• Bug#1104061: /usr/sbin/NetworkManager: sysctl settings ignored / overri

    From Benoit Panizzon@21:1/5 to All on Fri Apr 25 09:40:02 2025
    Package: network-manager
    Version: 1.42.4-1
    Severity: normal
    File: /usr/sbin/NetworkManager

    Dear Maintainer,

    I have been fighting with wrong ipv6 routes for quite a while and have
    finally been able to track them to NetworkManager being the cause. But not
    what exactly in NetworkManager causes the issue.

    I have a system with two ethernet interfaces. One is actually a vxlan interface used as a L2 VPN and is set up by some of my scripting.

    In this example, assume eth0 and vxlan1.

    I have little control of the ipv6 RA being sent to both interfaces. But for the L2 VPN to
    work as intended, I need the IPv6 default route to point to that interface. So prior to setting
    up the vxlan interface I disable accept_ra on eth0 and delete the existing default route:

    ip link add vxlan1 type vxlan id 1 dstport 4789 remote 192.168.10.2
    sysctl -w net.ipv6.conf.eth0.accept_ra_defrtr=0
    sysctl -w net.ipv6.conf.eth0.accept_ra=0
    ip -6 route delete default
    ip link set dev vxlan1 up

    As soon as an RA is received on vxlan1 the interface vxlan1 is configured and the correct ipv6 route created to send traffic via L2 VPN.

    tcpdump -vvvv -ttt -i eth0 'icmp6 and (ip6[40] = 134 or ip6[40] = 133)'

    As soon as an RA is received on eth0, which according to the sysctl entry should
    be ignored, a second default route (unfortunately with higher priority) is pointing
    to eth0.

    All further attempts to 'fix' with sysctl by disabling autoconfig or setting the
    'all' and 'default' interfaces did not fix the issue.

    When I stop NetworkManager, the RA received on eth0 is ignored as configured by sysctl. This leads me to the conclusion that NetworkManager somehow still handles RA even when disabled in the kernel via sysctl.

    So I had a look at the NetworkManager ipv6 settings for eth0 and attempted to disable IPv6 RA there,
    unfortunately with no success.

    I wonder if this is a bug or if this is intended behaviour. If intended, how can
    my use case be 'fixed'?

    -- System Information:
    Debian Release: 12.10
    APT prefers stable-updates
    APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
    Architecture: amd64 (x86_64)
    Foreign Architectures: i386

    Kernel: Linux 6.1.0-32-amd64 (SMP w/8 CPU threads; PREEMPT)
    Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
    Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), LANGUAGE=de_CH:de
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages network-manager depends on:
    ii adduser 3.134
    ii dbus [default-dbus-system-bus] 1.14.10-1~deb12u1
    ii libaudit1 1:3.0.9-1
    ii libbluetooth3 5.66-1+deb12u2
    ii libc6 2.36-9+deb12u10
    ii libcurl3-gnutls 7.88.1-10+deb12u12
    ii libglib2.0-0 2.74.6-2+deb12u5
    ii libgnutls30 3.7.9-2+deb12u4
    ii libjansson4 2.14-2
    ii libmm-glib0 1.20.4-1
    ii libndp0 1.8-1+deb12u1
    ii libnewt0.52 0.52.23-1+b1
    ii libnm0 1.42.4-1
    ii libpsl5 0.21.2-1
    ii libreadline8 8.2-1.3
    ii libselinux1 3.4-1+b6
    ii libsystemd0 252.36-1~deb12u1
    ii libteamdctl0 1.31-1
    ii libudev1 252.36-1~deb12u1
    ii policykit-1 122-3
    ii polkitd 122-3
    ii udev 252.36-1~deb12u1

    Versions of packages network-manager recommends:
    ii dnsmasq-base [dnsmasq-base] 2.90-4~deb12u1
    ii libpam-systemd 252.36-1~deb12u1
    ii modemmanager 1.20.4-1
    ii ppp 2.4.9-1+1.1+b1
    ii wireless-regdb 2022.06.06-1
    ii wpasupplicant 2:2.10-12+deb12u2

    Versions of packages network-manager suggests:
    ii iptables 1.8.9-2
    pn libteam-utils <none>

    Versions of packages network-manager is related to:
    ii isc-dhcp-client 4.4.3-P1-2

    -- Configuration Files:
    /etc/NetworkManager/NetworkManager.conf changed:
    [main]
    plugins=ifupdown,keyfile
    [ifupdown]
    managed=false


    -- no debconf information

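A check for the symptom described in this report, as an added example that is not part of the original bug report: it reads `ip -6 route show default` output on stdin and fails when the preferred (lowest-metric) IPv6 default route is not on the intended VPN interface. The function names and the sample route lines (gateway addresses, metrics) are constructed for illustration; multipath routes are not handled.

```shell
#!/bin/sh
# Added example, not from the bug report.
# Usage on a live system: ip -6 route show default | check_v6_default vxlan1
# Exit status: 0 = preferred default route is on the expected device,
#              1 = another device holds the preferred route, 2 = no default route.
check_v6_default() {
    awk -v want="$1" '
    $1 == "default" {
        dev = ""; metric = 0   # no metric field: treat as 0 so it is never hidden
        for (i = 2; i < NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        if (dev == "") next
        n++; devs[n] = dev; mets[n] = metric
        if (n == 1 || metric < best) best = metric
    }
    END {
        if (n == 0) { print "FAIL no IPv6 default route"; exit 2 }
        rc = 0
        for (i = 1; i <= n; i++)
            if (mets[i] == best && devs[i] != want) {
                printf "FAIL preferred default via %s metric %d, expected %s\n", devs[i], best, want
                rc = 1
            }
        if (rc == 0) printf "OK default via %s metric %d\n", want, best
        exit rc
    }'
}

# Constructed sample: the state the report describes (a second default
# route on eth0 that is preferred over the one on vxlan1).
sample_broken() {
    cat <<'EOF'
default via fe80::1 dev eth0 proto ra metric 100 pref medium
default via fe80::2 dev vxlan1 proto ra metric 1024 expires 1700sec pref medium
EOF
}

# Constructed sample: the intended state (only vxlan1 has a default route).
sample_fixed() {
    cat <<'EOF'
default via fe80::2 dev vxlan1 proto ra metric 1024 expires 1700sec pref medium
EOF
}

sample_broken | check_v6_default vxlan1 || true
sample_fixed | check_v6_default vxlan1
```

Run from a timer or monitoring agent, a non-zero exit status shows that traffic has stopped following the L2 VPN's default route.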