networking.enableIPv6 is broken #87802

Open
Qubasa opened this issue May 14, 2020 · 18 comments
Labels
0.kind: bug Something is broken 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS

Comments


Qubasa commented May 14, 2020

Describe the bug
The option

networking.enableIPv6 = false;

still allows IPv6 connections and IPs on my Wi-Fi interface. This is a big security concern for people who use a VPN service which can only route IPv4, and then your IPv6 leaks out.
NixOS source
Nixos source

The strange thing is that if I do a

$ sysctl net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1
$ sysctl net.ipv6.conf.default.disable_ipv6
net.ipv6.conf.default.disable_ipv6 = 1

it reports that all settings are set correctly. The weird thing is that only through a

$ echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

it starts to ignore IPv6. If I instead execute a

$ sysctl -w net.ipv6.conf.default.disable_ipv6=1

it still accepts IPv6 IPs.

I also tried to set the interface in question explicitly with

boot.kernel.sysctl = {
    "net.ipv6.conf.wlp4s0.disable_ipv6" = true;
};

but without success.

Wifi pci device:

04:00.0 Unassigned class [ff00]: Realtek Semiconductor Co., Ltd. RTL8822BE 802.11a/b/g/n/ac WiFi adapter

Drivers for that device:

rtwpci             
rtw88

Metadata

- system: `"x86_64-linux"`
- host os: `Linux 5.5.19-hardened, NixOS, 20.03.1822.5adf2a6c116 (Markhor)`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.3.4`
- channels(root): `"nixos-20.03.1822.5adf2a6c116, nixos-unstable-20.09pre225264.683c68232e9"`
- nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
@Qubasa Qubasa added the 0.kind: bug Something is broken label May 14, 2020
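
An added example, not part of the original report or of NixOS: a per-interface audit for the situation described above, where the `all` and `default` sysctls read 1 yet one interface still has IPv6 enabled or holds an address. The function names, the optional root argument and the sample tree are constructed for this sketch.

```shell
#!/bin/sh
# Added example: audit per-interface IPv6 state instead of trusting all/default.
# The optional root argument is an assumption of this sketch (default /proc).

# Print "<iface> <disable_ipv6> <address-count>" for each interface.
ipv6_status() {
    root="${1:-/proc}"
    for dir in "$root"/sys/net/ipv6/conf/*; do
        [ -d "$dir" ] || continue      # no conf tree at all: nothing to report
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        flag=$(cat "$dir/disable_ipv6" 2>/dev/null || echo '?')
        count=0
        if [ -r "$root/net/if_inet6" ]; then
            # Field 6 of if_inet6 is the device name; one line per address.
            count=$(awk -v i="$iface" '$6 == i { n++ } END { print n + 0 }' \
                "$root/net/if_inet6")
        fi
        echo "$iface $flag $count"
    done
}

# Interfaces (except lo) where IPv6 is not disabled or an address is present.
ipv6_leaks() {
    ipv6_status "$1" | awk '$1 != "lo" && ($2 != "1" || $3 > 0) { print $1 }'
}

# Constructed sample tree mirroring the report: all/default read 1,
# but wlp4s0 itself is back at 0 and holds a link-local address.
build_sample() {
    for i in all default lo eno1 wlp4s0; do
        mkdir -p "$1/sys/net/ipv6/conf/$i"
        echo 1 > "$1/sys/net/ipv6/conf/$i/disable_ipv6"
    done
    echo 0 > "$1/sys/net/ipv6/conf/wlp4s0/disable_ipv6"
    mkdir -p "$1/net"
    echo 'fe800000000000000000000000000001 03 40 20 80 wlp4s0' \
        > "$1/net/if_inet6"
}

sample=$(mktemp -d)
build_sample "$sample"
ipv6_status "$sample"                  # swap "$sample" for /proc on a real host
echo "leaking: $(ipv6_leaks "$sample")"
rm -rf "$sample"
```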

Qubasa commented May 14, 2020

A temporary fix that works for me is:

  # Fixing IPv6 bug
  networking.networkmanager.dispatcherScripts = [{
    source = pkgs.writeText "upHook" ''
      if [ "$2" != "up" ]; then
        logger "exit: event $2 != up"
        exit
      fi
      echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
    '';
    type = "basic";
  }];


flokli commented May 14, 2020

You're working against NetworkManager itself here - I assume it sets the required sysctls when you don't explicitly disable IPv6 for that connection.

Also, this is explained here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/disabling-ipv6-on-a-system-that-uses-networkmanager_configuring-and-managing-networking

I propose disabling it for the specific NetworkManager connections before you connect to them (instead of disabling it globally), and in the long term, ask the IT department to actually fix the problem instead of telling people to disable IPv6 ;-)


Qubasa commented May 14, 2020

If that's the case, then the option networking.enableIPv6 would have to be reworked.
I am looking at the NetworkManager documentation but can't find anything to disable IPv6.
Do you have an idea? @flokli

It's a paid (and very cheap) one so that won't do.

@veprbl veprbl added the 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS label May 15, 2020

flokli commented May 16, 2020

Yeah, networking.enableIPv6 just sets some sysctl values and hopes nothing else sets them back - which seems to be problematic in the case of both NetworkManager and networkd.

I don't think replacing it with a more drastic footgun (kernel module blacklisting, kernel cmdline) that also doesn't really work in all cases, or can possibly break other stuff, would be an improvement either. Same goes for trying to patch around every possible userland that will set this too.

IMHO, if someone decides to disable IPv6, this should really be a sentient decision, taking into consideration the rest of the system configuration.

The manual already explains how to achieve "disabling IPv6" for an individual interface - I'd be inclined to remove the global enableIPv6 NixOS module option (as it doesn't reliably work anyway), document the "all interfaces" sysctl in the current "single interface" section, and mention that userland, with the examples of networkd and NetworkManager, can set these back, while referring to their docs on how to disable IPv6 in these cases. WDYT?


flokli commented Nov 1, 2020

PR that might fix this: #101249.

Could you test it and report feedback there?


Izorkin commented Nov 2, 2020

@luis-hebendanz check with this variant:

boot.kernelParams = ["ipv6.disable=1"];


flokli commented Nov 2, 2020

@Izorkin Wait wait, I don't understand. What's the point of #101249, if we just ask people to disable IPv6 in their kernel (what boot.kernelParams does)?


Izorkin commented Nov 2, 2020

@flokli my PR disables these warnings on DHCPD servers:

dhcpcd[116395]: dev: loaded udev
dhcpcd[116395]: DUID 00:04:80:ae:ba:...
dhcpcd[116395]: eno1: IAID 67:...
dhcpcd[116395]: ipv6_addaddr1: Permission denied
dhcpcd[116395]: eno1: adding address fe80::21e:...

boot.kernelParams = ["ipv6.disable=1"]; - disables the whole IPv6 stack - https://wiki.archlinux.org/index.php/IPv6#Disable_functionality


flokli commented Nov 2, 2020

Yeah, but what's the point of networking.enableIPv6 if it only disables it for dhcpcd, and not NetworkManager?


Izorkin commented Nov 2, 2020

With my PR, networking.enableIPv6 disables IPv6 for dhcpcd + NetworkManager.


flokli commented Nov 2, 2020

@Izorkin so #101249 (comment) isn't true?

@luis-hebendanz, can you verify that PR fixes your issue then, without disabling the whole stack in kernel (which also requires a reboot on every change)?


Izorkin commented Nov 2, 2020

Possible solution:

diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index e5bd5775368..5d82dc5e128 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1067,6 +1067,9 @@ in
       ++ optional hasSits "sit"
       ++ optional hasBonds "bonding";

+    boot.kernelParams = [ ]
+      ++ optional (!cfg.enableIPv6) "ipv6.disable=1";
+
     boot.extraModprobeConfig =
       # This setting is intentional as it prevents default bond devices
       # from being created.
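
Review bot: The added `boot.kernelParams` lines tie `networking.enableIPv6 = false` to the kernel command line, so toggling the option now takes effect only after a reboot, and this hunk touches no option description that would tell users so; the description of `enableIPv6` should state it. The `[ ] ++` prefix is also redundant, since `optional` already yields a list: `boot.kernelParams = optional (!cfg.enableIPv6) "ipv6.disable=1";` is equivalent.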


Izorkin commented Nov 2, 2020

@flokli PR #101249 has not fixed this error.


stale bot commented Jun 5, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 5, 2021

AleXoundOS commented Aug 1, 2021

If not changing the behavior of networking.enableIPv6 I think it should be renamed to reflect what it really does. The kernelParams solution looks more robust but it's not clear if there are any implications of it. Personally I use a combination of boot.kernelParams = [ "ipv6.disable=1" ] and networking.enableIPv6 = false.

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Aug 1, 2021

stale bot commented Apr 30, 2022

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Apr 30, 2022
@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/long-loading-in-firefox/25055/5

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jan 30, 2023
@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/disabling-ipv6-enableipv6-and-kernelparams/39630/1
