prevent ipv6 autoconfig on vm host nics

[1clue]

Hi,

Can someone tell me what I'm doing wrong?

I'm trying to donate nics to a guest VM, setting up bridged networks right now. The problem is when I bring up one of the bridges I get an ipv6 address on the host.

The hardware is this: http://www.supermicro.com/products/motherboard/atom/x10/a1srm-ln7f-2758.cfm It has:

1. 7x Intel e1000 nics.
   
2. 16g RAM at the moment.
   
3. VT-x
   
4. NOT VT-d!
   

I want:

1. 1x NIC dedicated to the VM host operating system, which no guest should be able to touch. (I have this)
   
2. 2x NICs dedicated to an "outside" firewall/security VM guest.
   
3. 4x NICs dedicated to an "inside" firewall/security VM guest (different OS)
   
4. IPV6 and/or IPV4 in each network.
   
5. The host should not be accessible via any donated NIC.
   

My config and my results:

1. /etc/conf.d/net: https://bpaste.net/show/18fdb002584a
   
2. ip address list: https://bpaste.net/show/1b6ee8044c27
   
3. Note that I only have 2 ports wired right now. One is enp4s0 and the other is enp5s0f0.
   

[khayyam]

[szatox]

[NeddySeagoon]

szatox,

It still works just fine with openRC-0.17.
I can't use PCI passthrough because of a bug in in my Intel 4 port NIC hardware :(
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[1clue]

@khayyam,

[1clue]

[khayyam]

[szatox]

1clue, if I get you right you have just bought this board (I recall some topic regarding this stuff). If it's new enough to let the vendor expect more profit from selling more of those, perhaps it would be possible to get a bios update (or whatever firmware they put into the on-board memory now) enabling IOMMU.
I didn't check that hardware, I don't know if it's possible for this particular mobo, but I do know that having a single line in a factory is cheaper than having 2 of them just to limit capabilities, and every building block is used in multiple applications designed with different purposes in mind. There may be a way to enable some nice features.

[1clue]

@everyone,

changes:

1. I just renamed my interfaces so my head doesn't explode. We now have lan0-lan6+enp4s0.
   
2. I made just my admin interface and one other nic come up automatically.
   
3. I read a bunch of documentation.
   
4. I'm pretty much in the same situation as I was before, only I know a little bit more.
   

@khayyam,
I think that bringing up a bridge with no IP on any part of it is problematic. My bridge and lan0 don't get their IP address until a few seconds after the system boots. There must be some sort of automatic fallback in place.

@szatox,
I "just" bought this board about a year ago. I originally had the plan of doing a VM-based router setup with it, but never had time to get to it. I had been playing with the routing just on the bare metal.

This is the best c2758-based board SuperMicro makes. Or it was a year ago. I don't see any better version of this board. But I downloaded the latest bios update and am trying to figure out which version is on it now. That's a good idea and really worth a try.

1. /etc/conf.d/net: https://bpaste.net/show/ddf3e8bfd5e5
   
2. network: (only br0 up, none of the other bridges: https://bpaste.net/show/8d8f3520590b
   

[1clue]

Found the bios version from dmidecode. There's a much newer version out now, gotta figure out how to upgrade it.

[szatox]

Read the changelog before you flash it
In the meantime, a quick and ugly hack you can put into /etc/conf.d/net:

postup () {
if [ "${IFACE}"="br0" ]
then sysctl net.ipv6.conf.br0.disable_ipv6=1
fi
}

Alternatively you can disable ipv6 for all interfaces (replace .br0. with .all. and add to /etc/sysctl.* )and then enable it only on interfaces you want. It's going to become more and more messy as the number of interfaces increases....

[1clue]

Still haven't flashed the bios yet. But my bios version is .6 and the new one is .119.

I did rediscover, however, that it's not SuperMicro I need to aim my angst at regarding the lack of VT-d, it's Intel. This chip does not support it.

I'm beginning to think that I'll need to simply set up iptables to drop everything on these other nics. Or maybe do VLANs?

[1clue]

I've tried pretty much every nic and every bridge and it's all the same:

1. If a cable is connected and I bring the interface up, it will get a global ipv6 and a link-local ipv6 address.
   
2. If I bring up brN, then brN behaves as above, and lanN gets a link-local ipv6 address.
   
3. lanN will have the same link-local that brN has, it's based on the mac address.
   
4. If I bring down lanN then (because of dependencies listed) brN and tapN also come down and all IP addresses related to those vanish.
   

This is with openrc 0.17, I reverted.

So you guys, please answer these:

1. If you create the bridge in the host with the settings I've been trying, do you get a link-local on either the bridge or the hardware nic?
   
2. If you create the bridge, do you get a global ipv6 on the bridge in spite of settings telling it not to?
   
3. If you create the bridge and it does not have an IP of any sort, and then get an IP on a guest VM, does the IP show up on the host?
   
4. If you create iptables 'drop everything' rules on a host nic, do those rules apply to the guest?
   
5. Am I chasing a ghost?
   

Maybe I just need to install a VM and try it.

[1clue]

OK so here's some more info:

I moved the second ethernet cable over to lan2 just in case something was messing with lan0 specifically.

1. /etc/sysctl.conf is https://bpaste.net/show/eb07bf19d258
   
2. cat /proc/sys/net/ipv6/conf/lan2/autoconf returns 1 in spite of the config.
   
3. I can get rid of ipv6 on br2, but something is still insisting on an fe80 on lan2.
   

All the extra stuff in the net.ipv6.conf.lan2 section has exactly the same effect as the two lines in all the other sections.

Is there something in the startup scripts that force net.ipv6.conf.lan2.autoconf to 1? It seems to be that way.

[szatox]

I think you missed one important detail from my last post. Look:

[1clue]

Szatox,

I didn't miss it. I set it up that way, tried a few things and then reworked it this way so I could be sure exactly what's happening.

At any rate, it's the ethernet interface itself which has the link-local now. I can't get rid of it.

Any ideas?

[szatox]

I see no IP6 on any interface here until explicitly enabled:

[1clue]

What does the nic have that br0 is part of?

Right now br0 has no ip address, but lan0 does, when it shouldn't.

[1clue]

I'm not sure why, but I renamed my enp4s0 control interface and now when I bring up br2 there are no ipv4 or ipv6 addresses.

I think this is solved, I'll play with it a bit.

Only problem is I don't know what changed on any practical level.