The virtual machines connect to br0, and the host is routing between br0 and eth0. Both host and VMs are fully IPv6 enabled. Network configuration is done with systemd-networkd. For the Ethernet, router advertisements should be processed; the Bridge has static configuration. radvd is running on br0 to allow VMs to learn IPv6 prefixes and routes.

[5/505]mh@fan:/etc/systemd/network$ cat eth0.network
[Match]
Name=eth0

[Network]
DHCP=yes
IPForward=yes
DNS=192.168.181.53
DNS=192.168.251.53
DNS=fec0:0:0:ffff::1
Domains=zugschlus.de ka51.zugschlus.de
IPv6AcceptRouterAdvertisements=1

[Address]
Address=2a01:238:4071:3282::1d:100/64

[Address]
Address=2a01:238:4071:3282::1d:250/128

[Address]
Address=192.168.182.250/32
[6/506]mh@fan:/etc/systemd/network$ cat br0.netdev
[NetDev]
Name=br0
kind=bridge
[7/507]mh@fan:/etc/systemd/network$ cat br0.network
[Match]
Name=br0

[Network]
Address=192.168.29.254/24
DHCP=no
IPForward=yes

[Address]
Address=2a01:238:4071:328d::1d:100/64

[Address]
Address=2a01:238:4071:328d::1d:153/64

[Address]
Address=fec0:0:0:ffff::1/128

[Address]
Address=fec0:0:0:ffff::2/128

[Address]
Address=fec0:0:0:ffff::3/128
[8/508]mh@fan:/etc/systemd/network$

[13/513]mh@fan:~$ cat /etc/radvd.conf
interface br0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 600;
    MaxRtrAdvInterval 1200;
    prefix 2a01:238:4071:328d::/64
    {
        DeprecatePrefix on;
    };
    RDNSS 2a01:238:4071:328d::1d:153
    {
        AdvRDNSSLifetime 1200;
    };
};
mh@fan:~$

With older systemd, this resulted in a working configuration:

mh@fan:/etc/systemd/network$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 54:04:a6:82:21:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.182.250/32 brd 192.168.182.250 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.182.29/24 brd 192.168.182.255 scope global dynamic eth0
       valid_lft 13813sec preferred_lft 13813sec
    inet6 2a01:238:4071:3282:5604:a6ff:fe82:2100/64 scope global mngtmpaddr dynamic
       valid_lft 86013sec preferred_lft 14013sec
    inet6 2a01:238:4071:3282::1d:250/128 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:238:4071:3282::1d:100/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5604:a6ff:fe82:2100/64 scope link
       valid_lft forever preferred_lft forever
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c6:f4:98:dc:5e:21 brd ff:ff:ff:ff:ff:ff
    inet 192.168.29.254/24 brd 192.168.29.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 2a01:238:4071:328d::1d:153/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:238:4071:328d::1d:100/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fec0:0:0:ffff::3/128 scope site
       valid_lft forever preferred_lft forever
    inet6 fec0:0:0:ffff::2/128 scope site
       valid_lft forever preferred_lft forever
    inet6 fec0:0:0:ffff::1/128 scope site
       valid_lft forever preferred_lft forever
    inet6 fe80::c4f4:98ff:fedc:5e21/64 scope link
       valid_lft forever preferred_lft forever
4: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
    link/ether 1e:75:76:3b:aa:88 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1c75:76ff:fe3b:aa88/64 scope link
       valid_lft forever preferred_lft forever
mh@fan:/etc/systemd/network$ ip -6 r
2a01:238:4071:3282::1d:250 dev eth0 proto kernel metric 256 pref medium
2a01:238:4071:3282::/64 dev eth0 proto kernel metric 256 pref medium
2a01:238:4071:328d::/64 dev br0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev dummy0 proto kernel metric 256 pref medium
fe80::/64 dev br0 proto kernel metric 256 pref medium
fec0:0:0:ffff::1 dev br0 proto kernel metric 256 pref medium
fec0:0:0:ffff::2 dev br0 proto kernel metric 256 pref medium
fec0:0:0:ffff::3 dev br0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1411sec hoplimit 64 pref high
mh@fan:/etc/systemd/network$

Systemd 229 implements its own IPv6 Router Advertisement processing, which is - unfortunately - severely flawed. Having IPv6AcceptRouterAdvertisements=1 results in the following, not working configuration:

mh@fan:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 54:04:a6:82:21:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.182.250/32 brd 192.168.182.250 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.182.29/24 brd 192.168.182.255 scope global dynamic eth0
       valid_lft 12417sec preferred_lft 12417sec
    inet6 2a01:238:4071:328d:5604:a6ff:fe82:2100/64 scope global mngtmpaddr noprefixroute dynamic
       valid_lft 86387sec preferred_lft 14387sec
    inet6 2a01:238:4071:3282:5604:a6ff:fe82:2100/64 scope global mngtmpaddr noprefixroute dynamic
       valid_lft 86252sec preferred_lft 14252sec
    inet6 2a01:238:4071:3282::1d:250/128 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:238:4071:3282::1d:100/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5604:a6ff:fe82:2100/64 scope link
       valid_lft forever preferred_lft forever
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c6:f4:98:dc:5e:21 brd ff:ff:ff:ff:ff:ff
    inet 192.168.29.254/24 brd 192.168.29.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 2a01:238:4071:328d::1d:153/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:238:4071:328d::1d:100/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fec0:0:0:ffff::3/128 scope site
       valid_lft forever preferred_lft forever
    inet6 fec0:0:0:ffff::2/128 scope site
       valid_lft forever preferred_lft forever
    inet6 fec0:0:0:ffff::1/128 scope site
       valid_lft forever preferred_lft forever
    inet6 fe80::c4f4:98ff:fedc:5e21/64 scope link
       valid_lft forever preferred_lft forever
4: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
    link/ether 96:b4:30:70:4d:75 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::94b4:30ff:fe70:4d75/64 scope link
       valid_lft forever preferred_lft forever
mh@fan:~$
mh@fan:/etc/systemd/network$ ip -6 r
2a01:238:4071:3282::1d:250 dev eth0 proto kernel metric 256 pref medium
2a01:238:4071:3282::/64 dev eth0 proto kernel metric 256 pref medium
2a01:238:4071:328d::/64 dev br0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev dummy0 proto kernel metric 256 pref medium
fe80::/64 dev br0 proto kernel metric 256 pref medium
fec0:0:0:ffff::1 dev br0 proto kernel metric 256 pref medium
fec0:0:0:ffff::2 dev br0 proto kernel metric 256 pref medium
fec0:0:0:ffff::3 dev br0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1411sec hoplimit 64 pref high
default via fe80::c4f4:98ff:fedc:5e21 dev eth0 proto ra metric 1024 pref medium
mh@fan:/etc/systemd/network$

Setting IPv6AcceptRouterAdvertisements=0 fixes the issue at the cost of having to manually fiddle again in /proc to get the desired behavior of accepting router advertisements on and only on eth0.

In a nutshell: with IPv6AcceptRouterAdvertisements=1, it looks like networkd handles incoming router advertisements itself, and it's doing things wrong.

Bug 1: It accepts and handles the RA sent out by the locally running radvd on br0.

Bug 2: It then configures the IP addresses and routes derived from this RA on the wrong interface, eth0.

This results in IP addresses from the wrong prefix being configured on eth0, and, catastrophically, a second, incorrect default route is being configured.

Remedy:

(1) Configure IP addresses and routes learned on one interface on this interface and not on an arbitrary other interface. This is especially important if the gateway address learned is link local, as this is commonly the case in IPv6.

(2) Ignore RAs coming in from the local host.

If this were my package, this bug report would have an RC severity as this regression breaks IPv6 networking for many non-trivial network setups. Feel free to ramp up the severity accordingly. I would suggest "serious".

Greetings
Marc
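
A check for the two symptoms described in the report above, added here as an example (not part of the original report and not systemd code). It flags RA-learned default routes whose next hop is one of the host's own addresses, and dynamic addresses taken from a prefix that is on-link on a different interface. The function name, finding labels and the `ip -o -6 addr` sample layout are assumptions; the sample values are constructed from the failing state shown in the report.

```python
import ipaddress
import re

# Constructed sample input: values copied from the report's failing state,
# addresses laid out as `ip -o -6 addr` prints them, routes as `ip -6 r`.
ADDRS = """\
2: eth0    inet6 2a01:238:4071:328d:5604:a6ff:fe82:2100/64 scope global mngtmpaddr noprefixroute dynamic
2: eth0    inet6 2a01:238:4071:3282:5604:a6ff:fe82:2100/64 scope global mngtmpaddr noprefixroute dynamic
2: eth0    inet6 2a01:238:4071:3282::1d:100/64 scope global
2: eth0    inet6 fe80::5604:a6ff:fe82:2100/64 scope link
3: br0    inet6 2a01:238:4071:328d::1d:100/64 scope global
3: br0    inet6 fe80::c4f4:98ff:fedc:5e21/64 scope link
"""
ROUTES = """\
2a01:238:4071:3282::/64 dev eth0 proto kernel metric 256 pref medium
2a01:238:4071:328d::/64 dev br0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1411sec hoplimit 64 pref high
default via fe80::c4f4:98ff:fedc:5e21 dev eth0 proto ra metric 1024 pref medium
"""

def audit(addr_text, route_text):
    """Return findings for the two symptoms described in the report."""
    addrs = [(m[1], ipaddress.ip_interface(m[2]), "dynamic" in line.split())
             for line in addr_text.splitlines()
             if (m := re.match(r"\d+: (\S+)\s+inet6 (\S+)", line))]
    own = {iface.ip: dev for dev, iface, _ in addrs}  # every local address
    onlink = {}  # global prefix -> interface holding its kernel on-link route
    findings = []
    for line in route_text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "default" and "ra" in f:
            gw, dev = ipaddress.ip_address(f[2]), f[4]
            if gw in own:  # next hop is an address of this very host
                findings.append(("self-ra-default-route", dev, str(gw), own[gw]))
        elif "kernel" in f and "/" in f[0]:
            net = ipaddress.ip_network(f[0])
            if not net.is_link_local:
                onlink[net] = f[2]
    for dev, iface, dynamic in addrs:
        owner = onlink.get(iface.network)
        if dynamic and owner and owner != dev:  # autoconfigured from another link's prefix
            findings.append(("foreign-prefix-address", dev, str(iface), owner))
    return findings
```

On a host in the working state from the report (one RA default route via fe80::1, no 328d address on eth0) the function returns an empty list.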