Beta Branch update fix for checkipvsix function + add DISABLE_IPVSIX variable

eva2000 · May 24, 2017

update fix for checkipvsix function + add DISABLE_IPVSIX variable

In 123.09beta01, the checkipvsix function in /inc/cpcheck.inc was used to detect if system had IPv6 support to enable CSF Firewall's IPV6 option. But the check for IPv6 was not completely correct as it only checked for NETWORKING_IPV6=yes in /etc/sysconfig/network. If end users followed official guide to disable IPv6 at https://wiki.centos.org/FAQ/CentOS7#head-8984faf811faccca74c7bcdd74de7467f2fcd8ee, then NETWORKING_IPV6=yes in /etc/sysconfig/network would still exist but IPv6 in fact would of been disabled so would of incorrectly enabled IPV6 option in /etc/csf/csf.conf. This committed update fixes the IPv6 detection to include detecting for:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

If both = 1, then IPv6 is also considered disabled so IPV6 = '0' set in /etc/csf/csf.conf.

Additionally, added new override variable DISABLE_IPVSIX='n' which is default which lets IPv6 work if it exists. You can set DISABLE_IPVSIX='y' in persistent config file at /etc/centminmod/custom_config.inc as outlined on official site at http://centminmod.com/upgrade.html#persistent to override defaults to disable system IPv6 support.

So setting DISABLE_IPVSIX='y', will set

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

and

IPV6 = '0' set in /etc/csf/csf.conf

Setting DISABLE_IPVSIX='n' which is default already, will set

net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0

and

IPV6 = '1' set in /etc/csf/csf.conf

For existing users, updating Centmin Mod 123.09beta01 via centmin.sh menu option 23 submenu option 2, then exiting centmin.sh and re-running centmin.sh will trigger checkipvsix function to auto sync the committed changes.

Continue reading...

123.09beta01 branch

Branch: https://github.com/centminmod/centminmod/tree/123.09beta01

Commit History: https://github.com/centminmod/centminmod/commits/123.09beta01

eva2000 · May 24, 2017

FYI, users using Linux Kernel 4.x i.e. Linode might run into these errors on running centmin.sh - looking into it but there's no harm

Code (Text):

sysctl -a | awk '/net.ipv6.conf.all.disable_ipv6/ {print $NF}'
error: "Input/output error" reading key "net.ipv6.conf.all.stable_secret"
0
error: "Input/output error" reading key "net.ipv6.conf.default.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.dummy0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.eth0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.gre0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.gre1.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.gretap0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.ip6_vti0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.ip6gre0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.ip6tnl0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.ip_vti0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.lo.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.sit0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.teql0.stable_secret"
error: "Input/output error" reading key "net.ipv6.conf.tunl0.stable_secret"

edit: fixed https://community.centminmod.com/threads/fix-checkipvsix-function-for-linux-kernel-4-x.11779/

rdan · May 24, 2017

eva2000 said: ↑

IPV6 = '0' set in /etc/csf/csf.conf
Click to expand...

Mine has:

IPV6 = "0"
Click to expand...

Is that fine?

rdan · May 24, 2017

I already have:

# to disable IPv6 on all interfaces system wide
net.ipv6.conf.all.disable_ipv6 = 1
Click to expand...

On /etc/sysctl.d/101-sysctl.conf

Is it fine?

eva2000 · May 25, 2017

RoldanLT said: ↑

I already have:

On /etc/sysctl.d/101-sysctl.conf

Is it fine?
Click to expand...

If you have that to disable IPv6 then IPV6="0" in csf.conf is correct result. The routine for you would just duplicate
Code (Text):
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
in both /etc/sysctl.d/101-sysctl.conf and /etc/sysctl.conf right now which would end up with same result = IPv6 disabled system wide. If that is the case, you can remove the duplicates in /etc/sysctl.d/101-sysctl.conf

rdan · May 25, 2017

RoldanLT said: ↑

Mine has:

Is that fine?
Click to expand...

What I mean here is there any difference with double and single qoute?
IPV6 = "0" vs IPV6 = '0'.

eva2000 · May 25, 2017

shouldn't be but use double quotes as that is the pattern used for csf.conf

my routine will work for both single and double quoted IPV6 variable in /etc/csf/csf.conf

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

Beta Branch update fix for checkipvsix function + add DISABLE_IPVSIX variable

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

eva2000 Administrator Staff Member

rdan Premium Member Premium Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

Beta Branch update fix for checkipvsix function + add DISABLE_IPVSIX variable

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

eva2000 Administrator Staff Member

rdan Premium Member Premium Member

eva2000 Administrator Staff Member

.