[NetworkManager] NM service listens to IPV6 addresses of the whole network

Keywords: Linux networkmanager

1 problem phenomenon

When IPV6 is enabled, the NetworkManager service will listen to all 0 addresses by default. Here 58 is not a port, but a protocol number, indicating icmpv6. The phenomenon is as follows:

# netstat -anp | grep Network
raw6 0 0 :::58 :::* 7 2581242/NetworkMana

2 cause analysis

2.1 raw6 what is it?

raw6 is the RAW SOCKET of IPV6,
You can confirm by viewing the / proc/net/sockstat6 file:

[root@localhost:~ ]#  cat /proc/net/sockstat6
TCP6: inuse 1
UDP6: inuse 0
UDPLITE6: inuse 0
RAW6: inuse 1
FRAG6: inuse 0 memory 0
[root@localhost:~ ]# 

2.2: what's the address?

In ipv6,::: means 0 address, which means all ip addresses here

2.3 what service port is 58?

58 is not a port, but a protocol number. It corresponds to the icmp6 protocol, that is, the ICMP Protocol on IPV6. You can use the following command to query the protocol type corresponding to the port:

[root@localhost:~ ]# ss -l -6 -p -e -n
Netid      State        Recv-Q       Send-Q             Local Address:Port             Peer Address:Port      Process                                                                        
icmp6      UNCONN       0            0                              *:58                          *:*          users:(("NetworkManager",pid=229210,fd=21)) ino:685747 sk:1 v6only:0 <->      
tcp        LISTEN       0            128                         [::]:22                       [::]:*          users:(("sshd",pid=2780,fd=4)) ino:45366 sk:2 v6only:1 <->  

When the NetworkManager service is started, it calls libndp for setting. By default, it listens to all 0 network segments, and cannot be specified through command line parameters or modified through configuration files.

2.4 what is the purpose of protocol 58 monitoring all addresses?

For DAD detection
In IPv6 environment, when a host attempts to configure an IPv6 address, it will first conduct address repeatability detection to confirm the uniqueness of the address on the link. This process is called DAD (Duplicate Address Detection).
For example, when starting a network card with IPv6 enabled, the network card will be automatically configured with a link local address - the address starting with fe80. DAD detection will be carried out before this address takes effect.
The key of DAD detection is NS message. Note that the source address of the message is all 0, the destination address is a multicast address, and the Target points to the IPv6 address to be configured. For a period of time, if no one replies to NA on the link or receives NS messages with the same structure on the link, the address is considered unique on the link and the configuration takes effect
The NS and NA messages used in the whole process are icmpv6 protocol

3 solution

In the scenario where IPV6 is not used, you can disable IPV6 to turn off all zero listening. Otherwise, the product should decide to use firewall and other means for network isolation according to the actual business networking situation and usage scenario.

Method 1: turn off the ipv6 function of the network card

/Configure IPv6 with / etc / sysconfig / network scripts / ifcfg ethx_ Autoconf = "yes" enable listening on this port and configure it as IPV6_AUTOCONF="no" turns off Port 58 listening

Modify the configuration file and restart the network card to take effect:

root localhost:~ $ cat  /etc/sysconfig/network-scripts/ifcfg-eth6 
root localhost:~ $ ifdown eth6 && ifup eth6

Final effect:

Method 2: Firewall

When NetworkManager.service has usage scenarios, add firewalld rules to restrict access to specific networks. For example, using the following configuration, the address request with port 58 (involving ipv6) will be deleted:

firewall-cmd --permanent --add-rich-rule="rule family=ipv6  port protocol=tcp port=58 drop"

Method 3: close the NetworkManager service

Shut down service:

systemctl  stop NetworkManager

Prohibit startup:

systemctl  disable NetworkManager

Posted by valtido on Tue, 28 Sep 2021 13:12:28 -0700