From f1d5d13a50f05c9dd439306e1f464f47d3603a86 Mon Sep 17 00:00:00 2001
From: eriknordmark
Date: Thu, 12 Aug 2021 21:30:09 +0200
Subject: [PATCH 1/2] Stable IPv6 addresses
Signed-off-by: eriknordmark
---
 pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf b/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf
index 476b3d0eaf..eaf855eaf1 100644
--- a/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf
+++ b/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf
@@ -25,6 +25,9 @@ net.ipv6.conf.default.addr_gen_mode = 2
 net.ipv6.conf.all.addr_gen_mode = 2
 net.ipv6.conf.default.use_tempaddr = 0
 net.ipv6.conf.all.use_tempaddr = 0
+# Used a fixed number to get the same for each boot/EVE update
+net.ipv6.conf.default.stable_secret = ff::0
+net.ipv6.conf.all.stable_secret = ff::0
 # For reliable downloads need less than 2 hour keepalive timer
 net.ipv4.tcp_keepalive_time = 60
From 783c7d8cfc29c90661ce1a99f8834e6a575d7fba Mon Sep 17 00:00:00 2001
From: eriknordmark
Date: Thu, 28 Oct 2021 15:17:01 -0700
Subject: [PATCH 2/2] Try force settings for stable IPv6
Signed-off-by: eriknordmark
---
 .../rootfs/etc/sysctl.d/02-eve.conf | 3 ++
 pkg/pillar/devicenetwork/rename.go | 39 ++++++++++++++++++-
 2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf b/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf
index eaf855eaf1..d98bcb2ea6 100644
--- a/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf
+++ b/pkg/dom0-ztools/rootfs/etc/sysctl.d/02-eve.conf
@@ -9,6 +9,7 @@ kernel.softlockup_panic = 1
 # zedrouter settings
 net.ipv4.ip_forward = 1
 net.ipv6.conf.all.forwarding = 1
+net.ipv6.conf.default.forwarding = 1
 # We use ip6tables for the bridge
 net.bridge.bridge-nf-call-ip6tables = 1
 net.bridge.bridge-nf-call-iptables = 1
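Review bot: The two `stable_secret = ff::0` lines added by PATCH 1/2 give every device the same, publicly known RFC 7217 key. Stable-privacy addressing only keeps the interface identifier unpredictable while that key is unknown, so with a constant shipped in the image the generated addresses can be derived by anyone who knows the prefix and the interface, and the same key is shared by every device running this image. The stability across boots and EVE updates that the added comment asks for is also met by a value generated once per device and kept in persistent storage. As far as I recall the kernel documentation states that writes to `conf/all/stable_secret` are refused, so the `all` line may only produce an error at boot; this is worth confirming and the line dropped if so. Until the value is per-device, the comment could say so, for example `# NOTE: fixed, public value; addresses are stable but not private`.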
@@ -20,6 +21,8 @@ net.netfilter.nf_conntrack_timestamp = 1 net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.log_martians = 0 +net.ipv6.conf.default.accept_ra = 2 +net.ipv6.conf.all.accept_ra = 2 # Avoid lots of temporary addresses; use RFC7217 instead net.ipv6.conf.default.addr_gen_mode = 2 net.ipv6.conf.all.addr_gen_mode = 2 diff --git a/pkg/pillar/devicenetwork/rename.go b/pkg/pillar/devicenetwork/rename.go index 7299e74be9..e9f36cb9d7 100644 --- a/pkg/pillar/devicenetwork/rename.go +++ b/pkg/pillar/devicenetwork/rename.go @@ -18,6 +18,7 @@ import ( // Ethernet interfaces have no bridge // Assumes that the caller has checked that the interfaces exist // We therefore skip any interfaces which do not exist +// Also sets sysctls on the interface func UpdateBridge(log *base.LogObject, newConfig, oldConfig types.DevicePortConfig) { // Look for adds @@ -47,6 +48,7 @@ func addBridge(log *base.LogObject, ifname string) error { log.Noticef("addBridge(%s)", ifname) if !strings.HasPrefix(ifname, "eth") { log.Functionf("addBridge: skipping %s", ifname) + setSysctls(log, ifname) return nil } link, err := netlink.LinkByName(ifname) @@ -115,6 +117,7 @@ func addBridge(log *base.LogObject, ifname string) error { log.Error(err) return err } + setSysctls(log, ifname) // ip link set kethN master ethN if err := netlink.LinkSetMaster(kernLink, bridge); err != nil { err = fmt.Errorf("addBridge LinkSetMaster(%s, %s) failed: %v", @@ -128,7 +131,7 @@ func addBridge(log *base.LogObject, ifname string) error { log.Error(err) return err } - // update cached ifindex + // updatecached ifindex _, err = UpdateIfnameToIndex(log, ifname) if err != nil { log.Errorf("addBridge: UpdateIfnameToIndex failed: %v", err) 
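Review bot: `accept_ra = 2` on `default` and `all` in the `@@ -20,6 +21,8 @@` hunk of 02-eve.conf makes every interface, including ones created later, honour Router Advertisements although forwarding is on (the `@@ -9,6 +9,7 @@` hunk of the same patch also enables forwarding for `default`). On a node that routes for application networks this means a Router Advertisement arriving on any attached segment can change the node's IPv6 default route and addresses. If RAs are only needed on device ports, the per-interface `accept_ra=2` that setSysctls in rename.go already writes would be the narrower setting and `default`/`all` could stay untouched. If the global value is kept, a comment such as `# accept RAs although forwarding=1; needed for SLAAC on uplinks` would record why it is 2.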
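Review bot: In the `@@ -47,6 +48,7 @@` hunk of rename.go the non-`eth` branch logs "addBridge: skipping" and then does work on the interface, and it returns nil whether or not the sysctl writes succeeded because setSysctls has no return value. The log text should say what is skipped, for example `log.Functionf("addBridge: no bridge for %s, only setting sysctls", ifname)`. The same silent-failure point applies to the `setSysctls(log, ifname)` call added in the `@@ -115,6 +117,7 @@` hunk; addBridge's body continues outside both hunks.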
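Review bot: The `@@ -128,7 +131,7 @@` hunk changes the comment `// update cached ifindex` to `// updatecached ifindex`, which looks like an accidental keystroke and not an intended edit. Restoring `// update cached ifindex` removes this hunk from the patch altogether.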
@@ -136,6 +139,40 @@ func addBridge(log *base.LogObject, ifname string) error {
 return nil
 }
+// Make sure we have the settings needed for IPv6
+func setSysctls(log *base.LogObject, ifname string) {
+ sysctlSetting := fmt.Sprintf("net.ipv6.conf.%s.stable_secret=ff::0",
+ ifname)
+ args := []string{"-w", sysctlSetting}
+ log.Noticef("Calling command %s %v", "sysctl", args)
+ out, err := base.Exec(log, "sysctl", args...).CombinedOutput()
+ if err != nil {
+ errStr := fmt.Sprintf("sysctl command %s failed %s output %s",
+ args, err, out)
+ log.Errorln(errStr)
+ }
+ sysctlSetting = fmt.Sprintf("net.ipv6.conf.%s.accept_ra=2",
+ ifname)
+ args = []string{"-w", sysctlSetting}
+ log.Noticef("Calling command %s %v", "sysctl", args)
+ out, err = base.Exec(log, "sysctl", args...).CombinedOutput()
+ if err != nil {
+ errStr := fmt.Sprintf("sysctl command %s failed %s output %s",
+ args, err, out)
+ log.Errorln(errStr)
+ }
+ sysctlSetting = fmt.Sprintf("net.ipv6.conf.%s.addr_gen_mode=4",
+ ifname)
+ args = []string{"-w", sysctlSetting}
+ log.Noticef("Calling command %s %v", "sysctl", args)
+ out, err = base.Exec(log, "sysctl", args...).CombinedOutput()
+ if err != nil {
+ errStr := fmt.Sprintf("sysctl command %s failed %s output %s",
+ args, err, out)
+ log.Errorln(errStr)
+ }
+}
+
 // Check if the name is ethN and a bridge
 // If so delete it and find kethN and rename it back to ethN.
 // Also restore the Mac address on ethN
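Review bot: The third write in setSysctls sets `addr_gen_mode=4`, while 02-eve.conf in the same series uses 2 for RFC 7217 and the kernel documents only modes 0 to 3, so this write most likely fails and leaves nothing but the error log. The first write passes the `stable_secret` value through `log.Noticef`, which is harmless for the public `ff::0` but would put the key into the device log as soon as it becomes a per-device value (whether `base.Exec` logs its arguments as well is not visible here). The three copies of the exec-and-log sequence can be one loop over the settings that logs the key name only, as sketched below. Errors are still only logged there because the function has no return value; the callers in addBridge would need one if a failed write should stop bridge setup, and the one-line comment above the function could state that failures are logged and not returned.

```go
func setSysctls(log *base.LogObject, ifname string) {
	settings := []struct{ name, value string }{
		{"stable_secret", "ff::0"}, // value kept from this commit
		{"accept_ra", "2"},
		{"addr_gen_mode", "2"}, // stable-privacy, as in 02-eve.conf
	}
	for _, s := range settings {
		key := fmt.Sprintf("net.ipv6.conf.%s.%s", ifname, s.name)
		// Log the key only so that a secret value never reaches the log
		log.Noticef("Calling command sysctl -w %s", key)
		out, err := base.Exec(log, "sysctl", "-w", key+"="+s.value).CombinedOutput()
		if err != nil {
			log.Errorf("sysctl -w %s failed %s output %s", key, err, out)
		}
	}
}
```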