Hey, that actually means there's something sane to do with bug 199862.

Created attachment 407819 [details]
patch of concept

Of course the patch isn't perfect but it could work if the first number on e.g. eth0:1 is *the* number to be treated with RFC 3484.
Please have a look and improve.

This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Bill, I'd like to see this one go somewhere, especially for sit devices such as sit1.  I'd prefer to not have services running on the IPV6 routing machine to appear to come from the tunnel endpoint.

I tried to do the following in /sbin/ifup-local, with no success:

case "${DEVICE}" in
  sit[1-9])
    # Depreciate IPv6 tunnel endpoint addresses
    /usr/sbin/ip -6 addr change ${IPV6ADDR} dev ${DEVICE} preferred_lft 0 ;;
  *) ;;
esac

Why not just:
diff --git a/sysconfig/network-scripts/ifup-ipv6 b/sysconfig/network-scripts/ifup-ipv6
index 331073a..b97c9e9 100755
--- a/sysconfig/network-scripts/ifup-ipv6
+++ b/sysconfig/network-scripts/ifup-ipv6
@@ -136,6 +136,7 @@ fi
 if [ -n "$IPV6ADDR_SECONDARIES" ]; then
 	for ipv6addr in $IPV6ADDR_SECONDARIES; do
 		ipv6_add_addr_on_device $DEVICE $ipv6addr
+		ip -6 addr change $ipv6addr dev "$DEVICE" preferred_lft 0
 	done
 fi

?

Are these non-secondary addresses you want to blacklist?

Well, I want to have an auto-configured ('normal') ipv6 on eth0, but also at least one varying deprecated address that I can specifically bind certain services to.
Preferably using privacy via rfc3041 but can that wok per IP instead of per interface?

My ISP uses PD to give me a /80 prefix that may vary over time.
So I want to be able to cope with that too.

See https://bugzilla.redhat.com/show_bug.cgi?id=626514 for the work on dhclient for ipv6.
Next is integration with the distro, scripts et al.

(In reply to comment #6)
> Why not just:
> diff --git a/sysconfig/network-scripts/ifup-ipv6
> b/sysconfig/network-scripts/ifup-ipv6
> index 331073a..b97c9e9 100755
> --- a/sysconfig/network-scripts/ifup-ipv6
> +++ b/sysconfig/network-scripts/ifup-ipv6
> @@ -136,6 +136,7 @@ fi
>  if [ -n "$IPV6ADDR_SECONDARIES" ]; then
>  	for ipv6addr in $IPV6ADDR_SECONDARIES; do
>  		ipv6_add_addr_on_device $DEVICE $ipv6addr
> +		ip -6 addr change $ipv6addr dev "$DEVICE" preferred_lft 0
>  	done
>  fi
> 
> ?
> 
> Are these non-secondary addresses you want to blacklist?

Bill, in my case, yes, they are not secondary addresses.  The address I would like to depreciate is my tunnel endpoint of a sit1 address from Hurricane Electric (for IPv6 transport) so that services running on the same machine running the sit1 interface don't send outbound traffic that appears to come from the tunnel endpoint.

Ideally, it would be nice to have a way in the ifcfg-* files to specify some of these additional options that would be fed to the ip command.

Something like (with the # delimiter):

IPV6ADDR="2001:470:1f10:a4::2#preferred_lft "0


Or, just make sure that ifup-post is called for any and all interfaces, and we can all customize it there.

Bill's patch from comment 6 works for my case; Anthony's case is different.

Any progress?
 I like the secondaries patch very much, can it be in the next release?

This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Loads of bugzilla emails won't help.

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

For the secondaries I expect we can agree those are not prefered to be used for some magic source-selection (which in the end would use the last added IPv6-address), right?

So imho doing the addition to ifup-ipv6 as of "Bill Nottingham 2012-08-20 11:40:06 EDT" might imho be a good thing.

This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Created attachment 965061 [details]
Patch to allow preferred IPv6 source address in /etc/sysconfig/network

I have multiple interfaces with a number of secondaries, of which one should be the source address for client connections from this machine.

The attached patch (created on F20) allows me to select an address to my choice by setting IPV6ADDR_PREFERRED within the /etc/sysconfig/network file 

Pieter

Thanks

(In reply to Pieter D.J. Krul from comment #16)
> Created attachment 965061 [details]
> Patch to allow preferred IPv6 source address in /etc/sysconfig/network

Are you sure that the patch is correct? ipv6_add_addr_on_device only takes two arguments.

Hi Lukáš, 

IMHO ipv6_add_addr_on_device() has not been updated since 2006, nor has the manpage for ip-address(1). The syntax for 'ip' at this moment is:

ip addr {add|change|replace} IFADDR dev STRING [ LIFETIME ] [ CONFFLAG-LIST ]
  CONFFLAG-LIST := [ CONFFLAG-LIST ] CONFFLAG
    CONFFLAG  := [ home | nodad | mngtmpaddr | noprefixroute ]
  LIFETIME := [ valid_lft LFT ] [ preferred_lft LFT ]
    LFT := forever | SECONDS

So, no, the patch was not complete, and results may have come from previous 'ip add change'-commands.

inet6 2a01:7c8:aab5:116:de7e:c7ed:baad:b10c/48 scope global 
  valid_lft forever preferred_lft 95454sec
inet6 2a01:7c8:aab5:116::443/48 scope global 
  valid_lft forever preferred_lft forever
inet6 2a01:7c8:aab5:116::80/48 scope global 
  valid_lft forever preferred_lft forever

The other day I stumbled several UNIX System V books, which reminded me of playing around with SunOS and early RHL versions, with our dearly beloved Ulrich Drepper as bonding instrument for the solution, just as both RFC 6724 and obsoleted RFC 3484 hold the answer. 

In SunOS there was /etc/networks, and we have glibc:

From getaddrinfo(3):
       Given  node  and service, which identify an Internet host and a service,
       getaddrinfo() returns one or more addrinfo structures, each of which con‐
       tains an Internet address that can be specified in a call to bind(2) or
       connect(2). 
       [..]
       Normally, the application should try using the addresses in the order in 
       which they are returned. The sorting function used within getaddrinfo() 
       is defined in RFC 3484; the order can be tweaked for a particular 
       system by  editing  /etc/gai.conf

So, see also gai.conf(5) and the example that comes with glibc-common.

An example gai.conf comes i
       (available since glibc 2.5).

Created attachment 968814 [details]
Concept script to modify kernel address selection labels from userland

Concept script that I use to force an IPv6 source address selection from userland, which, AFAIK satisfies both RFC 3484 / 6724, and the current state of the kernel stuff. Please verify that your $PATH points to the correct ip(1), located in /usr/sbin. Any comments regarding implementation would be appreciated.

This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

If I see the initscripts in F21 right there is still no solution shipped yet, right? Since here are also some thoughts and patches included in this bug, could we update it to F21 maybe?

This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 21 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.