dist/tools/sliptty/start_network.sh: IPv6 connectivity is broken on PC #14689
Comments
The reason that forwarding is activated for all interfaces is that confusingly the Linux kernel doesn't allow enabling IPv6 routing for independent interfaces. To get any forwarding at all, The It's a hard problem to solve in a script because some knowledge about the network topology (which interface is the uplink?) is required. Suggestions are certainly welcome.
Surely this script should work in line with all of the other On systems with a poorly configured firewall, this script poses a serious risk in its current state. It also breaks access to a fair amount of the internet. Related to the inconsistency between scripts: #14618
Then the other scripts are wrong at least for Linux. @benemorius is right (and the linked doc backs him). While the variable exists for single interfaces, on Linux only setting
I acknowledge this. :)
As it stands, changing this will break IPv6 connectivity on the other scripts too. As about a third of users have IPv6 these days, this will likely cause problems for more people. Additionally, the other scripts use Layer 2 ethernet interfaces ( Enabling forwarding on all interfaces on these scripts is likely to break things for a number of users, including myself and others doing work on RIOT at my University. I think it would be a massive shame to spread this issue to other scripts. Side note: Theoretically you could enable forwarding for all interfaces, and set
See #10477 (comment).
You could just configure the forwarding according to the uplink.
My main concern with this is that often the first experience of RIOT that someone has is using one of the example programs, e.g It would be a massive shame if the examples were no longer as simple to use as
I don't experience any broken connectivity when using this script, so I am not clear on what you mean by that. Please clarify.
As mentioned previously by myself further up in the issue, when IPv6 forwarding is enabled on an interface, Linux will by default ignore RAs on that interface. This means that IPv6 connectivity to the wider internet is lost when forwarding is enabled and no further action is taken (i.e I noticed this issue as my SSH connection to a server dropped when this script was run. My laptop had dropped the IPv6 default route from my router as it was ignoring RAs, later I lost the IPv6 address too (also due to lack of RA).
Ah sorry, I did not read carefully enough 😕. Fact is, for a border router (what this script effectively wants to enable) forwarding capabilities are required, especially if one wants to use it as e.g. @benpicco does in #14676 (as said: RAdvD requires forwarding to be enabled, not sure if it is happy with "enabling" forwarding only on the operating interface is enough). As in my desired fix for #14618 everything those scripts do could be configured via CLI parameter how about this: only enable forwarding when a
This sounds like a good solution to me. 👍 It could potentially be nice to warn if a layer 3 interface (SLIP or similar) is used without the -f option being given. This would hopefully allow users to be able to work out why packets aren't being forwarded across the interface, although that is more in scope of #14618.
@miri64 do you have any near plans to address this? It's not been high on my list but I can do it. I think your proposed solution is fine, and better than current master.
@benemorius I work on it whenever I find some time. First step (
Description
dist/tools/sliptty/start_network.sh enables forwarding on all interfaces when running.
By default, Linux will ignore RAs on interfaces with forwarding enabled unless net.ipv6.conf.<interface>.accept_ra=2. This is sensible for security on routers.
It thus ignores RAs on my uplink interface and breaks connectivity.
Interestingly, this seems to be partially acknowledged in the script, as it sets the appropriate sysctl for the tun interface. See here
Arguably, enabling forwarding on all interfaces is very dangerous and potentially a security issue for users that are unfamiliar with Linux routing.
I am unsure of the best approach to take to fix this, as it is not clear why forwarding is activated for all interfaces!
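The interaction between forwarding and accept_ra described in this issue can be checked per interface before and after running such a script. The following is an added example, not part of the original issue or of the RIOT scripts; the function names and the optional directory argument (which defaults to /proc/sys/net/ipv6/conf) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report interfaces that will ignore Router Advertisements
# because IPv6 forwarding is enabled on them.
# Assumption: the directory passed in mirrors the kernel layout
#   /proc/sys/net/ipv6/conf/<iface>/{forwarding,accept_ra}

# classify_ra FORWARDING ACCEPT_RA -> prints one verdict:
#   ra-disabled  accept_ra=0, RAs are never processed
#   ra-accepted  RAs are processed (forwarding off, or accept_ra=2 overrides it)
#   ra-ignored   forwarding on with accept_ra=1, RAs are dropped
classify_ra() {
    fwd=$1; ra=$2
    case "$ra" in
        0) echo ra-disabled ;;
        2) echo ra-accepted ;;
        1) if [ "$fwd" = 0 ]; then echo ra-accepted; else echo ra-ignored; fi ;;
        *) echo unknown ;;
    esac
}

# audit_ra [CONF_ROOT] -> one line per interface:
#   <iface> forwarding=<n> accept_ra=<n> <verdict>
audit_ra() {
    root=${1:-/proc/sys/net/ipv6/conf}
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/forwarding" ] && [ -r "$dir/accept_ra" ] || continue
        fwd=$(cat "$dir/forwarding"); ra=$(cat "$dir/accept_ra")
        echo "$iface forwarding=$fwd accept_ra=$ra $(classify_ra "$fwd" "$ra")"
    done
}

# ignored_uplinks [CONF_ROOT] -> names of interfaces that will stop
# learning default routes and addresses from RAs
ignored_uplinks() {
    audit_ra "$1" | awk '$4 == "ra-ignored" { print $1 }'
}
```

Calling audit_ra with no argument inspects the live system; any uplink listed by ignored_uplinks needs accept_ra=2 if it is expected to keep its RA-learned default route while forwarding is enabled.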