I looked into the code to figure out where the IPv6 configuration is copied
from for a new namespace.

I came across this function addrconf_init_net. I assume this is the
function that is invoked when a new namespace is created.

Inside this function, I came across this code,

        if (IS_ENABLED(CONFIG_SYSCTL) && !net_eq(net, &init_net)) {
                switch (sysctl_devconf_inherit_init_net) {
                case 1:  /* copy from init_net */
                        memcpy(all, init_net.ipv6.devconf_all,
                               sizeof(ipv6_devconf));
                        memcpy(dflt, init_net.ipv6.devconf_dflt,
                               sizeof(ipv6_devconf_dflt));
                        break;
                case 3: /* copy from the current netns */
                        memcpy(all, current->nsproxy->net_ns->ipv6.devconf_all,
                               sizeof(ipv6_devconf));
                        memcpy(dflt,
                               current->nsproxy->net_ns->ipv6.devconf_dflt,
                               sizeof(ipv6_devconf_dflt));
                        break;
                case 0:
                case 2:
                        /* use compiled values */
                        break;
                }
        }

If I set the value of net.core.devconf_inherit_init_net to 1, when a
new namespace is created the values in init_net (which again I assume
is the init process' namespace value, i.e. the global/default namespace)
will be copied into the new namespace. A few lines later, the
following code is present.

        dflt->disable_ipv6 = ipv6_defaults.disable_ipv6;

<<<<< This ipv6_defaults.disable_ipv6 comes from the GRUB command line
value of disable_ipv6.

Hence if I enable IPv6 before creating a new namespace, the new
namespace still will have IPv6 disabled, because of the above single
line of code. Is this correct?


net.ipv6.conf.all.disable_ipv6 is used to change the IPv6 state for
all the currently available interfaces.

net.ipv6.conf.default.disable_ipv6 has the default value from
ipv6_defaults.disable_ipv6 i.e. the grub one. If I change this sysctl,
what impact does it have?


Dheeraj
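As an added example (not kernel code and not from this thread), a userspace C model of the two quoted pieces of addrconf_init_net, so the effect of the devconf_inherit_init_net switch followed by the later dflt->disable_ipv6 assignment can be traced per mode. struct devconf is a two-field stand-in for struct ipv6_devconf; the forwarding field is there only as an ordinary field that is inherited unchanged, and boot_disable_ipv6 plays the role of ipv6_defaults.disable_ipv6.

```c
#include <string.h>
/* Stand-in for struct ipv6_devconf with just the fields this model needs;
 * forwarding is included only to show a field that is inherited unchanged. */
struct devconf {
    int disable_ipv6;
    int forwarding;
};

struct netns_ipv6 {
    struct devconf devconf_all;
    struct devconf devconf_dflt;
};

/* Stand-ins for the compiled-in ipv6_devconf / ipv6_devconf_dflt tables. */
static const struct devconf compiled_all  = { .disable_ipv6 = 0, .forwarding = 0 };
static const struct devconf compiled_dflt = { .disable_ipv6 = 0, .forwarding = 0 };

/* Model of the quoted part of addrconf_init_net for a non-init namespace:
 * inherit_mode plays sysctl_devconf_inherit_init_net, boot_disable_ipv6
 * plays ipv6_defaults.disable_ipv6 (the ipv6.disable_ipv6 boot parameter). */
void init_new_netns(struct netns_ipv6 *newns, int inherit_mode,
                    const struct netns_ipv6 *init_net,
                    const struct netns_ipv6 *current_net,
                    int boot_disable_ipv6)
{
    struct devconf *all = &newns->devconf_all;
    struct devconf *dflt = &newns->devconf_dflt;
    /* Start from the compiled values (what modes 0 and 2 end up with). */
    memcpy(all, &compiled_all, sizeof(*all));
    memcpy(dflt, &compiled_dflt, sizeof(*dflt));

    switch (inherit_mode) {
    case 1:  /* copy from init_net */
        memcpy(all, &init_net->devconf_all, sizeof(*all));
        memcpy(dflt, &init_net->devconf_dflt, sizeof(*dflt));
        break;
    case 3:  /* copy from the current netns */
        memcpy(all, &current_net->devconf_all, sizeof(*all));
        memcpy(dflt, &current_net->devconf_dflt, sizeof(*dflt));
        break;
    case 0:
    case 2:
        /* use compiled values */
        break;
    }
    /* The later line quoted in the mail: only dflt, and only disable_ipv6,
     * is overwritten with the boot-time value, whatever was inherited. */
    dflt->disable_ipv6 = boot_disable_ipv6;
}
```

In this model, mode 1 copies init_net's devconf_dflt and then replaces its disable_ipv6 with the boot-time value, while devconf_all keeps whatever was inherited.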


On Tue, Jun 7, 2022 at 4:25 PM Dheeraj Kandula <[email protected]> wrote:

> Thanks a lot Bjorn for pointing this out. I now have IPv6 disabled by
> default in newly created namespaces too.
>
> However, when I enable IPv6 globally it is not enabled inside the already
> created namespaces. Maybe it has to be done explicitly. I will see if this
> behavior is acceptable.
>
> Thanks a lot Bjorn. I really appreciate your time and patience.
>
> Thanks, Marc too for taking the time to respond to my emails.
>
> Dheeraj
>
> On Tue, Jun 7, 2022 at 4:05 PM Bjørn Mork <[email protected]> wrote:
>
>> Dheeraj Kandula <[email protected]> writes:
>>
>> > Thanks Bjørn for the reply. But with the grub command line, IPv6 option
>> is
>> > not available i.e. net.ipv6.conf.all.disable_ipv6, i.e. net.ipv6
>> itself is
>> > not available.
>> >
>> > $ sudo sysctl net.ipv6
>> > sysctl: cannot stat /proc/sys/net/ipv6: No such file or directory
>>
>> Huh?  Did you set ipv6.disable instead of ipv6.disable_ipv6?  Those are
>> very different, as documented in the module:
>>
>>
>> bjorn@miraculix:~$ modinfo ipv6
>> name:           ipv6
>> filename:       (builtin)
>> alias:          net-pf-10
>> license:        GPL
>> file:           net/ipv6/ipv6
>> description:    IPv6 protocol stack for Linux
>> author:         Cast of dozens
>> parm:           disable:Disable IPv6 module such that it is
>> non-functional (int)
>> parm:           disable_ipv6:Disable IPv6 on all interfaces (int)
>> parm:           autoconf:Enable IPv6 address autoconfiguration on all
>> interfaces (int)
>>
>>
>>
>>
>> Bjørn
>>
>
