NetworkManager, IPv6, and sysctl.conf

Following this closed topic:
https://forums.opensuse.org/t/sysctl-conf-still-being-ignored-on-boot
I did a lot of what is on this thread with the same issues. I did manage to figure it out in my case. I created a config file in ‘/etc/sysctl.d/ipv6.conf’ with the following settings:

# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

This doesn’t stop IPv6 from being enabled on the network adapter. Run the nmcli command to show your network adapters and disable IPv6 on the adapters. NetworkManager has the ethernet device set to ‘auto’ and seems to override and enable IPv6.

# nmcli connection show
NAME   UUID                                  TYPE      DEVICE
ens33  275a9ddd-63ef-3194-b8fa-0d3896225367  ethernet  ens33
lo     dc0b56e4-ba10-4486-8c60-c7032502f44c  loopback  lo

# nmcli connection modify ens33 ipv6.method "disabled"

# cat /etc/NetworkManager/system-connections/ens33.nmconnection
[connection]
id=ens33
uuid=275a9ddd-63ef-3194-b8fa-0d3896225367
type=ethernet
interface-name=ens33
timestamp=1709331243

[ethernet]

[ipv4]
method=auto

[ipv6]
method=disabled

[proxy]

If you land on this post and no others, hope this helps the suffering on this item :smiley:

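An added example, not part of the original post: a shell check that reads NetworkManager keyfile profiles like the ens33.nmconnection shown above and lists every profile whose [ipv6] method is not "disabled". The function names and the sample profiles for ens34 and lo are constructed for illustration.

```shell
#!/bin/sh
# Added example: report NetworkManager keyfile profiles that do not have
# method=disabled in their [ipv6] section.

# ipv6_method FILE
# Prints the method= value found in the [ipv6] section of a keyfile,
# or "unset" when the section or the key is absent.
ipv6_method() {
    awk '
        /^[ \t]*\[/ { in6 = ($0 ~ /^[ \t]*\[ipv6\][ \t]*$/); next }
        in6 && /^[ \t]*method[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            m = $0
        }
        END { print (m == "" ? "unset" : m) }
    ' "$1"
}

# audit_nm_ipv6 DIR
# Prints "<profile file> <method>" for every profile that is not disabled.
audit_nm_ipv6() {
    for f in "$1"/*.nmconnection; do
        [ -e "$f" ] || continue
        m=$(ipv6_method "$f")
        [ "$m" = "disabled" ] || printf '%s %s\n' "${f##*/}" "$m"
    done
}

# Constructed sample profiles (not taken from a real system): ens33 matches
# the post, ens34 still uses auto, lo has no [ipv6] section at all.
demo_nm_audit() {
    d=$(mktemp -d) || return 1
    printf '[connection]\nid=ens33\n\n[ipv4]\nmethod=auto\n\n[ipv6]\nmethod=disabled\n' \
        > "$d/ens33.nmconnection"
    printf '[connection]\nid=ens34\n\n[ipv4]\nmethod=auto\n\n[ipv6]\nmethod=auto\n' \
        > "$d/ens34.nmconnection"
    printf '[connection]\nid=lo\n\n[ipv4]\nmethod=manual\n' > "$d/lo.nmconnection"
    audit_nm_ipv6 "$d"
    rm -rf "$d"
}

demo_nm_audit
```

On a real host, run `audit_nm_ipv6 /etc/NetworkManager/system-connections` as root, since the profile files are not world-readable.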

I remember being vaguely surprised that my kernel.sysrq param in sysctl.conf wasn’t being read. Had to go through Yast and /etc/sysconfig.

Perhaps reading sysctl is disabled by Suse? That would be strange.

Personally, I have a struggle with this… even trying to “force it” by creating my own service in systemd and setting

After=network-online.target

But it doesn’t work, so I manually start that exact service after I log in for the first time. I’m at a loss for making this happen. Full service unit below (below might look insane, it works, just me trying various things to make things work and failing):

[Unit]
Description=Bridge configuration
After=network-online.target

[Service]
WorkingDirectory=/root
User=root
Type=oneshot
ExecStart=/bin/bash -c "/bin/echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables"
ExecStart=/bin/bash -c "/bin/echo 0 > /proc/sys/net/bridge/bridge-nf-call-ip6tables"
ExecStart=/bin/bash -c "/bin/echo 0 > /proc/sys/net/bridge/bridge-nf-call-arptables"


[Install]
WantedBy=multi-user.target

@cjcox if you create a file in /etc/sysctl.d/ it should be read, works for me on Tumbleweed and MicroOS (kubernetes configuration)…

cat /etc/sysctl.d/98-host.conf
...
...
net.ipv4.ip_unprivileged_port_start=80
sysctl net.ipv4.ip_unprivileged_port_start
net.ipv4.ip_unprivileged_port_start = 80

@cjcox in your case;

net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0

Mine is Leap 15.5, doesn’t work there.

@cjcox perhaps different property, if you check with sysctl -a | grep -E "iptable|arp|

My point is the settings don’t take via sysctl.conf or sysctl.d/file etc. or even with a systemd service. But if I do it after I log in… then ok. But because direction is lost on this… here are the lines in my sysctl.conf:

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

And at the same time, here are the redundant lines in my /etc/sysctl.d/00-bridge-settings.conf:

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

However, with all of that and the enablement of my systemd unit… all the values are at “1” on boot.


@cjcox I wonder if the modules are not loaded when things run?

Unknown, it’s not a huge deal… just an observation (minor frustration). Won’t affect the vast majority of users.


Because those settings do not exist until br_netfilter module is loaded and this module is not loaded by default, so is not present during standard sysctl processing on boot.

Makes sense, so, while I know Lennart “there is no valid use case” P doesn’t allow any sort of “final” start, do you know of a place to put the unit file sequence wise?

Shouldn’t loading the module as per @arvidjaar 's suggestion work?

[Unit]
Description=Bridge configuration
After=network-online.target

[Service]
WorkingDirectory=/root
User=root
Type=oneshot
ExecStartPre=/usr/sbin/modprobe br_netfilter
ExecStart=/bin/bash -c "/bin/echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables"
ExecStart=/bin/bash -c "/bin/echo 0 > /proc/sys/net/bridge/bridge-nf-call-ip6tables"
ExecStart=/bin/bash -c "/bin/echo 0 > /proc/sys/net/bridge/bridge-nf-call-arptables"

[Install]
WantedBy=multi-user.target

This custom service is a hack, systemd can do this natively.
You can enable the module to be loaded on boot using modules-load.d(5) and it will be loaded in time before sysctl settings from /etc/sysctl.d are applied.


Find out what loads this module, order your unit after this point.

You can also add udev rule that runs when module is loaded. You can add modprobe install statement which runs sysctl after module is loaded.

Or you can force load this module early as mentioned by @crameleon .
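An added example, not from any poster in this thread: a shell check for the failure explained above, where a sysctl.d key is skipped at boot because its /proc/sys node does not exist until a module such as br_netfilter is loaded. The function names and sample files are constructed, and it assumes plain dot-separated keys (no dots inside interface names).

```shell
#!/bin/sh
# Added example: list keys in sysctl.d-style files that have no matching
# node under /proc/sys right now, so applying them would fail.

# missing_sysctl_keys CONF_DIR [PROC_ROOT]
# Prints "<conf file> <key>" for each key whose node is absent.
# PROC_ROOT defaults to /proc/sys; the demo points it at a constructed tree.
missing_sysctl_keys() {
    conf_dir=$1
    proc_root=${2:-/proc/sys}
    for f in "$conf_dir"/*.conf; do
        [ -e "$f" ] || continue
        # Drop comment and blank lines, keep the text left of "=", and
        # strip the optional leading "-" (ignore-errors prefix).
        sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' \
            -e 's/[[:space:]]*=.*//' -e 's/^[[:space:]-]*//' "$f" |
        while IFS= read -r key; do
            # net.bridge.bridge-nf-call-iptables -> net/bridge/bridge-nf-call-iptables
            path=$(printf '%s' "$key" | tr . /)
            [ -e "$proc_root/$path" ] || printf '%s %s\n' "${f##*/}" "$key"
        done
    done
}

# Constructed stand-in for a boot-time state where IPv6 nodes exist but
# br_netfilter is not loaded, so net/bridge/ is missing.
demo_missing_keys() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sysctl.d" "$d/proc/net/ipv6/conf/all"
    : > "$d/proc/net/ipv6/conf/all/disable_ipv6"
    printf '# Disable IPv6\nnet.ipv6.conf.all.disable_ipv6 = 1\n' \
        > "$d/sysctl.d/ipv6.conf"
    printf 'net.bridge.bridge-nf-call-iptables = 0\nnet.bridge.bridge-nf-call-ip6tables = 0\n' \
        > "$d/sysctl.d/00-bridge-settings.conf"
    missing_sysctl_keys "$d/sysctl.d" "$d/proc"
    rm -rf "$d"
}

demo_missing_keys
```

Running `missing_sysctl_keys /etc/sysctl.d` before and after `modprobe br_netfilter` shows the net.bridge.* keys drop out of the report once the module is present, which is the state the modules-load.d(5) approach creates before sysctl.d is processed.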

I use NFS, so I made it dependent on that (After=) and that worked. Not sure why in between (that is after network) (the thing before NFS) didn’t work, but ok.


I’ll investigate… because it would be nice if it “worked” like it’s supposed to.

@cjcox I set up some Leap 15.5 VMs here and used the following sysctl conf to disable ipv6;

/etc/sysctl.d/70-kubernetes.conf

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

To disable on the fly, use echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

This isn’t about disabling ipv6.
