Bug#815586: does its own RA handling and is doing it wrong

Marc Haber mh+debian-packages at zugschlus.de
Mon Feb 22 18:33:42 GMT 2016


Package: systemd
Version: 229-1
Severity: normal

I have a host that is hosting a number of KVM virtual machines. It has
eth0 to the Internet. The virtual machines connect to br0, and the
host is routing between br0 and eth0. Both host and VMs are fully IPv6
enabled. Network configuration is done with systemd-networkd. For the
Ethernet, router advertisements should be processed; the bridge has
static configuration. radvd is running on br0 to allow VMs to learn
IPv6 prefixes and routes.

[5/505]mh at fan:/etc/systemd/network$ cat eth0.network
[Match]
Name=eth0

[Network]
DHCP=yes
IPForward=yes
DNS=192.168.181.53
DNS=192.168.251.53
DNS=fec0:0:0:ffff::1
Domains=zugschlus.de ka51.zugschlus.de
IPv6AcceptRouterAdvertisements=1

[Address]
Address=2a01:238:4071:3282::1d:100/64

[Address]
Address=2a01:238:4071:3282::1d:250/128

[Address]
Address=192.168.182.250/32
[6/506]mh at fan:/etc/systemd/network$ cat br0.netdev
[NetDev]
Name=br0
kind=bridge
[7/507]mh at fan:/etc/systemd/network$ cat br0.network
[Match]
Name=br0

[Network]
Address=192.168.29.254/24
DHCP=no
IPForward=yes

[Address]
Address=2a01:238:4071:328d::1d:100/64

[Address]
Address=2a01:238:4071:328d::1d:153/64

[Address]
Address=fec0:0:0:ffff::1/128

[Address]
Address=fec0:0:0:ffff::2/128

[Address]
Address=fec0:0:0:ffff::3/128
[8/508]mh at fan:/etc/systemd/network$

[13/513]mh at fan:~$ cat /etc/radvd.conf
interface br0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 600;
    MaxRtrAdvInterval 1200;
    prefix 2a01:238:4071:328d::/64 {
        DeprecatePrefix on;
    };
    RDNSS 2a01:238:4071:328d::1d:153 {
        AdvRDNSSLifetime 1200;
    };
};
mh at fan:~$

With older systemd, this resulted in a working configuration:

mh at fan:/etc/systemd/network$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 54:04:a6:82:21:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.182.250/32 brd 192.168.182.250 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.182.29/24 brd 192.168.182.255 scope global dynamic eth0
       valid_lft 13813sec preferred_lft 13813sec
    inet6 2a01:238:4071:3282:5604:a6ff:fe82:2100/64 scope global mngtmpaddr dynamic
       valid_lft 86013sec preferred_lft 14013sec
    inet6 2a01:238:4071:3282::1d:250/128 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:238:4071:3282::1d:100/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5604:a6ff:fe82:2100/64 scope link
       valid_lft forever preferred_lft forever
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c6:f4:98:dc:5e:21 brd ff:ff:ff:ff:ff:ff
    inet 192.168.29.254/24 brd 192.168.29.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 2a01:238:4071:328d::1d:153/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:238:4071:328d::1d:100/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fec0:0:0:ffff::3/128 scope site
       valid_lft forever preferred_lft forever
    inet6 fec0:0:0:ffff::2/128 scope site
       valid_lft forever preferred_lft forever
    inet6 fec0:0:0:ffff::1/128 scope site
       valid_lft forever preferred_lft forever
    inet6 fe80::c4f4:98ff:fedc:5e21/64 scope link
       valid_lft forever preferred_lft forever
4: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
    link/ether 1e:75:76:3b:aa:88 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1c75:76ff:fe3b:aa88/64 scope link
       valid_lft forever preferred_lft forever
mh at fan:/etc/systemd/network$ ip -6 r
2a01:238:4071:3282::1d:250 dev eth0  proto kernel  metric 256  pref medium
2a01:238:4071:3282::/64 dev eth0  proto kernel  metric 256  pref medium
2a01:238:4071:328d::/64 dev br0  proto kernel  metric 256  pref medium
fe80::/64 dev eth0  proto kernel  metric 256  pref medium
fe80::/64 dev dummy0  proto kernel  metric 256  pref medium
fe80::/64 dev br0  proto kernel  metric 256  pref medium
fec0:0:0:ffff::1 dev br0  proto kernel  metric 256  pref medium
fec0:0:0:ffff::2 dev br0  proto kernel  metric 256  pref medium
fec0:0:0:ffff::3 dev br0  proto kernel  metric 256  pref medium
default via fe80::1 dev eth0  proto ra  metric 1024  expires 1411sec hoplimit 64 pref high
mh at fan:/etc/systemd/network$

Systemd 229 implements its own IPv6 Router Advertisement processing,
which is - unfortunately - severely flawed. Having
IPv6AcceptRouterAdvertisements=1 results in the following non-working
configuration:

mh at fan:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 54:04:a6:82:21:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.182.250/32 brd 192.168.182.250 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.182.29/24 brd 192.168.182.255 scope global dynamic eth0
       valid_lft 12417sec preferred_lft 12417sec
    inet6 2a01:238:4071:328d:5604:a6ff:fe82:2100/64 scope global mngtmpaddr noprefixroute dynamic
       valid_lft 86387sec preferred_lft 14387sec
    inet6 2a01:238:4071:3282:5604:a6ff:fe82:2100/64 scope global mngtmpaddr noprefixroute dynamic
       valid_lft 86252sec preferred_lft 14252sec
    inet6 2a01:238:4071:3282::1d:250/128 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:238:4071:3282::1d:100/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5604:a6ff:fe82:2100/64 scope link
       valid_lft forever preferred_lft forever
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c6:f4:98:dc:5e:21 brd ff:ff:ff:ff:ff:ff
    inet 192.168.29.254/24 brd 192.168.29.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 2a01:238:4071:328d::1d:153/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:238:4071:328d::1d:100/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fec0:0:0:ffff::3/128 scope site
       valid_lft forever preferred_lft forever
    inet6 fec0:0:0:ffff::2/128 scope site
       valid_lft forever preferred_lft forever
    inet6 fec0:0:0:ffff::1/128 scope site
       valid_lft forever preferred_lft forever
    inet6 fe80::c4f4:98ff:fedc:5e21/64 scope link
       valid_lft forever preferred_lft forever
4: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
    link/ether 96:b4:30:70:4d:75 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::94b4:30ff:fe70:4d75/64 scope link
       valid_lft forever preferred_lft forever
mh at fan:~$

mh at fan:/etc/systemd/network$ ip -6 r
2a01:238:4071:3282::1d:250 dev eth0  proto kernel  metric 256  pref medium
2a01:238:4071:3282::/64 dev eth0  proto kernel  metric 256  pref medium
2a01:238:4071:328d::/64 dev br0  proto kernel  metric 256  pref medium
fe80::/64 dev eth0  proto kernel  metric 256  pref medium
fe80::/64 dev dummy0  proto kernel  metric 256  pref medium
fe80::/64 dev br0  proto kernel  metric 256  pref medium
fec0:0:0:ffff::1 dev br0  proto kernel  metric 256  pref medium
fec0:0:0:ffff::2 dev br0  proto kernel  metric 256  pref medium
fec0:0:0:ffff::3 dev br0  proto kernel  metric 256  pref medium
default via fe80::1 dev eth0  proto ra  metric 1024  expires 1411sec hoplimit 64 pref high
default via fe80::c4f4:98ff:fedc:5e21 dev eth0  proto ra  metric 1024 pref medium
mh at fan:/etc/systemd/network$

Setting IPv6AcceptRouterAdvertisements=0 fixes the issue at the cost
of having to manually fiddle again in /proc to get the desired
behavior of accepting router advertisements on and only on eth0.

In a nutshell: with IPv6AcceptRouterAdvertisements=1, it looks like
networkd handles incoming router advertisements itself, and it's doing
things wrong.

Bug 1: It accepts and handles the RA sent out by the locally running
radvd on br0.

Bug 2: It then configures the IP addresses and routes derived from
this RA on the wrong interface, eth0.

This results in IP addresses from the wrong prefix being configured on
eth0, and, catastrophically, a second, incorrect default route is
being configured.

Remedy:
(1) Configure IP addresses and routes learned on one interface on this
interface and not on an arbitrary other interface. This is especially
important if the gateway address learned is link local, as this is
commonly the case in IPv6.

(2) Ignore RAs coming in from the local host.

If this were my package, this bug report would have an RC severity as
this regression breaks IPv6 networking for many non-trivial network
setups. Feel free to ramp up the severity accordingly. I would suggest
"serious".

Greetings
Marc
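
A check for the two symptoms described in the report, written as an added example (not part of the original message and not systemd code): it parses `ip a` and `ip -6 r` output and flags RA-learned default routes whose gateway is one of the host's own addresses, and SLAAC addresses whose prefix is statically configured on a different interface. The function names and finding labels are hypothetical; the sample input is trimmed from the output quoted above.

```python
import ipaddress
import re

# Sample input trimmed from the report's systemd 229 "ip a" / "ip -6 r" output.
IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet6 2a01:238:4071:328d:5604:a6ff:fe82:2100/64 scope global mngtmpaddr noprefixroute dynamic
    inet6 2a01:238:4071:3282:5604:a6ff:fe82:2100/64 scope global mngtmpaddr noprefixroute dynamic
    inet6 2a01:238:4071:3282::1d:100/64 scope global
    inet6 fe80::5604:a6ff:fe82:2100/64 scope link
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet6 2a01:238:4071:328d::1d:100/64 scope global
    inet6 fe80::c4f4:98ff:fedc:5e21/64 scope link
"""
IP_ROUTE = """\
default via fe80::1 dev eth0  proto ra  metric 1024  expires 1411sec hoplimit 64 pref high
default via fe80::c4f4:98ff:fedc:5e21 dev eth0  proto ra  metric 1024 pref medium
"""

def parse_addrs(text):
    """Return [(ifname, IPv6Interface, is_dynamic)] parsed from `ip a` output."""
    out, dev = [], None
    for line in text.splitlines():
        head = re.match(r"\d+: ([^:@]+)", line)
        if head:
            dev = head.group(1)
            continue
        m = re.match(r"\s+inet6 (\S+)(.*)", line)
        if m and dev:
            flags = m.group(2).split()
            out.append((dev, ipaddress.ip_interface(m.group(1)), "dynamic" in flags))
    return out

def audit(addr_text, route_text):
    """Flag RA-learned state that traces back to the host's own interfaces."""
    addrs, findings = parse_addrs(addr_text), []
    # Bug 1 symptom: an RA default route whose next hop is a local address.
    # Link-local addresses are only unique per link, so treat a hit as a strong hint.
    for m in re.finditer(r"^default via (\S+) dev (\S+).*\bproto ra\b", route_text, re.M):
        gw = ipaddress.ip_address(m.group(1))
        for owner in sorted({d for d, a, _ in addrs if a.ip == gw}):
            findings.append(("self-ra-default-route", m.group(2), str(gw), owner))
    # Bug 2 symptom: a SLAAC address whose prefix is statically configured elsewhere.
    for dev, a, dyn in addrs:
        others = {d for d, o, od in addrs if d != dev and not od and o.network == a.network}
        if dyn and not a.is_link_local:
            findings += [("slaac-foreign-prefix", dev, str(a.network), d) for d in sorted(others)]
    return findings

if __name__ == "__main__":
    for finding in audit(IP_ADDR, IP_ROUTE):
        print(*finding)
```
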


