networkd RetransmitSec - how to make it work on a host?

Muggeridge, Matt matt.muggeridge2 at hpe.com
Mon Dec 11 02:49:25 UTC 2023 

The RetransmitSec option was introduced in systemd-v255, but I cannot get it to work for Neighbor Solicitations from a Host. Instead, I observe that the NS are always transmitted at 1 second intervals, regardless of whether it was changed by:


  1.  Received RA Retransmit Timer
  2.  Sysctl net.ipv6.icmp.ratelimit
  3.  Systemd.network configuration file RetransmitSec

A few questions:

  1.  Can you point me at the networkd code that generates the neighbor solicitations?
  2.  My router sends an RA with a Retransmit Timer = 5000ms:
     *   What is supposed to take precedence, the RA or the value in the config file?
     *   With debug enabled, I see networkd writes to /proc/sys/net/ipv6/icmp/ratelimit

                                                               i.      However, that makes no difference to the retransmit rate, which is always 1 second.

  1.  Why is this option not enabled under [Network], but instead under [IPv6SendRA].  Hosts send NS that should also be ratelimited.

$ systemctl --version
systemd 255 (255-1-g6a9a58c^)
+PAM -AUDIT -SELINUX -APPARMOR -IMA -SMACK -SECCOMP -GCRYPT -GNUTLS -OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -TPM2 -BZIP2 -LZ4 +XZ -ZLIB -ZSTD -BPF_FRAMEWORK -XKBCOMMON -UTMP +SYSVINIT default-hierarchy=hybrid

I've tried several configuration changes, but nothing worked.  E.g. I tried to configure the Retransmit interval to 3 seconds. After each configuration change, I ran:

$ systemctl daemon-reload; systemctl restart systemd-networkd

One of my attempts:

$ networkctl cat 10-eno0.network
# /etc/systemd/network/10-eno0.network
[Match]
KernelCommandLine=!nfsroot
Name=eno0

[DHCP]
ClientIdentifier=mac
RouteMetric=10
UseDomains=yes
UseHostname=yes
UseMTU=yes

[IPv6AcceptRA]
#UseOnLinkPrefix=yes
UseDNS=yes
UseDomains=yes

[Link]
RequiredForOnline=no

[Network]
#Address=16.107.234.71/21
#DHCP=ipv6
#DNS=1.2.3.6
#Gateway=16.107.232.1
Address=10.1.1.1/24
DHCP=no
Gateway=10.1.1.2
IPv6AcceptRA=yes
IPv6SendRA=yes

[IPv6SendRA]
RetransmitSec=3


And here is the tcpdump output:

$ tcpdump -i eno0 -n --number ip6 -vv
tcpdump: listening on eno0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    1  02:23:50.607129 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::200:10ff:fe10:1060 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
        hop limit 64, Flags [none], pref medium, router lifetime 9000s, reachable time 30000ms, retrans timer 5000ms
          prefix info option (3), length 32 (4): 2001:2:0:1000::/64, Flags [onlink, auto], valid time 65535s, pref. time 65535s
            0x0000:  40c0 0000 ffff 0000 ffff 0000 0000 2001
            0x0010:  0002 0000 1000 0000 0000 0000 0000
          mtu option (5), length 8 (1):  1500
            0x0000:  0000 0000 05dc

    8< -- snip unrelated multicast packets ---- >8

    4  02:24:00.932029 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 10) fe80::200:10ff:fe10:1081 > fe80::9640:c9ff:fed6:77f6: [icmp6 sum ok] ICMP6, echo request, id 0, seq 0
    5  02:24:00.932412 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::9640:c9ff:fed6:77f6 > ff02::1:ff10:1081: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:10ff:fe10:1081
          source link-address option (1), length 8 (1): 94:40:c9:d6:77:f6
            0x0000:  9440 c9d6 77f6
    6  02:24:01.934639 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::9640:c9ff:fed6:77f6 > ff02::1:ff10:1081: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:10ff:fe10:1081
          source link-address option (1), length 8 (1): 94:40:c9:d6:77:f6
            0x0000:  9440 c9d6 77f6
    7  02:24:02.958599 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::9640:c9ff:fed6:77f6 > ff02::1:ff10:1081: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:10ff:fe10:1081
          source link-address option (1), length 8 (1): 94:40:c9:d6:77:f6
            0x0000:  9440 c9d6 77f6

$ sysctl net.ipv6.icmp.ratelimit
net.ipv6.icmp.ratelimit = 5000


Thanks,
Matt.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20231211/2a9681aa/attachment-0001.htm>

More information about the systemd-devel mailing list