use_tempaddr is *still* not set properly for default eth0 connections

Bug #990011 reported by Mathieu Trudel-Lapierre
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
network-manager (Ubuntu) | Fix Released | Medium | Mathieu Trudel-Lapierre |
Precise | Fix Released | Undecided | Unassigned |

Bug Description

[Impact]
Only affects IPv6 connections, but we established that the default should be to maintain our users' privacy on IPv6 connections; we want all IPv6 external connections to be established using temporary, dynamic addresses.

[Development Fix]
Very minor patch to treat an unknown value (-1) as (2), aka, enabling and preferring privacy extensions. Patch is attached.

[Stable Fix]
See "Development fix".

[Test case]
Connect a wire to your system. With NetworkManager running, the value returned by 'sysctl net.ipv6.conf.eth0.use_tempaddr' should be 2 at all times unless configured otherwise (though the default is set to 2 by default). Without the patch, the value is reset to 0 when NetworkManager is running, and correctly set to 2 when NetworkManager is stopped (since it reverts the value to the value when NM started).

[Regression Potential]
Low, impact may be failing connections in case of issues with the privacy extensions system in the Linux kernel.

----

The use_tempaddr sysctl defaults to 0 in NetworkManager if it's not set elsewhere, as is the case for the default NM-created, automatic wired connection. That connection is never "completed" (because it's internal magic), and nm_backend_ipv6_use_tempaddr() doesn't have a chance of returning a valid system-wide default value since the function it calls, nm_generic_ipv6_use_tempaddr(), only checks in /etc/sysctl.conf and /lib/sysctl.d/sysctl.conf for a system default value.

(Regardless, this wouldn't work since we generate a setting based on a number of files in /etc/sysctl.d)

Change the behavior slightly to default to a string of -1 as a default value in nm-system.c; then make sure that if that value is never changed by the result of nm_backend_ipv6_use_tempaddr(), we just don't touch that sysctl at all.
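
The test case and root cause described above, as an added example that is not part of the original report or of NetworkManager's code: a lookup that reads only /etc/sysctl.conf reports "unknown" (-1), while one that also reads /etc/sysctl.d finds the configured default, and an audit then flags any interface that differs from it. The function names and the sample tree (including the contents given to 10-ipv6-privacy.conf) are constructed for illustration.

```shell
#!/bin/sh

# Print the last value assigned to net.ipv6.conf.<scope>.use_tempaddr in the
# files given (later files win), or -1 when none of them sets it.
configured_use_tempaddr() {
    scope=$1; shift
    value=-1
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n -e 's/[#;].*$//' -e \
            "s/^[[:space:]]*net[./]ipv6[./]conf[./]$scope[./]use_tempaddr[[:space:]]*=[[:space:]]*\([-0-9][0-9]*\)[[:space:]]*\$/\1/p" \
            "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    echo "$value"
}

# Print "iface=value" for every interface under a /proc/sys/net/ipv6/conf-style
# directory whose use_tempaddr differs from the expected value.
audit_use_tempaddr() {
    confdir=$1; expected=$2
    for p in "$confdir"/*/use_tempaddr; do
        [ -r "$p" ] || continue
        iface=$(basename "$(dirname "$p")")
        case $iface in all|default|lo) continue ;; esac   # pseudo entries, loopback
        cur=$(cat "$p")
        [ "$cur" = "$expected" ] || echo "$iface=$cur"
    done
}

# Build a constructed tree: sysctl.conf without the key, the key in sysctl.d,
# and an eth0 that was reset to 0 (the symptom in the test case).
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/sysctl.d" "$t/proc/default" "$t/proc/eth0" "$t/proc/sit0"
    printf '# constructed\nkernel.sysrq = 0\n' > "$t/etc/sysctl.conf"
    printf 'net.ipv6.conf.all.use_tempaddr = 2\nnet.ipv6.conf.default.use_tempaddr = 2\n' \
        > "$t/etc/sysctl.d/10-ipv6-privacy.conf"
    for i in default sit0; do echo 2 > "$t/proc/$i/use_tempaddr"; done
    echo 0 > "$t/proc/eth0/use_tempaddr"
    echo "$t"
}

root=$(make_sample)
echo "sysctl.conf only: $(configured_use_tempaddr default "$root/etc/sysctl.conf")"
want=$(configured_use_tempaddr default "$root/etc/sysctl.d"/*.conf "$root/etc/sysctl.conf")
echo "with sysctl.d:    $want"
audit_use_tempaddr "$root/proc" "$want"
rm -rf "$root"
```

On a live system, pass /proc/sys/net/ipv6/conf as the directory to audit_use_tempaddr.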

Mathieu Trudel-Lapierre (cyphermox) wrote :
description: updated
Changed in network-manager (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Stéphane Graber (stgraber) wrote :

Change looks good and matches what we said we'd do at UDS, what NM does for all new connections and what's currently happening for all non-NM connections.

Please upload to precise-proposed :)

tags: added: patch
Mathieu Trudel-Lapierre (cyphermox) wrote :

Uploaded, waiting for approval.

Martin Pitt (pitti) wrote : Please test proposed package

Hello Mathieu, or anyone else affected,

Accepted network-manager into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in network-manager (Ubuntu Precise):
status: New → Fix Committed
tags: added: verification-needed
Mathieu Trudel-Lapierre (cyphermox) wrote :

Yeah, it works for me, but I also did the patch and tested it before submitting it.

Stéphane, wanna counter-check just to be safe? :)

Stéphane Graber (stgraber) wrote :

Diff looks sane and is behaving as expected here (not running the -proposed package but a custom build on top of the -proposed package, only added patch here is the RDNSS change, so shouldn't impact the result).

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 0.9.4.0-0ubuntu4

---------------
network-manager (0.9.4.0-0ubuntu4) precise-proposed; urgency=low

  * debian/patches/quit_dhclient_on_exit.patch: make sure we kill dhclient when
    we are stopping. (LP: #963106)
  * debian/patches/lp949743_ensure_remoteconnection_disconnects_494f0a2.patch:
    make sure NMRemoteConnection objects have their signals disconnected.
    (LP: #949743)
  * debian/patches/lp990011_use_tempaddr_sysctl_default.patch: *really* fix the
    use_tempaddr sysctl to properly be set to 2 on the wired interface.
    (LP: #990011)
 -- Mathieu Trudel-Lapierre <email address hidden> Fri, 27 Apr 2012 18:13:56 -0400

Changed in network-manager (Ubuntu):
status: In Progress → Fix Released
Changed in network-manager (Ubuntu Precise):
status: Fix Committed → Fix Released
Jeroen Dekkers (dekkers) wrote :

This patch changes the way existing installations get their IPv6 address, which is something that really shouldn't be done in an update to an LTS release in my opinion. Even worse, it completely overrules configuration in /etc/sysctl.d/10-ipv6-privacy.conf, and if you change the configuration on a running system, network-manager changes it back within a second! For example:

runge:~# sysctl -w net.ipv6.conf.eth0.use_tempaddr=0
net.ipv6.conf.eth0.use_tempaddr = 0

wait a few seconds while network-manager says something about disconnected wired interface

runge:~# sysctl net.ipv6.conf.eth0.use_tempaddr
net.ipv6.conf.eth0.use_tempaddr = 2

Network-manager shouldn't overrule the system configuration, especially when network-manager currently has no toggle for privacy extensions. If you think changing the default is okay in a stable update (I really don't), at least it should be done in a way that makes it possible to easily go back to the previous behaviour. Given that the sysctl default is already what we want as default, I don't see why NM has to explicitly set it again and if it doesn't do that it would be possible to change the configuration in /etc/sysctl.

Mathieu Trudel-Lapierre (cyphermox) wrote :

It doesn't overrule it. Please make sure you set net.ipv6.conf.default.use_tempaddr to 0 in 10-ipv6-privacy.conf (or in /etc/sysctl.conf, etc.) if you want it to not be set. Alternatively, you may want to set "ip6-privacy=0" in the configuration file for your connection (under /etc/NetworkManager/system-connections/).

This isn't changing the value in a default release. The issue was that for default automatically generated connections for wired devices, NM was trying to be clever and reading a file we don't actually keep the ipv6 use_tempaddr setting in, and thus always setting it to 0.

If you're running into problems with this, please make sure you file a separate bug and define all the information specific to your system, such as what is set in /etc/sysctl.conf and /etc/sysctl.d/10-ipv6-privacy.conf, as well as whatever connection file might be relevant (in case the values are set in there). Then refer to your new bug here so we can look into it ASAP.

Darren Salt (dsalt) wrote :

Those using /etc/network/interfaces can set it per-interface by using the ‘privext’ option.
(Assumes the presence of ifupdown ≥ 0.7~alpha5.)

Also, who's to say that the interface name is necessarily eth0? I've had reason to do that to sit0… setting via /etc/sysctl*, I'd likely use ‘all’ or ‘default’ instead of ‘eth0’.

(Random browsing FTW)
