Red Hat Bugzilla – Bug 995478
/etc/sysctl.conf contains no IPv6 parameters
Last modified: 2016-11-25 08:05:42 EST
Description of problem:
The default /etc/sysctl.conf file provided in the distro contains only IPv4 parameters. There is no reference to IPv6.
For example, if the machine will be used as a router, the paragraph
# Controls IP packet forwarding
net.ipv4.ip_forward = 0 (or 1)
is clearly visible. There is no IPv6 equivalent for this in the file.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install procps package.
2. Look into the /etc/sysctl.conf file
The given parameters are for IPv4 only.
The file should contain equivalent parameters/configuration for IPv6.
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.
Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Even when the sysctl tool itself is a part of the procps packages, the /etc/sysctl.conf config file belongs to the initscripts component. I'm changing the component to initscripts.
There are no such settings because we don't want to modify default kernel values.
Hello and thanks,
One that configures a Red Hat system as a router *needs* to have a well documented way to make it "permeable" (IP forwarding) for both IPv4 and IPv6 packets.
So we can't rely on the idea "we don't want to modify default kernel values".
Any suggestions, please?
This looks more like a documentation issue.
If you only need to know the IPv6 variants of the variables, then I suggest you type all the variables with 'sysctl -a' and then choose the ones you need to override, so that you could modify your local copy of the sysctl.conf according to your needs.
You're probably interested in the following two variables:
Thank you, :)
IMHO, it is both a:
- "bug" concerning the maintainer of the stock (default) /etc/sysctl.conf file distributed in RHEL/CentOS/Fedora
- documentation "bug" (Red Hat official guides, etc.)
Since GNU/Linux systems are frequently used as routers or NAT gateways, the file and the docs should clearly state, for both IPv4 and IPv6:
- what kernel parameters make the system "permeable" for IPv4 and IPv6 traffic (i.e. allow the passing of IP packets from one network interface to another)
- the /etc/sysctl.conf file distributed in the official distro image should contain lines and clear comments for those parameters, for both IPv4 and IPv6, even if the lines are commented out by default.
These aspects became even more important in recent times, since new versions of these OSes have the IPv6 functions of the network interfaces *enabled* by default, after installation.
For being useful in practice, all these should integrate smoothly with popular firewall solutions for IPv4 and IPv6, such as firewalld or shorewall (http://shorewall.net/).
Thanks a lot,
I see what you mean. The idea of having a pre-filled sysctl.conf file with comments might be a good way to make the kernel tuning faster/easier/intuitive. That way it could play a role of config file and template at once.
Lukáši, I think we could start at least with the forwarding settings and, in your opinion, also other variables often overridden by the users. What do you think?
I believe this subject comes under the heading of:
Reverse Path Forwarding
Perhaps I could add a section there.
Thanks to Stephen for the piece of info in comment no 12.
There are *two* issues in this thread; one of them is only collateral.
The *main* issue here is the lack of parallelism for IPv4 and IPv6 parameters in /etc/sysctl.conf and their default values. Users should be able to configure the system in IPv6 as easily as in IPv4. IMHO, this is not a "documentation bug", but one addressed to the team writing the config files that are distributed by default in the distro. Who writes the /etc/sysctl.conf default file?
The second, which is only collateral - I used it just as an example above - is the necessary IPv6 parameter for making a system "permeable" to IPv6 packets. How should one make a system "permeable" to IPv6 packets?
For the second issue, I think the correct, elegant answer is available in /usr/share/doc/initscripts-*/sysconfig.txt: one must set
IPV6FORWARDING=yes in /etc/sysconfig/network and that's all. If you agree, *please* mention this in Red Hat manuals, in a more visible place (/usr/share/doc/initscripts-*/sysconfig.txt is too obscure).
Problem is that officially initscripts don't know the default settings, it is kernel stuff, in ideal case kernel should ship some /etc/sysctl.d/* confs with commented defaults.
I would like to summarise this issue.
As per comment 0, if you look in /etc/sysctl.conf you see some values for IPv4 which are overriding the kernel default values.
What was meant in comment 4, is that initscripts *itself* does not want to modify the default values.
As per comment 7 and 8, if the user wants to change the values they can run `sysctl -a` to see what the values currently are, and check the kernel docs for the definitions. For example: ~]$ less /usr/share/doc/kernel-doc-2.6.32/Documentation/networking/ip-sysctl.txt
As is being implied in comment 15, initscripts is not the best place to override kernel default values. In an ideal world the kernel would have values widely agreed to be sensible, or patches would be applied by the distro to make changes deemed necessary for that distro.
Therefore, the feeling is that the "lack of parallelism for IPv4 and IPv6 parameters in /etc/sysctl.conf" should be addressed by removing the need to use that file to change defaults in the kernel, rather than adding IPv6 versions of the current IPv4 settings.
I will clone to ask kernel team to consider comment 15 while I review the Deployment Guide to see what improvements I can make.
On second thoughts, to reduce confusion, I will clone for my Docs review and reassign this original bug to kernel team (as the bug history will be easier to follow).
Sorry for the noise.
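The `sysctl -a` comparison suggested in the thread, as an added example that is not part of the original bug report or of any Red Hat package. It reads `sysctl -a` style output and reports whether forwarding is on for each address family. The function names and sample data are constructed for illustration, and `net.ipv6.conf.all.forwarding` is the kernel's IPv6 forwarding key, which the thread itself does not spell out.

```shell
#!/bin/sh
# Added example: compare IPv4 and IPv6 forwarding state in `sysctl -a` output.
# Function names are hypothetical; input is "key = value" lines on stdin.

# Constructed sample standing in for `sysctl -a` on a host where only
# IPv4 forwarding was switched on.
sample_sysctl() {
cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
EOF
}

# Print "<family> <on|off|unset>" for IPv4 and IPv6.
# "unset" means the key was absent (for example, IPv6 not loaded).
forwarding_state() {
    awk -F'[ \t]*=[ \t]*' '
        function state(v) {
            if (v == "") return "unset"
            return (v + 0 == 0) ? "off" : "on"
        }
        $1 == "net.ipv4.ip_forward"          { v4 = $2 }
        $1 == "net.ipv6.conf.all.forwarding" { v6 = $2 }
        END {
            print "ipv4", state(v4)
            print "ipv6", state(v6)
        }
    '
}

# Exit 0 when exactly one family forwards: the host routes one protocol
# but not the other, so only one of the two firewall rule sets
# (iptables / ip6tables) is actually filtering forwarded traffic.
forwarding_mismatch() {
    report=$(forwarding_state)
    v4=$(printf '%s\n' "$report" | awk '$1 == "ipv4" { print $2 }')
    v6=$(printf '%s\n' "$report" | awk '$1 == "ipv6" { print $2 }')
    [ "$v4" != "$v6" ] && { [ "$v4" = on ] || [ "$v6" = on ]; }
}

# Demonstration on the constructed sample.
sample_sysctl | forwarding_state
```

On a live system, feed it real data with `sysctl -a 2>/dev/null | forwarding_state`.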
Hello kernel team
Please consider comment 10 and comment 15
We support several kernel rpms to be installed in parallel to be able to boot different kernel versions. I don't see how the kernel package can write anything to /etc/sysctl.d/ without causing horrendous rpm conflicts. And having the file names in /etc/sysctl.d/ contain kernel version doesn't make sense, either (especially when multiple kernel rpms are installed).
We would need another package to contain this. Creating just a kernel-sysctl package with a single file sounds silly, though. The sysctl.conf file is part of initscripts for this reason; and this is the only place where this can be added.
I don't see anything we can do on the kernel side.
I'm reassigning to initscripts for the initscripts maintainer to decide whether the IPv6 options can be added to sysctl.conf - commented out, of course (i.e. for documentation purposes). I find this very reasonable but I don't know all the limitations there and use cases. If there are reasons this can't be done in initscripts, there's nothing we can do and the bug will have to be closed.
To sum up what Jiri just said, re comment #15, for getting the defaults, it's just a matter of dumping current configs (sysctl -a) after a boot without special sysctls applied. If you need it, documentation is available under the Documentation/ folder, and please feel free to get in touch if you feel the need.
Yet, we are probably not going to have this for RHEL6 anymore as it's just too late for such improvement on it. If Lukas agrees, we should close this bug and open a new one targeting RHEL7/systemd instead.
(In reply to Marcelo Ricardo Leitner from comment #22)
> Yet, we are probably not going to have this for RHEL6 anymore as it's just
> too late for such improvement on it. If Lukas agrees, we should close this
> bug and open a new one targeting RHEL7/systemd instead.
I agree on closing this BZ. It's unfortunate, but we're in phase2 of RHEL6 lifecycle. I realize, this is inconvenient, but I fail to see this being a bug.
Also, cloning this for RHEL7 does not make sense either, because AFAIK lots of initscripts responsibilities have been taken over by systemd. Here's the content of /etc/sysctl.conf from RHEL7:
# Kernel sysctl configuration file
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0