Enable tools for IPv6

Enable tools for IPv6

[Larsen]

[-- Attachment #1: Type: text/plain, Size: 604 bytes --]

Hi,

some users are currently translating the wiki instructions on how to set  
up an external IPv6 connection with IPFire.
Unfortunately, two things (the latter one not necessarily) need to be  
recompiled with IPv6 support:

http://wiki.ipfire.org/en/add-ipv6/extend/prepare
http://wiki.ipfire.org/en/add-ipv6/extend/dns

Would it be possible to enable IPv6 for those by default or might there be  
negative side effects?
I think it´s time to get IPFire IPv6 ready, so why not start with this.

(Maybe the information from the wiki even is outdated and IPv6 already  
enabled for those tools?)


Lars

Re: Enable tools for IPv6

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1637 bytes --]

Well...

On Tue, 2015-08-04 at 14:46 +0200, Larsen wrote:
> Hi,
> 
> some users are currently translating the wiki instructions on how to 
> set  
> up an external IPv6 connection with IPFire.

I very much appreciate you playing with IPv6 and IPFire. That is good
to learn the system better and also to get familiar with IPv6. I
honestly do not think that this will ever be possible to become some
supported feature in IPFire 2. There is too much to do and this is just
covering the tip of the iceberg.

> Unfortunately, two things (the latter one not necessarily) need to be
>   
> recompiled with IPv6 support:
> 
> http://wiki.ipfire.org/en/add-ipv6/extend/prepare
> http://wiki.ipfire.org/en/add-ipv6/extend/dns
> 
> Would it be possible to enable IPv6 for those by default or might 
> there be  
> negative side effects?

It might. We disabled IPv6 in some packages like squid, curl and so on
because these were sometimes causing errors.

http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=f8c079150ec8df07
a0f90bf25ef3a68f1201756f

I do not know about the others. I think I remember that we disabled
some of them because it won't built. Not too sure about that.

> I think it´s time to get IPFire IPv6 ready, so why not start with 
> this.

IPFire 3 is ready for IPv6. I would appreciate much more to focus on
that then and then finally get rid of IPFire 2.

Just for reference:

http://git.ipfire.org/?p=network.git;a=summary
http://source.ipfire.org/releases/network/man-pages/

> 
> (Maybe the information from the wiki even is outdated and IPv6 
> already  
> enabled for those tools?)

Idk.

> 
> 
> Lars

Best,
-Michael

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Enable tools for IPv6

[Larsen]

[-- Attachment #1: Type: text/plain, Size: 327 bytes --]

On Wed, 05 Aug 2015 12:28:01 +0200, Michael Tremer  
<michael.tremer(a)ipfire.org> wrote:

> IPFire 3 is ready for IPv6. I would appreciate much more to focus on
> that then and then finally get rid of IPFire 2.

Ok, fair enough.
There are precompiled binaries for the needed tools, so this shouldn´t  
pose a problem.


Lars

Re: Enable tools for IPv6

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 861 bytes --]

On Wed, 2015-08-05 at 17:27 +0200, Larsen wrote:
> On Wed, 05 Aug 2015 12:28:01 +0200, Michael Tremer  
> <michael.tremer(a)ipfire.org> wrote:
> 
> > IPFire 3 is ready for IPv6. I would appreciate much more to focus 
> > on
> > that then and then finally get rid of IPFire 2.
> 
> Ok, fair enough.
> There are precompiled binaries for the needed tools, so this 
> shouldn´t  
> pose a problem.

I think that is even worse. When ever we patch those binaries they will
be overwritten on these systems.

If someone is using them and they do not cause any issues then we can
enable IPv6. Having out-of-tree packages is really pain.

I am also okay with compiling in IPv6 support for the other things I
mentioned. There are only bugs to fix first before we can do that.
Disabling IPv6 is more of a workaround than a solution for the issues.

-Michael

> 
> 
> Lars

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Enable tools for IPv6

[Larsen]

[-- Attachment #1: Type: text/plain, Size: 1226 bytes --]

On Wed, 05 Aug 2015 17:31:36 +0200, Michael Tremer  
<michael.tremer(a)ipfire.org> wrote:

> On Wed, 2015-08-05 at 17:27 +0200, Larsen wrote:
>> On Wed, 05 Aug 2015 12:28:01 +0200, Michael Tremer
>> <michael.tremer(a)ipfire.org> wrote:
>>
>> > IPFire 3 is ready for IPv6. I would appreciate much more to focus
>> > on
>> > that then and then finally get rid of IPFire 2.
>>
>> Ok, fair enough.
>> There are precompiled binaries for the needed tools, so this
>> shouldn´t
>> pose a problem.
>
> I think that is even worse. When ever we patch those binaries they will
> be overwritten on these systems.


I guess this problem exists for different aspects of manually getting IPv6  
to work on IPFire 2.x. For example, have a look at the following files  
that will be edited and might possibly be overwritten.

http://wiki.ipfire.org/en/add-ipv6/extend/prepare
/etc/sysconfig/modules
/etc/sysctl.conf
/etc/resolv.conf
/etc/modprobe.d/ipv6.conf (deleted)

http://wiki.ipfire.org/en/add-ipv6/extend/nativ
/etc/init.d/network

Therefore, we don't really need the tools to be IPv6-enabled. It would  
just have made things one step easier.


So, I have added a warning here:
http://wiki.ipfire.org/en/add-ipv6/ipv6/extended


Lars

Re: Enable tools for IPv6

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2198 bytes --]

On Wed, 2015-08-05 at 17:59 +0200, Larsen wrote:
> On Wed, 05 Aug 2015 17:31:36 +0200, Michael Tremer  
> <michael.tremer(a)ipfire.org> wrote:
> 
> > On Wed, 2015-08-05 at 17:27 +0200, Larsen wrote:
> > > On Wed, 05 Aug 2015 12:28:01 +0200, Michael Tremer
> > > <michael.tremer(a)ipfire.org> wrote:
> > > 
> > > > IPFire 3 is ready for IPv6. I would appreciate much more to 
> > > > focus
> > > > on
> > > > that then and then finally get rid of IPFire 2.
> > > 
> > > Ok, fair enough.
> > > There are precompiled binaries for the needed tools, so this
> > > shouldn´t
> > > pose a problem.
> > 
> > I think that is even worse. When ever we patch those binaries they 
> > will
> > be overwritten on these systems.
> 
> 
> I guess this problem exists for different aspects of manually getting 
> IPv6  
> to work on IPFire 2.x. For example, have a look at the following 
> files  
> that will be edited and might possibly be overwritten.

Yes, these are all system files and they *will* be overwritten at some
time.

> /etc/sysconfig/modules

I have no idea why all these modules need to be loaded manually. The
respective tools like ip6tables, strongswan and so on will do that when
needed.

> /etc/sysctl.conf

It is probably better to create /etc/sysctl.d and then have a file in
that directory that overwrites the default settings in /etc/sysctl.conf

> /etc/resolv.conf

There is no need to resolve names over IPv6 and circumvent dnsmasq.
This will disable DNSSEC. Add the name server to the dnsmasq
configuration and you will be fine.

> /etc/modprobe.d/ipv6.conf (deleted)

This can be moved to a sysctl setting and then solved as described
above.

> > http://wiki.ipfire.org/en/add-ipv6/extend/nativ
> /etc/init.d/network
> 
> Therefore, we don't really need the tools to be IPv6-enabled. It 
> would  
> just have made things one step easier.

You will need this in dnsmasq if you want to keep DNSSEC.

> 
> 
> So, I have added a warning here:
> http://wiki.ipfire.org/en/add-ipv6/ipv6/extended

I changed that. IPv6 support is finished in IPFire 3. Some smaller
things like prefix delegation for PPP is not entirely tested and
robust, but it should work well enough.

> 
> Lars

-Michael

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Enable tools for IPv6

[Larsen]

[-- Attachment #1: Type: text/plain, Size: 504 bytes --]

>> /etc/sysconfig/modules
>
> I have no idea why all these modules need to be loaded manually. The
> respective tools like ip6tables, strongswan and so on will do that when
> needed.

Me neither. The documentation stems from a forum thread where this was  
specified.


>> /etc/sysctl.conf
>
> It is probably better to create /etc/sysctl.d and then have a file in
> that directory that overwrites the default settings in /etc/sysctl.conf

Thx, will change this and the other points you mentioned.


Lars

Re: Enable tools for IPv6

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1007 bytes --]

On Wed, 2015-08-05 at 23:51 +0200, Larsen wrote:
> > > /etc/sysconfig/modules
> > 
> > I have no idea why all these modules need to be loaded manually. 
> > The
> > respective tools like ip6tables, strongswan and so on will do that 
> > when
> > needed.
> 
> Me neither. The documentation stems from a forum thread where this 
> was  
> specified.
> 
> 
> > > /etc/sysctl.conf
> > 
> > It is probably better to create /etc/sysctl.d and then have a file 
> > in
> > that directory that overwrites the default settings in 
> > /etc/sysctl.conf
> 
> Thx, will change this and the other points you mentioned.

I guess for this we will need to change the initscripts. It should be
an easy change and we will gain the advantage that we can drop in any
sort of configuration file without overwriting anything. This is also
handy for any add-ons that need to change any of the sysctl settings.
There was no need for this feature yet, but we have it in IPFire 3 and
are using it quite often.

-Michael

> 
> 
> Lars

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]