Bug 995478 - /etc/sysctl.conf contains no IPv6 parameters
/etc/sysctl.conf contains no IPv6 parameters
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: initscripts (Show other bugs)
6.6
Unspecified Unspecified
high Severity unspecified
: rc
: ---
Assigned To: initscripts Maintenance Team
qe-baseos-daemons
: Documentation
Depends On:
Blocks: 1243352
  Show dependency treegraph
 
Reported: 2013-08-09 09:43 EDT by Răzvan Sandu
Modified: 2016-11-25 08:05 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1243352 1243508 (view as bug list)
Environment:
Last Closed: 2016-11-09 11:36:12 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Răzvan Sandu 2013-08-09 09:43:42 EDT
Description of problem:

The default /etc/sysctl.conf file provided in the distro contains only IPv4 parameters. There is no reference to IPv6.

For example, if the machine will be used as a router, the paragraph

# Controls IP packet forwarding
net.ipv4.ip_forward = 0 (or 1)

is clearly visible. There is no IPv6 equivalent for this in the file.


Version-Release number of selected component (if applicable):
procps-3.2.8-25.el6.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Install procps package.
2. Look into the /etc/sysctl.conf file


Actual results:
The given parameters are for IPv4 only.

Expected results:
The file should contain equivalent parameters/configuration for IPv6.
Comment 2 RHEL Product and Program Management 2013-10-13 19:16:45 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 3 Jaromír Cápík 2014-11-03 08:37:02 EST
Hello Răzvan.

Even when the sysctl tool itself is a part of the procps packages, the /etc/sysctl.conf config file belongs to the initscripts component. I'm changing the component to initscripts.

Regards,
Jaromir.
Comment 4 Lukáš Nykrýn 2014-11-03 09:01:01 EST
There no such settings because we don't want to modify default kernel values.
Comment 5 Răzvan Sandu 2014-11-03 09:47:16 EST
Hello and thanks,

One that configures a Red Hat system as a router *needs* to have a well documented way to make it "permeable" (IP forwarding) for both IPv4 and IPv6 packets.

So we can't rely on the idea "we don't want to modify default kernel values".

Any suggestions, please?

Răzvan
Comment 6 Lukáš Nykrýn 2014-11-03 09:58:20 EST
That this looks more like a documentation issue.
Comment 7 Jaromír Cápík 2014-11-03 12:26:46 EST
If you only need to know the ipv6 variants of the variables, then I suggest you to type all the variables with 'sysctl -a' and then choose the ones you need to override, so that you could modify your local copy of the sysctl.conf according to your needs.
Comment 8 Jaromír Cápík 2014-11-03 12:30:43 EST
You're probably interested in the following two variables:

net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
Comment 9 Răzvan Sandu 2014-11-06 03:17:06 EST
Thank you, :)


IMHO, it is both a:

- "bug" concerning the maintainer of the stock (default) /etc/sysctl.conf file distributed in RHEL/CentOS/Fedora

- documentation "bug" (Red Hat official guides, etc.)


Since GNU/Linux systems are frequently used as routers or NAT gateways, the file and the docs should clearly state, for both IPv4 and IPv6:

- what kernel parameters make the system "permeable" for IPv4 and IPv6 traffic (i.e. allow the passing of IP packets from one network interface to another)

- the /etc/sysctl.conf file distributed in the official distro image should contain lines and clear comments for those parameters, for both IPv4 and IPv6, even if the lines are commented out by default.


These aspects became even more important in recent times, since new versions of these OSes have the IPv6 functions of the network interfaces *enabled* by default, after installation.


For being useful in practice, all these should integrate smoothly with popular firewall solutions for IPv4 and IPv6, such as firewalld or shorewall (http://shorewall.net/).


Thanks a lot,
Răzvan
Comment 10 Jaromír Cápík 2014-11-06 11:28:10 EST
I see what you mean. The idea of having a pre-filled sysctl.conf file with comments might be a good way how to make the kernel tuning faster/easier/intuitive. That way it could play a role of config file and template at once.
Lukáši, I think we could start at least with the forwarding settings and at your opinion also other variables often overridden by the users. What do you think?
Comment 12 Stephen Wadeley 2015-04-16 05:52:33 EDT
Hello

I believe this subject comes under the heading of:

Reverse Path Forwarding

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Reverse_Path_Forwarding.html


Perhaps I could add a section there.


Thank you
Comment 13 Răzvan Sandu 2015-04-16 10:01:41 EDT
Hello,

Thanks to Stephen for the piece of info in comment no 12.

There are *two* issues in this thread; one of them is only collateral.

The *main* issue here is the lack of parallelism for IPv4 and IPv6 parameters in /etc/sysctl.conf and their default values. Users should be able to configure the system in IPv6 as easy as in IPv4. IMHO, this is not a "documentation bug", but one addresed to the team writing the config files that are distributed by default in the distro. Who wites the /etc/sysctl.conf default file?

The second, which is only collateral - I used it just as an example above - is the necessary IPv6 parameter for making a system "permeable" to IPv6 packets. How should one make a system "permeable" to IPv6 packets?

For the second issue, I think the correct, elegant answer is  available in /usr/share/doc/initscripts-*/sysconfig.txt: one must set
IPV6FORWARDING=yes in /etc/sysconfig/network and that's all. If you agree, *please* mention this in Red Hat manuals, in a more visible place (/usr/share/doc/initscripts-*/sysconfig.txt is too obscure).


Best regards,
Răzvan
Comment 15 Lukáš Nykrýn 2015-04-28 03:18:34 EDT
Problem is that officially initscripts don't know the default settings, it is kernel stuff, in ideal case kernel should ship some /etc/sysctl.d/* confs with commented defaults.
Comment 16 Stephen Wadeley 2015-06-10 09:37:55 EDT
Hello

I would like to summarise this issue.

As per comment 0, if you look in /etc/sysctl.conf you see some values for IPv4 which are overriding the kernel default values. 

 What was meant in comment 4, is that initscripts *itself* does not want to modify the default values. 

As per comment 7 and 8, if the user wants to change the values they can run `sysctl -a` to see what the values currently are, and check the kernel docs for the definitions. For examples, ~]$ less /usr/share/doc/kernel-doc-2.6.32/Documentation/networking/ip-sysctl.txt 


As is being implied in comment 15, initscripts is not the best place to override kernel default values. In an ideal world the kernel would have values widely agreed to be sensible, or patches would be applied by the distro to make changes deemed necessary for that distro. 

Therefore, the feeling is that the "lack of parallelism for IPv4 and IPv6 parameters in /etc/sysctl.conf" should be addressed by removing the need to use that file to change defaults in the kernel, rather than adding IPv6 versions of the current IPv4 settings.


Thank you
Comment 18 Stephen Wadeley 2015-07-15 05:24:59 EDT
I will clone to ask kernel team to consider comment 15 while I review the Deployment Guide to see what improvements I can make.
Comment 19 Stephen Wadeley 2015-07-15 05:29:45 EDT
On second thoughts, to reduce confusion, I will clone for my Docs review and reassign this original bug to kernel team (as the bug history will be easier to follow).

Sorry for the noise.
Comment 20 Stephen Wadeley 2015-07-15 05:42:29 EDT
Hello kernel team

Please consider comment 10 and comment 15

Thank you
Comment 21 Jiri Benc 2016-04-15 11:38:32 EDT
We support several kernel rpms to be installed in parallel to be able to boot different kernel versions. I don't see how the kernel package can write anything to /etc/sysctl.d/ without causing horrendous rpm conflicts. And having the file names in /etc/sysctl.d/ contain kernel version doesn't make sense, either (especially when multiple kernel rpms are installed).

We would need another package to contain this. Creating just a kernel-sysctl package with a single file sounds silly, though. The sysctl.conf file is part of initscripts for this reason; and this is the only place where this can be added.

I don't see anything we can do on the kernel side.

I'm reassigning to initscripts for the initscripts maintainer to decide whether the IPv6 options can be added to sysctl.conf - commented out, of course (i.e. for documentation purposes). I find this very reasonable but I don't know all the limitations there and use cases. If there are reasons this can't be done in initscripts, there's nothing we can do and the bug will have to be closed.
Comment 22 Marcelo Ricardo Leitner 2016-04-15 12:07:21 EDT
To sum on what Jiri just said, re comment #15, for getting the defaults, it's just a matter of dumping current configs (sysctl -a) after a boot without special sysctls applied. If you need documentation is available under Documentation/ folder and pleas feel free to get in touch if you feel needed.

Yet, we are probably not going to have this for RHEL6 anymore at it's just too late for such improvement on it. If Lukas agree, we should close this bug and open a new one targetting RHEL7/systemd instead.
Comment 23 David Kaspar [Dee'Kej] 2016-11-09 11:36:12 EST
Hello,

(In reply to Marcelo Ricardo Leitner from comment #22)
> Yet, we are probably not going to have this for RHEL6 anymore at it's just
> too late for such improvement on it. If Lukas agree, we should close this
> bug and open a new one targetting RHEL7/systemd instead.

I agree on closing this BZ. It's unfortunate, but we're in phase2 of RHEL6 lifecycle. I realize, this is inconvenient, but I fail to see this being a bug.

Also, cloning this for RHEL7 does not make sense as well, because AFAIK lots of initscripts responsibilites have been taken over by systemd. Here's the content of /etc/sysctl.conf from RHEL7:

--------

# Kernel sysctl configuration file
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

Note You need to log in before you can comment on or make changes to this bug.