Beta Branch update fix for checkipvsix function + add DISABLE_IPVSIX variable

update fix for checkipvsix function + add DISABLE_IPVSIX variable

In 123.09beta01, the checkipvsix function in /inc/cpcheck.inc was used to detect if system had IPv6 support to enable CSF Firewall's IPV6 option. But the check for IPv6 was not completely correct as it only checked for NETWORKING_IPV6=yes in /etc/sysconfig/network. If end users followed official guide to disable IPv6 at https://wiki.centos.org/FAQ/CentOS7#head-8984faf811faccca74c7bcdd74de7467f2fcd8ee, then NETWORKING_IPV6=yes in /etc/sysconfig/network would still exist but IPv6 in fact would of been disabled so would of incorrectly enabled IPV6 option in /etc/csf/csf.conf. This committed update fixes the IPv6 detection to include detecting for:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

If both = 1, then IPv6 is also considered disabled so IPV6 = '0' set in /etc/csf/csf.conf.

Additionally, added new override variable DISABLE_IPVSIX='n' which is default which lets IPv6 work if it exists. You can set DISABLE_IPVSIX='y' in persistent config file at /etc/centminmod/custom_config.inc as outlined on official site at http://centminmod.com/upgrade.html#persistent to override defaults to disable system IPv6 support.

So setting DISABLE_IPVSIX='y', will set

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

and

IPV6 = '0' set in /etc/csf/csf.conf

Setting DISABLE_IPVSIX='n' which is default already, will set

---

net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0

and

IPV6 = '1' set in /etc/csf/csf.conf

For existing users, updating Centmin Mod 123.09beta01 via centmin.sh menu option 23 submenu option 2, then exiting centmin.sh and re-running centmin.sh will trigger checkipvsix function to auto sync the committed changes.

Continue reading...

123.09beta01 branch

• Branch: https://github.com/centminmod/centminmod/tree/123.09beta01
• Commit History: https://github.com/centminmod/centminmod/commits/123.09beta01

 

FYI, users using Linux Kernel 4.x i.e. Linode might run into these errors on running centmin.sh - looking into it but there's no harm

Code (Text):

sysctl -a | awk '/net.ipv6.conf.all.disable_ipv6/ {print $NF}'
error: "Input/output error" reading key "net.ipv6.conf.all.stable_secret"
0
error: "Input/output error" reading key "net.ipv6.conf.default.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.dummy0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.eth0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.gre0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.gre1.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.gretap0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.ip6_vti0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.ip6gre0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.ip6tnl0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.ip_vti0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.lo.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.sit0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.teql0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.tunl0.stable_secret"

edit: fixed https://community.centminmod.com/threads/fix-checkipvsix-function-for-linux-kernel-4-x.11779/

 

If you have that to disable IPv6 then IPV6="0" in csf.conf is correct result. The routine for you would just duplicate

Code (Text):

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

in both /etc/sysctl.d/101-sysctl.conf and /etc/sysctl.conf right now which would end up with same result = IPv6 disabled system wide. If that is the case, you can remove the duplicates in /etc/sysctl.d/101-sysctl.conf

 

shouldn't be but use double quotes as that is the pattern used for csf.conf

my routine will work for both single and double quoted IPV6 variable in /etc/csf/csf.conf

 

That's what it should do in theory In past folks have reported bugs in the process which I have updated and fixed