
Beta Branch update fix for checkipvsix function + add DISABLE_IPVSIX variable

Discussion in 'Centmin Mod Github Commits' started by eva2000, May 24, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    update fix for checkipvsix function + add DISABLE_IPVSIX variable

    In 123.09beta01, the checkipvsix function in /inc/cpcheck.inc was used to detect if the system had IPv6 support to enable CSF Firewall's IPV6 option. But the check for IPv6 was not completely correct as it only checked for NETWORKING_IPV6=yes in /etc/sysconfig/network. If end users followed the official guide to disable IPv6 at https://wiki.centos.org/FAQ/CentOS7#head-8984faf811faccca74c7bcdd74de7467f2fcd8ee, then NETWORKING_IPV6=yes in /etc/sysconfig/network would still exist but IPv6 would in fact have been disabled, so the check would have incorrectly enabled the IPV6 option in /etc/csf/csf.conf. This committed update fixes the IPv6 detection to include detecting for:

    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1

    If both = 1, then IPv6 is also considered disabled so IPV6 = '0' set in /etc/csf/csf.conf.

    Additionally, added a new override variable DISABLE_IPVSIX='n', which is the default and lets IPv6 work if it exists. You can set DISABLE_IPVSIX='y' in the persistent config file at /etc/centminmod/custom_config.inc, as outlined on the official site at http://centminmod.com/upgrade.html#persistent, to override defaults to disable system IPv6 support.

    So setting DISABLE_IPVSIX='y' will set

    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1

    and

    IPV6 = '0' set in /etc/csf/csf.conf

    Setting DISABLE_IPVSIX='n', which is already the default, will set

    net.ipv6.conf.all.disable_ipv6 = 0
    net.ipv6.conf.default.disable_ipv6 = 0

    and

    IPV6 = '1' set in /etc/csf/csf.conf

    For existing users, updating Centmin Mod 123.09beta01 via centmin.sh menu option 23 submenu option 2, then exiting centmin.sh and re-running centmin.sh will trigger checkipvsix function to auto sync the committed changes.


    123.09beta01 branch
     
  2. eva2000

    FYI, users using Linux Kernel 4.x i.e. Linode might run into these errors on running centmin.sh - looking into it but there's no harm :)

    Code (Text):
    sysctl -a | awk '/net.ipv6.conf.all.disable_ipv6/ {print $NF}'
    error: "Input/output error" reading key "net.ipv6.conf.all.stable_secret"
    0
    error: "Input/output error" reading key "net.ipv6.conf.default.stable_secret"
    error: "Input/output error" reading key "net.ipv6.conf.dummy0.stable_secret"
    error: "Input/output error" reading key "net.ipv6.conf.eth0.stable_secret"
    error: "Input/output error" reading key "net.ipv6.conf.gre0.stable_secret"
    error: "Input/output error" reading key "net.ipv6.conf.gre1.stable_secret"
    error: "Input/output error" reading key "net.ipv6.conf.gretap0.stable_secret"
    error: "Input/output error" reading key "net.ipv6.conf.ip6_vti0.stable_secret"
    error: "Input/output error" reading key "net.ipv6.conf.ip6gre0.stable_secret"
    error: "Input/output error" reading key "net.ipv6.conf.ip6tnl0.stable_secret"
    error: "Input/output error" reading key "net.ipv6.conf.ip_vti0.stable_secret"
    error: "Input/output error" reading key "net.ipv6.conf.lo.stable_secret"
    error: "Input/output error" reading key "net.ipv6.conf.sit0.stable_secret"
    error: "Input/output error" reading key "net.ipv6.conf.teql0.stable_secret"
    error: "Input/output error" reading key "net.ipv6.conf.tunl0.stable_secret"
    


    edit: fixed https://community.centminmod.com/threads/fix-checkipvsix-function-for-linux-kernel-4-x.11779/
     
    Last edited: May 24, 2017
  3. rdan

    rdan Well-Known Member

    Mine has:
    Is that fine?
     
  4. rdan

    I already have:
    On /etc/sysctl.d/101-sysctl.conf

    Is it fine?
     
  5. eva2000

    If you have that to disable IPv6 then IPV6="0" in csf.conf is the correct result. The routine for you would just duplicate
    Code (Text):
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    

    in both /etc/sysctl.d/101-sysctl.conf and /etc/sysctl.conf right now, which would end up with the same result = IPv6 disabled system wide. If that is the case, you can remove the duplicates in /etc/sysctl.d/101-sysctl.conf
     
    Last edited: May 25, 2017
  6. rdan

    What I mean here is, is there any difference between double and single quotes?
    IPV6 = "0" vs IPV6 = '0'.
     
  7. eva2000

    shouldn't be but use double quotes as that is the pattern used for csf.conf

    my routine will work for both single and double quoted IPV6 variable in /etc/csf/csf.conf
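
An added example, not Centmin Mod's own code, of the check discussed in this thread: it reads the two disable_ipv6 keys directly from /proc/sys (so the stable_secret errors that `sysctl -a` prints on 4.x kernels never arise), accepts either quote style for IPV6 in csf.conf, and reports when the firewall setting and the kernel state disagree. The function names and the root-prefix argument are assumptions made for this example, and the sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example, not Centmin Mod code. Function names and the "root" prefix
# argument (a directory standing in for /) are assumptions of this example.

# Print 1 if IPv6 is disabled by sysctl, 0 if it is usable.
ipv6_disabled() {
  local root="${1:-}" all def
  local dir="$root/proc/sys/net/ipv6/conf"
  # Assumption: a missing IPv6 sysctl tree is treated as "disabled".
  [ -d "$dir" ] || { echo 1; return; }
  # Read only the two keys; unlike `sysctl -a` this never reads stable_secret.
  all=$(cat "$dir/all/disable_ipv6" 2>/dev/null || echo 0)
  def=$(cat "$dir/default/disable_ipv6" 2>/dev/null || echo 0)
  # Disabled only when both keys are 1, as in the first post.
  if [ "$all" = "1" ] && [ "$def" = "1" ]; then echo 1; else echo 0; fi
}

# Print the IPV6 value from a csf.conf, accepting IPV6 = "0" and IPV6 = '0'.
# IPV6_SPI and similar keys do not match because "=" must follow the name.
csf_ipv6_value() {
  sed -n -E "s/^[[:space:]]*IPV6[[:space:]]*=[[:space:]]*[\"']([01])[\"'].*/\1/p" "$1" | tail -n 1
}

# Compare csf.conf with the kernel state and report any mismatch.
csf_ipv6_drift() {
  local root="${1:-}" conf="$2" want have
  if [ "$(ipv6_disabled "$root")" = "1" ]; then want=0; else want=1; fi
  have=$(csf_ipv6_value "$conf")
  if [ "$have" = "$want" ]; then
    echo "ok IPV6=$have"
  else
    echo "drift csf=${have:-unset} expected=$want"
  fi
}

# Constructed sample: sysctl says disabled, csf.conf still has IPV6 = '1'.
demo() {
  local t; t=$(mktemp -d)
  mkdir -p "$t/proc/sys/net/ipv6/conf/all" "$t/proc/sys/net/ipv6/conf/default"
  echo 1 > "$t/proc/sys/net/ipv6/conf/all/disable_ipv6"
  echo 1 > "$t/proc/sys/net/ipv6/conf/default/disable_ipv6"
  printf '%s\n' 'IPV6_SPI = "1"' "IPV6 = '1'" > "$t/csf.conf"
  csf_ipv6_drift "$t" "$t/csf.conf"
  rm -rf "$t"
}
demo
```

On a live host, `csf_ipv6_drift "" /etc/csf/csf.conf` runs the same comparison against the real /proc tree.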
     
  8. rdan

    I have DISABLE_IPVSIX='y' set via custom_config before CMM install.

    Now I would like to test and enable back IPV6 support for both the server and nginx side.
    Is setting back DISABLE_IPVSIX='n' on custom_config > run centmin > re-compile Nginx...

    Already enough to enable it back?
     
  9. eva2000

    That's what it should do in theory :) In the past folks have reported bugs in the process which I have updated and fixed :)