Way back on Thu, 25 Jul 2024 15:32:01 -0000 (UTC), mlelstv%serpens.de@localhost (Michael van Elst) wrote:
Subject: Re: Is it possible to completely disable ipv6 in NetBSD 10
>
> will.senn%gmail.com@localhost (Will Senn) writes:
> >
> > How can I turn it off for netbsd? Is it possible on a nic by nic basis
> > or a sysctl?

So, I'm finally having to do the same thing for some of my local test
hosts that are now running kernels with IPv6 enabled. (Most of my
private NetBSD hosts run builds with MKINET6=no and USE_INET6=no.)

> You can control this with the ndp command.
>
> ndp -i $interface disabled
>
> will disable IPv6 operation on that interface.

That doesn't quite do the trick.

There is still an IPv6 link-local address configured on the interface,
and even though it is marked as "TENTATIVE", this doesn't stop some
applications, such as X11 clients, from trying to use IPv6 to contact
hosts that also have AAAA address records _and_ are on the same subnet.
(For example, I think mDNS will answer with IPv6 address records for
local hosts, though I haven't been able to see that for sure yet.) Note
that for non-local hosts the lack of a non-local IPv6 address, and with
no IPv6 route, will cause the application to immediately notice that the
IPv6 address is unreachable and it will retry with any IPv4 address also
available for the same hostname.

Eventually most (all?) applications might give up on trying to make an
IPv6 connection and will then try the A address and make an IPv4
connection, but this takes upwards of a minute (50 seconds last time I
timed it), and that's simply not usable. X11 clients may still be
rejected if they then try to use the wrong auth key though.

I tried adding 'ip6addrctl=YES ip6addrctl_policy="ipv4_prefer"' to
/etc/rc.conf, and while that improves the situation, it does not improve
it enough -- there is often still a far longer than desired delay before
clients give up on trying IPv6 (around 6-10 seconds), and I think the
xauth problem may still rear its ugly head. Maybe this can be fixed,
but I think there's a better fix. (This ip6addrctl tool is still too
little documented too -- I only found it by accident when updating
rc.conf(5)!)

So, the only firm fix I've found that eliminates all problems and delays
is to (also) delete the inet6 link-local address (and any other inet6
address that might have been set, e.g. by dhcpcd). (You don't actually
have to disable NDP on the interface if it doesn't have any inet6
addresses, but to be entirely sure, and maybe to avoid other issues....)

So I propose the following, based on initial hints given long ago by
kre, and then we need only document "ip6mode=off" as a solution to the
often complained about "IPv6 is not working" issue. Ideally something
could be done in sysinst to test for working IPv6 and for it to then do
the same so as to prevent the also all too common "NetBSD takes hours to
install" complaints.

(Kre's original idea of having a net.inet6.disabled sysctl would perhaps
be preferable, and vastly simpler!)

--- etc/rc.d/network.~1.85.~ 2021-03-07 15:43:39.000000000 -0800
+++ etc/rc.d/network 2025-11-13 12:59:16.410571663 -0800
--- network.~1.85.~ 2021-03-07 15:43:39.000000000 -0800
+++ network 2025-11-13 13:45:05.350724080 -0800
@@ -30,7 +30,7 @@
have_inet6()
{
- /sbin/ifconfig lo0 inet6 >/dev/null 2>&1
+ [ $ip6mode != "off" ] && /sbin/ifconfig lo0 inet6 >/dev/null 2>&1
}
network_start()
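
Review bot: In have_inet6() the new test leaves $ip6mode unquoted, so when ip6mode is unset or empty the expression collapses to [ != "off" ], test reports an error, and have_inet6 returns false even though nobody asked for IPv6 to be turned off. Every caller written as "have_inet6 && ..." would then be skipped silently. Writing it as [ "$ip6mode" != "off" ] makes only an explicit "off" disable the check.
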
@@ -43,14 +43,14 @@
network_start_domainname
network_start_loopback
have_inet6 &&
- network_start_ipv6_route
+ network_start_ipv6_route
[ "$net_interfaces" != NO ] &&
- network_start_interfaces
+ network_start_interfaces
network_start_aliases
network_start_defaultroute
network_start_defaultroute6
have_inet6 &&
- network_wait_dad
+ network_wait_dad
network_start_resolv
network_start_local
}
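
Review bot: Each -/+ pair in network_start() carries the same text, so these three changes look like indentation only; they would be easier to review as a separate whitespace commit, keeping this patch to the ip6mode=off behaviour. In the same context, network_start_defaultroute6 is still called without a have_inet6 guard, so with ip6mode=off it runs unless it checks for that itself; consider guarding it the same way as network_start_ipv6_route and network_wait_dad.
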
@@ -345,6 +345,22 @@
;;
esac
done
+ if [ $ip6mode = "off" ]; then
+ # disable IPv6 and remove the automatically added
+ # "link-local" address as well as any other inet6
+ # address that might already have been installed.
+ #
+ # Note dhcpcd should only be used with "-4" in this mode!
+ #
+ # this is necessary to prevent the likes of X11 clients
+ # from trying to use IPv6 to connect to a neighbouring
+ # server!
+ #
+ /usr/sbin/ndp -i $int disabled >/dev/null
+ for lladdr in $(/sbin/ifconfig $int | awk '$1 == "inet6" {print $2}'); do
+ /sbin/ifconfig $int inet6 delete $lladdr
+ done
+ fi
configured_interfaces="$configured_interfaces $int"
done
echo "."
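
Review bot: The loop variable lladdr in the added block is misleading, because the awk filter '$1 == "inet6" {print $2}' matches every inet6 line, which is what the comment above it says is intended; a neutral name such as addr would match the behaviour. The test [ $ip6mode = "off" ] and the uses of $int are unquoted and should be "$ip6mode" and "$int", for the same reason as in have_inet6(). Only stdout of ndp is discarded and the result of "ifconfig ... inet6 delete" is not checked, so a failed delete leaves the address in place with no indication; a warning on failure would help. The cleanup also only covers interfaces handled by this loop, which is worth stating in the comment.
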
--- share/man/man5/rc.conf.5.~1.190.~ 2021-03-07 17:13:02.000000000 -0800
+++ share/man/man5/rc.conf.5 2025-11-13 13:07:27.354236492 -0800
@@ -854,12 +854,15 @@
By setting
.Sy ip6mode
to
+.Ql off ,
.Ql router ,
.Ql host ,
or
.Ql autohost ,
you can configure your node as a router,
a non-autoconfigured host, or an autoconfigured host.
+You can also entirely disable IPv6 (also set
+.Sy dhcpcd_flags = Dq -4 ) .
Invalid values will be ignored, and the node will be configured as
a non-autoconfigured host.
.It Sy ip6uniquelocal
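
Review bot: Putting .Ql off first in the value list breaks the positional reading of the sentence that follows, which still maps the listed values, in order, to "a router, a non-autoconfigured host, or an autoconfigured host"; listing off last, next to the new sentence that explains it, keeps the two in step. The new sentence should also say in words that off removes the inet6 addresses from each configured interface and that dhcpcd must be run with -4, instead of leaving the dhcpcd_flags setting as a bare parenthetical. The unchanged line "Invalid values will be ignored" is still correct only if "off" is accepted by whatever validates ip6mode, which these hunks do not show.
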

BTW, I think the IPv6 documentation at https://www.netbsd.org/docs/network/ipv6/
tries a little too hard to make a firm distinction between "routers" and
"hosts" without admitting that "routers" are also "hosts".

--
Greg A. Woods <gwoods%acm.org@localhost>
Kelowna, BC +1 250 762-7675 RoboHack <woods%robohack.ca@localhost>
Planix, Inc. <woods%planix.com@localhost> Avoncote Farms <woods%avoncote.ca@localhost>
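
A check for the condition described in this message (an inet6 address, even a TENTATIVE one, left on an interface), as an added example that is not part of the original post or the proposed patch. The function names and the sample ifconfig text are constructed here; the parser assumes the address is the second field of each inet6 line, as the patch's awk filter does.

```shell
#!/bin/sh
# Added example: report inet6 addresses still configured on any interface.
# Reads ifconfig-style text on stdin; prints "<iface> <address> <state>".
inet6_leftovers() {
    awk '
        # Interface header: starts in column 0 and the first field ends in ":".
        /^[^ \t]/ && $1 ~ /:$/ { ifname = substr($1, 1, length($1) - 1); next }
        # Same match as the awk filter in the patch: the address is field 2.
        $1 == "inet6" {
            state = ($0 ~ /TENTATIVE/) ? "tentative" : "active"
            print ifname, $2, state
        }
    '
}

# Returns 0 when no inet6 address is left, 1 otherwise (details on stderr).
# A tentative address still counts: the post reports clients trying it anyway.
audit_inet6_off() {
    found=$(inet6_leftovers)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | while read -r ifn addr state; do
        echo "IPv6 still configured: $ifn $addr ($state)" >&2
    done
    return 1
}

# Constructed sample input (not captured from a real host): wm0 still has a
# link-local address, wm1 is IPv4 only.
SAMPLE_IFCONFIG='wm0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.0.2.10/24 broadcast 192.0.2.255 flags 0
    inet6 fe80::1%wm0/64 flags 0x2<TENTATIVE> scopeid 0x1
wm1: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 198.51.100.7/24 broadcast 198.51.100.255 flags 0'

# Demo on the constructed sample.
# On a live host: /sbin/ifconfig -a | audit_inet6_off
printf '%s\n' "$SAMPLE_IFCONFIG" | audit_inet6_off ||
    echo "audit failed (expected for the sample)"
```

Run from cron or a post-boot script, a non-zero exit flags a host where something (for example dhcpcd started without -4) has put an inet6 address back.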