Do I need disable IPv6 on CentOS 6.0? If yes, how exactly?

[yngens]

http://wiki.centos.org/FAQ/CentOS5#head-47912ebdae3b5ac10ff76053ef057c366b421dc4 gives instructions on how to remove ipv6 form CentOS5. I could not find similar wiki page for CentOS6. Searching Internet gives different instructions and many of them suggest editing '/etc/modprobe.conf' file, which is not present in CentOS6. So what is the most appropriate way of disabling (removing) IPv6 from CentOS6? Does removing it really somehow effect performance?

[TrevorH]

The instructions for 5.4 talk about using a file in /etc/modprobe.d and that should work on C6 (untested by me).

[pschaff]

Found on the rhelv6-list:
[quote]
Add a new file [b]/etc/modprobe.d/ipv6-off.conf[/b] containing
[code]
alias net-pf-10 off
alias ipv6 off
[/code]
Edit [b]/etc/sysconfig/network[/b] and add a line
[code]
NETWORKING_IPV6=no
[/code]
Then
[code]
chkconfig ip6tables off
[/code]
Reboot.
[/quote]
Minimally tested but seems to work. Please report your experiences.

Disabling IPv6 may minimize network timeout delays. I notice no difference in my minimal tests.

[TrevorH]

The ipv6 module on CentOS 6 seems to still support the 'disable' parameter that was used on 5.6 - at least modinfo ipv6 reports so.

[yngens]

I found instructions elsewhere to to put

'install ipv6 /bin/true'

in

/etc/modprobe.d/disable-ipv6.conf

Seems working for me.

Thanks all!

[TrevorH]

Hmmm, I did some digging and found this

[code]
sysctl net.ipv6.conf.default.disable_ipv6=1
sysctl net.ipv6.conf.all.disable_ipv6=1
[/code]

Which looks much more elegant and almost like it was done by design :-)

Oh, and for this to work, the ipv6 module has to be loaded.

The comment on the bugzilla about loads of selinux denials as all processes that are ipv6 enabled try to load the ipv6 module was

[quote]
Eric Paris

I believe the networking kernel community recommends (and it will shut up these
AVCs) that IPv6 be disabled by:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

It still loads the module but unhooks almost all of the calls into the module.
(apparently the IPv6 module has become so ingrained in the kernel that a number
of other things, like certain firewall modules, require it. I didn't design
it, I'm just telling it how it is)
[/quote]

[pschaff]

So, we have multiple potential approaches, but what is the [i][b]Right Way [TM][/b][/i] to implement disabling IPv6 so it survives reboots and does not break SELinux or other things?

[TrevorH]

The quote I provided was from a Redhat employee commenting in a bugzilla about the correct approach on RHEL6.

The problem with the alias to off or /bin/false or /bin/true is that it stops the ipv6 module from loading altogether and there are now lots of other modules that require it. Disabling it in this way has the side effect of disabling, e.g. bonding and possibly also flooding your logs with SELinux AVC messages.

The old Centos 5.4 approach of allowing it to load but with the parameter 'disable=1' should still work but I am not sure if that let's you re-enable it without unloading the module.

The final approach is this one, and adding the keys to /etc/sysctl.conf should make it persistent across reboots. It also means that you can enable it on the fly (which may still be possible with disable=1).

https://bugzilla.redhat.com/show_bug.cgi?id=641836

Apparently this method will also work on Centos 5.4 onwards but there's a memory leak that's only fixed in 2.6.18-238+ kernels.

[pschaff]

Good enough for me - thanks. Updated CentOS-5 FAQ and added a [url=http://wiki.centos.org/FAQ/CentOS6#head-d47139912868bcb9d754441ecb6a8a10d41781df]CentOS 6 FAQ[/url] entry.

[yngens]

I wonder could the issue I described in another thread https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=32574&forum=58 (to which, unfortunately, nobody replied) have something with my [improper] turning off of IPv6?