ArchWiki - User contributions [en]
https://wiki.archlinux.org/api.php?action=feedcontributions&user=Op3&feedformat=atom
2024-03-28T12:36:35Z, MediaWiki 1.41.0

IPv6 (2022-08-14T06:50:55Z)
https://wiki.archlinux.org/index.php?title=IPv6&diff=741551
<p>Op3: /* NAT64 */ Jool domain changed</p>
<hr />
<div>[[Category:Networking]]<br />
[[ja:IPv6]]<br />
[[pt:IPv6]]<br />
[[ru:IPv6]]<br />
{{Related articles start}}<br />
{{Related|IPv6 tunnel broker setup}}<br />
{{Related articles end}}<br />
<br />
In Arch Linux, [[Wikipedia:IPv6|IPv6]] is enabled by default.<br />
<br />
The [https://tldp.org/HOWTO/Linux+IPv6-HOWTO/index.html tldp Linux+IPv6-HOWTO] article is older and less maintained, yet it attempts to cover many of the topics mentioned in this article, starts from the basics, and advances at a slower pace. It also has many command line examples. Beginners might want to read or skim it before reading this wiki article.<br />
<br />
== Neighbor discovery ==<br />
<br />
Pinging the multicast address {{ic|ff02::1}} results in all hosts in link-local scope responding. An interface has to be specified:<br />
<br />
$ ping ff02::1%eth0<br />
<br />
After that, you can get a list of all the neighbors in the local network with:<br />
<br />
$ ip -6 neigh<br />
<br />
With a ping to the multicast address {{ic|ff02::2}} only routers will respond.<br />
<br />
If you add an option {{ic|-I ''your-global-ipv6''}}, link-local hosts will respond with their link-global scope addresses. The interface can be omitted in this case:<br />
<br />
$ ping -I 2001:4f8:fff6::21 ff02::1<br />
<br />
== Stateless autoconfiguration (SLAAC) ==<br />
<br />
The easiest way to acquire an IPv6 address as long as your network is configured is through ''Stateless address autoconfiguration'' (SLAAC for short). The address is automatically inferred from the prefix that your router advertises and requires neither further configuration nor specialized software such as a DHCP client.<br />
<br />
=== For clients ===<br />
<br />
If you are using [[netctl]] you just need to add the following line to your Ethernet or wireless configuration.<br />
<br />
IP6=stateless<br />
<br />
If you are using [[NetworkManager]] then it automatically enables IPv6 addresses if there are advertisements for them in the network.<br />
<br />
Please note that stateless autoconfiguration only works if ICMPv6 packets are allowed throughout the network, so on the client side the {{ic|ipv6-icmp}} packets must be accepted. If you are using the [[Simple stateful firewall]]/[[iptables]] you only need to add:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
<br />
If you are using another firewall frontend (ufw, shorewall, etc.), consult its documentation on how to allow {{ic|ipv6-icmp}} packets.<br />
<br />
If your chosen network management solution does not support configuring the DNS resolver with stateless IPv6 (e.g. ''netctl''), then it is possible to use {{man|8|rdnssd}} from the {{pkg|ndisc6}} package for that.<br />
<br />
=== For gateways ===<br />
<br />
To properly hand out IPv6 addresses to the network clients we will need to use an advertising daemon. The standard tool for this job is {{Pkg|radvd}}, which is available in the [[official repositories]]. Configuration of ''radvd'' is fairly simple. Edit {{ic|/etc/radvd.conf}} to include<br />
<br />
# replace LAN with your LAN facing interface<br />
interface LAN {<br />
AdvSendAdvert on;<br />
MinRtrAdvInterval 3;<br />
MaxRtrAdvInterval 10;<br />
prefix ::/64 {<br />
AdvOnLink on;<br />
AdvAutonomous on;<br />
AdvRouterAddr on;<br />
};<br />
};<br />
<br />
The above configuration will tell clients to autoconfigure themselves using addresses from the advertised /64 block. Please note that the above configuration advertises ''all available prefixes'' assigned to the LAN facing interface. If you want to limit the advertised prefixes instead of {{ic|::/64}} use the desired prefix, e.g. {{ic|2001:DB8::/64}}. The {{ic|prefix}} block can be repeated many times for more prefixes.<br />
<br />
To advertise DNS servers to your LAN clients you can use the RDNSS feature. For example, add the following lines to {{ic|/etc/radvd.conf}} to advertise Google's DNS v6 servers:<br />
<br />
RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {<br />
};<br />
<br />
The gateway must also allow the traffic of {{ic|ipv6-icmp}} packets on all basic chains. For the [[Simple stateful firewall]]/[[iptables]] add:<br />
<br />
-A INPUT -p ipv6-icmp -j ACCEPT<br />
-A OUTPUT -p ipv6-icmp -j ACCEPT<br />
-A FORWARD -p ipv6-icmp -j ACCEPT<br />
<br />
Adjust accordingly for other firewall frontends and do not forget to [[enable]] {{ic|radvd.service}}.<br />
<br />
== Privacy extensions ==<br />
<br />
When a client acquires an address through SLAAC, its IPv6 address is derived from the advertised prefix and the MAC address of the client's network interface. This may raise security concerns, as the MAC address of the computer can easily be derived from the IPv6 address. To tackle this problem, the ''IPv6 Privacy Extensions'' standard ([[RFC:4941|RFC 4941]]) has been developed. With privacy extensions the kernel generates a ''temporary'' address that is mangled from the original autoconfigured address. Temporary addresses are preferred when connecting to a remote server so the original address is hidden. To enable Privacy Extensions, follow these steps:<br />
<br />
Add these lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 Privacy Extensions<br />
net.ipv6.conf.all.use_tempaddr = 2<br />
net.ipv6.conf.default.use_tempaddr = 2<br />
net.ipv6.conf.''nic0''.use_tempaddr = 2<br />
...<br />
net.ipv6.conf.''nicN''.use_tempaddr = 2<br />
<br />
Where {{ic|nic0}} to {{ic|nicN}} are your '''N'''etwork '''I'''nterface '''C'''ards. You can find their names using the instructions in [[Network configuration#Listing network interfaces]]. The {{ic|all.use_tempaddr}} and {{ic|default.use_tempaddr}} parameters are not applied to NICs that already exist when the [[sysctl]] settings are executed.<br />
<br />
After a reboot, at the latest, Privacy Extensions should be enabled.<br />
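
To check the result, the following added example (not ArchWiki code) parses {{ic|ip addr show}} output and reports which addresses still embed the MAC as a modified EUI-64 identifier, and whether a temporary address exists to be preferred instead. The sample output and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip addr show dev eth0` output (documentation prefix).
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet6 2001:db8:1:2:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86390sec preferred_lft 14390sec
    inet6 2001:db8:1:2:8c1f:3a77:91d2:4be0/64 scope global temporary dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6_RE = re.compile(r"^\s*inet6\s+(\S+)/\d+\s+scope\s+(\S+)(.*)$")


def mac_from_eui64(addr):
    """Return the MAC embedded in the interface identifier, or None.

    A modified EUI-64 identifier is the 48-bit MAC with ff:fe inserted in
    the middle and the universal/local bit (0x02 of octet 0) flipped.
    """
    bare = addr.split("%")[0].split("/")[0]    # drop zone id and prefix length
    iid = ipaddress.IPv6Address(bare).packed[8:]  # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None  # temporary, stable-privacy, static or DHCPv6 address
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(ip_addr_output):
    """Return one finding per inet6 line of `ip addr show` output."""
    findings = []
    for line in ip_addr_output.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addr, scope, rest = m.groups()
        flags = rest.split()
        findings.append({
            "address": addr,
            "scope": scope,
            "temporary": "temporary" in flags,
            "stable_privacy": "stable-privacy" in flags,
            "leaked_mac": mac_from_eui64(addr),
        })
    return findings


def privacy_extensions_missing(findings):
    """True if a global address embeds the MAC and no temporary one exists."""
    global_addrs = [f for f in findings if f["scope"] == "global"]
    leaks = any(f["leaked_mac"] for f in global_addrs)
    has_temp = any(f["temporary"] for f in global_addrs)
    return leaks and not has_temp


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print("privacy extensions missing:",
          privacy_extensions_missing(audit(SAMPLE)))
```

With {{ic|1=use_tempaddr = 2}} the EUI-64 address usually remains on the interface (flag {{ic|mngtmpaddr}}); what matters is that a {{ic|temporary}} address exists alongside it.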
<br />
=== dhcpcd ===<br />
<br />
[[dhcpcd]]'s default configuration includes the option {{ic|slaac private}}, which enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing [[RFC:7217|RFC 7217]]. Therefore, it is not necessary to change anything, unless you want the IPv6 address to change more often than each time the system is connected to a new network. Set it to {{ic|slaac hwaddr}} for a stable address.<br />
<br />
=== NetworkManager ===<br />
<br />
The use of IPv6 Privacy Extensions in [[NetworkManager]] can be controlled with the {{ic|ipv6.ip6-privacy}} setting in {{man|5|NetworkManager.conf}} or in the connection's profile. If it is not set globally nor per-connection, NetworkManager will fall back to reading {{ic|/proc/sys/net/ipv6/conf/default/use_tempaddr}}.<br />
<br />
To explicitly enable IPv6 Privacy Extensions by default, add these lines to {{man|5|NetworkManager.conf}}:<br />
<br />
{{hc|/etc/NetworkManager/conf.d/ip6-privacy.conf|2=<br />
[connection]<br />
ipv6.ip6-privacy=2<br />
}}<br />
<br />
[[NetworkManager#Configuration|Apply the configuration]] and reconnect to all active connections.<br />
<br />
To control the use of IPv6 Privacy Extensions for individual NetworkManager-managed connections, edit the desired connection keyfile in {{ic|/etc/NetworkManager/system-connections/}} and append to its {{ic|[ipv6]}} section the key-value pair {{ic|1=ip6-privacy=2}}:<br />
<br />
{{hc|/etc/NetworkManager/system-connections/''example_connection''.nmconnection|2=<br />
...<br />
[ipv6]<br />
method=auto<br />
'''ip6-privacy=2'''<br />
...<br />
}}<br />
<br />
Reload the connection and reconnect to it afterwards.<br />
<br />
{{Note|Although it may seem the {{ic|scope global temporary}} IPv6 address created by enabling Privacy Extensions never gets renewed (it never shifts to {{ic|deprecated}} status at the term of its {{ic|valid_lft}} lifetime), it is to be verified over a longer period of time that this address '''does''' indeed change.}}<br />
<br />
=== systemd-networkd ===<br />
<br />
''systemd-networkd'' also does not honor the settings {{ic|net.ipv6.conf.xxx.use_tempaddr}} placed in {{ic|/etc/sysctl.d/40-ipv6.conf}} unless the option {{ic|IPv6PrivacyExtensions}} is set with the value {{ic|kernel}} in the ''.network'' file(s).<br />
<br />
Other options for the IPv6 Privacy Extensions like:<br />
<br />
net.ipv6.conf.xxx.temp_prefered_lft<br />
net.ipv6.conf.xxx.temp_valid_lft<br />
<br />
are honored, however.<br />
<br />
{{Note|{{ic|temp_prefered_lft}} is the variable name, preferred has to be misspelled.}}<br />
<br />
See [[systemd-networkd]] and {{man|5|systemd.network}} for details.<br />
<br />
=== ConnMan ===<br />
<br />
Set in a service file, i.e. {{ic|/var/lib/connman/''service''/settings}}:<br />
<br />
IPv6.privacy=preferred<br />
<br />
See [[ConnMan]] for details.<br />
<br />
== Stable private addresses ==<br />
<br />
Another option is a stable private IP address ([[RFC:7217|RFC 7217]]). This allows for IPs that are stable within a network without exposing the MAC address of the interface.<br />
<br />
In order to have the kernel generate a key (for {{ic|wlan0}}, for example) we can set:<br />
<br />
# sysctl net.ipv6.conf.wlan0.addr_gen_mode=3<br />
<br />
Bring the interface down and up, and you should see {{ic|stable-privacy}} next to each IPv6 address after running {{ic|ip addr show dev wlan0}}. The kernel has generated a 128-bit secret for generating IP addresses for this interface; to see it, run {{ic|sysctl net.ipv6.conf.wlan0.stable_secret}}. To persist this value, add the following lines to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Enable IPv6 stable privacy mode<br />
net.ipv6.conf.wlan0.stable_secret = ''output_from_previous_command''<br />
net.ipv6.conf.wlan0.addr_gen_mode = 2<br />
<br />
{{Note|If you are using [[dhcpcd]] to get the IPv6 address, the {{ic|stable-privacy}} flag will '''not''' be attributed to this IP address.}}<br />
<br />
=== NetworkManager ===<br />
<br />
The above settings are not honored by NetworkManager, but NetworkManager uses stable private addresses by default.[https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/nm-1-12/NEWS#L367-369][https://bugzilla.redhat.com/show_bug.cgi?id=1279242#c15]<br />
<br />
== Static address ==<br />
<br />
Sometimes, using a static address can improve security. For example, if your local router uses Neighbor Discovery or ''radvd'' ([[RFC:2461|RFC 2461]]), your interface will automatically be assigned an address based on its MAC address (using IPv6's Stateless Autoconfiguration). This may be less than ideal for security since it allows a system to be tracked even if the network portion of the IP address changes.<br />
<br />
To assign a static IP address using [[netctl]], look at the example profile in {{ic|/etc/netctl/examples/ethernet-static}}. The following lines are important:<br />
<br />
...<br />
# For IPv6 static address configuration<br />
IP6=static<br />
Address6=('1234:5678:9abc:def::1/64' '1234:3456::123/96')<br />
Routes6=('abcd::1234')<br />
Gateway6='1234:0:123::abcd'<br />
<br />
{{Note|1=If you are connected IPv6-only, then you need to determine your IPv6 DNS server. For example:<br />
<br />
DNS=('6666:6666::1' '6666:6666::2')<br />
<br />
If your provider did not give you IPv6 DNS and you are not running your own, you can choose from the [[resolv.conf]] article.<br />
}}<br />
<br />
== IPv6 and PPPoE ==<br />
<br />
The standard tool for PPPoE, {{man|8|pppd}}, provides support for IPv6 on PPPoE as long as your ISP and your modem support it. Just add the following to {{ic|/etc/ppp/options}}<br />
<br />
+ipv6<br />
<br />
If you are using [[netctl]] for PPPoE then just add the following to your ''netctl'' configuration instead:<br />
<br />
PPPoEIP6=yes<br />
<br />
== Prefix delegation (DHCPv6-PD) ==<br />
<br />
{{Note|This section is targeted towards custom gateway configuration, not client machines. For standard market routers please consult the documentation of your router on how to enable prefix delegation.}}<br />
<br />
Prefix delegation is a common IPv6 deployment technique used by many ISPs. It is a method of assigning a network prefix to a user site (i.e. local network). A router can be configured to assign different network prefixes to various subnetworks. The ISP hands out a network prefix using DHCPv6 (usually a {{ic|/56}} or {{ic|/64}}) and a DHCP client assigns the prefixes to the local network. For a simple two-interface gateway, it practically assigns an IPv6 prefix to the interface connected to the local network from an address acquired through the interface connected to WAN (or a pseudo-interface such as [[ppp]]).<br />
<br />
DHCPv6 requires the client to receive incoming connections on port 546 UDP. For an [[nftables]]-based firewall, that can be configured with one line in the input chain in {{ic|/etc/nftables.conf}}:<br />
<br />
table inet filter {<br />
chain input {<br />
udp dport dhcpv6-client accept<br />
...<br />
}<br />
...<br />
}<br />
<br />
=== With dhcpcd ===<br />
<br />
[[dhcpcd]] apart from IPv4 dhcp support also provides a fairly complete implementation of the DHCPv6 client standard which includes DHCPv6-PD. If you are using {{ic|dhcpcd}} edit {{ic|/etc/dhcpcd.conf}}. You might already be using dhcpcd for IPv4 so just update your existing configuration.<br />
<br />
{{bc|<br />
duid<br />
noipv6rs<br />
waitip 6<br />
# Uncomment this line if you are running dhcpcd for IPv6 only.<br />
#ipv6only<br />
<br />
# use the interface connected to WAN<br />
interface WAN<br />
ipv6rs<br />
iaid 1<br />
# use the interface connected to your LAN<br />
ia_pd 1 LAN<br />
#ia_pd 1/::/64 LAN/0/64<br />
}}<br />
<br />
This configuration will ask for a prefix from WAN interface ({{ic|WAN}}) and delegate it to the internal interface ({{ic|LAN}}).<br />
In the event that a {{ic|/64}} range is issued, you will need to use the second {{ic|ia_pd}} instruction, which is commented out, instead.<br />
It will also disable router solicitations on all interfaces except for the WAN interface ({{ic|WAN}}).<br />
<br />
{{Tip|Also read {{man|8|dhcpcd}} and {{man|5|dhcpcd.conf}}.}}<br />
<br />
=== With WIDE-DHCPv6 ===<br />
<br />
[http://wide-dhcpv6.sourceforge.net/ WIDE-DHCPv6] is an open-source implementation of Dynamic Host Configuration Protocol for IPv6 (DHCPv6) originally developed by the KAME project. It can be [[install]]ed with {{AUR|wide-dhcpv6}}.<br />
<br />
If you are using ''wide-dhcpv6'', edit {{ic|/etc/wide-dhcpv6/dhcp6c.conf}}<br />
<br />
{{bc|<br />
# use the interface connected to your WAN<br />
interface WAN {<br />
send ia-pd 0;<br />
};<br />
<br />
id-assoc pd 0 {<br />
# use the interface connected to your LAN<br />
prefix-interface LAN {<br />
sla-id 1;<br />
sla-len 8;<br />
};<br />
};<br />
}}<br />
<br />
{{Note|1={{ic|sla-len}} should be set so that {{ic|1=(WAN-prefix) + (sla-len) = 64}}. In this case it is set up for a {{ic|/56}} prefix 56+8=64. For a {{ic|/64}} prefix {{ic|sla-len}} should be {{ic|0}}.}}<br />
<br />
The ''wide-dhcpv6'' client can be [[started/enabled]] using the {{ic|dhcp6c@''interface''.service}} systemd unit file, where {{ic|''interface''}} is the interface name in the configuration file, e.g. for an interface named "WAN" use {{ic|dhcp6c@WAN.service}}.<br />
<br />
{{Tip|Read {{man|8|dhcp6c|url=}} and {{man|5|dhcp6c.conf|url=}} for more information.}}<br />
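
The {{ic|sla-id}}/{{ic|sla-len}} arithmetic from the note above, as an added example (not ArchWiki or WIDE-DHCPv6 code). It assumes the SLA ID is placed in the {{ic|sla-len}} bits that directly follow the delegated prefix; the function names and the {{ic|2001:db8::}} prefixes are constructed for illustration.

```python
import ipaddress


def required_sla_len(delegated):
    """sla-len that turns the delegated prefix into a /64 for the LAN."""
    plen = ipaddress.IPv6Network(delegated).prefixlen
    if plen > 64:
        raise ValueError(f"/{plen} is longer than /64, no LAN subnet fits")
    return 64 - plen


def lan_prefix(delegated, sla_id, sla_len):
    """Return the /64 the LAN interface gets for this sla-id and sla-len.

    Raises ValueError when (WAN-prefix) + (sla-len) != 64 or when sla-id
    does not fit into sla-len bits.
    """
    pd = ipaddress.IPv6Network(delegated)
    new_len = pd.prefixlen + sla_len
    if new_len != 64:
        raise ValueError(
            f"/{pd.prefixlen} + sla-len {sla_len} = /{new_len}, expected /64")
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    # The SLA ID occupies the bits between the delegated prefix and bit 64.
    base = int(pd.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


if __name__ == "__main__":
    # Constructed /56 delegation with the sla-id 1 / sla-len 8 shown above.
    print(lan_prefix("2001:db8:ab00::/56", 1, 8))
    # Constructed /64 delegation: sla-len must be 0, so only sla-id 0 fits.
    print(lan_prefix("2001:db8:ab00:12::/64", 0, 0))
```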
<br />
=== systemd-networkd ===<br />
<br />
Configure both your upstream (wan) and downstream (lan) interface. This will enable DHCPv6-PD on the interface where the DHCPv6 client is running. The delegated prefixes are distributed by IPv6 Router Advertisement on the downstream network.<br />
<br />
{{hc|/etc/systemd/network/wan.network|2=<br />
[Network]<br />
# Use 'yes' instead of 'ipv6' for both ipv4 and ipv6.<br />
DHCP=ipv6<br />
}}<br />
<br />
{{hc|/etc/systemd/network/lan.network|2=<br />
[Network]<br />
IPv6SendRA=yes<br />
DHCPv6PrefixDelegation=yes<br />
}}<br />
<br />
=== Other clients ===<br />
<br />
[[dhclient]] can also request a prefix, but assigning that prefix, or parts of that prefix to interfaces must be done using a ''dhclient'' exit script. For example: https://github.com/jaymzh/v6-gw-scripts/blob/master/dhclient-ipv6.<br />
<br />
== NAT64 ==<br />
<br />
[[Wikipedia:NAT64]] is the IPv6 transition mechanism where IPv6-only hosts are able to communicate with IPv4 hosts using NAT.<br />
<br />
The Linux kernel does not support NAT64 natively, but there are several packages that add support for NAT64.<br />
<br />
* {{App|Jool|SIIT and NAT64 for Linux|https://nicmx.github.io/Jool/|{{AUR|jool-dkms}}, {{AUR|jool-tools}}}}<br />
* {{App|TAYGA|NAT64 daemon (unmaintained)|http://www.litech.org/tayga/|{{AUR|tayga}}}}<br />
<br />
== Disable IPv4 ==<br />
<br />
{{Expansion|Add instructions to disable legacy IP, esp. if the network has NAT64 and DNS64 we do not need to maintain dualstack, also the implementation of CGN degraded ipv4 performance and usability (e.g. hosting nextcloud at home is nowadays often only possible using only ipv6 and services like dynv6.com or namecheap dyndns records. This is because no public ipv4 is available, not even to the CPE router)}}<br />
<br />
== Disable IPv6 ==<br />
<br />
{{Note|The Arch kernel has IPv6 support built in directly, therefore a module cannot be blacklisted.}}<br />
<br />
{{Expansion|Add reasons why users may want to disable IPv6, such as low-quality DNS servers or firewall rules}}<br />
{{Expansion|Add drawbacks of disabling IPv6, like degraded performance behind CGN, worse performance in p2p/webrtc based applications and games}}<br />
<br />
=== Disable functionality ===<br />
<br />
Adding {{ic|1=ipv6.disable=1}} to the kernel line disables the whole IPv6 stack, which is likely what you want if you are experiencing issues. See [[Kernel parameters]] for more information.<br />
<br />
Alternatively, adding {{ic|1=ipv6.disable_ipv6=1}} instead will keep the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices.<br />
<br />
One can also avoid assigning IPv6 addresses to specific network interfaces by adding the following [[sysctl]] configuration to {{ic|/etc/sysctl.d/40-ipv6.conf}}:<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.''nic0''.disable_ipv6 = 1<br />
...<br />
net.ipv6.conf.''nicN''.disable_ipv6 = 1<br />
<br />
[[Restart]] the {{ic|systemd-sysctl.service}} unit to apply the configuration changes.<br />
<br />
Note that you must list all of the targeted interfaces explicitly, as {{ic|all.disable_ipv6}} does not apply to interfaces that are already "up" when ''sysctl'' settings are applied.<br />
<br />
{{Note|If disabling IPv6 via ''sysctl'', you should comment out the IPv6 hosts in your {{ic|/etc/hosts}}. Otherwise there could be some connection errors because hosts are resolved to their IPv6 address which is not reachable.}}<br />
<br />
=== Other programs ===<br />
<br />
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases, this is completely harmless, but if you find yourself having issues with that program, you should consult the program's manual pages for a way to disable that functionality.<br />
<br />
==== dhcpcd ====<br />
<br />
''dhcpcd'' will continue to harmlessly attempt to perform IPv6 router solicitation. To disable this, as stated in the {{man|5|dhcpcd.conf}} [[man page]], add the following to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noipv6rs<br />
noipv6<br />
<br />
==== NetworkManager ====<br />
<br />
To disable IPv6 in NetworkManager, right click the network status icon, and select ''Edit Connections > Wired > ''Network name'' > Edit > IPv6 Settings > Method > Ignore/Disabled''. Then click ''Save''.<br />
<br />
This can also be done as: <br />
<br />
# nmcli connection modify ''ConnectionName'' ipv6.method "disabled"<br />
<br />
Followed by a restart of the network connection:<br />
<br />
# nmcli connection up ''ConnectionName''<br />
<br />
To confirm the settings have been applied, use {{ic|ip address show}} and check no inet6 entry is displayed. Alternatively, {{ic|/proc/sys/net/ipv6/conf/''interface''/disable_ipv6}} should have the value 1.<br />
<br />
==== ntpd ====<br />
<br />
Following advice in [[systemd#Drop-in files]], [[edit]] {{ic|ntpd.service}} to define how ''systemd'' starts it.<br />
<br />
This will create a drop-in snippet that will be run instead of the default {{ic|ntpd.service}}. The {{ic|-4}} flag prevents IPv6 from being used by the ''ntp'' daemon. Put the following into the drop-in snippet:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/ntpd -4 -g -u ntp:ntp<br />
<br />
which first clears the previous {{ic|ExecStart}}, and then replaces it with one that includes the {{ic|-4}} flag.<br />
<br />
==== GnuPG ====<br />
<br />
Disable IPv6 in the ''dirmngr''<nowiki/>'s configuration file:<br />
<br />
{{hc|~/.gnupg/dirmngr.conf|<br />
disable-ipv6<br />
}}<br />
<br />
[[Restart]] the {{ic|dirmngr.service}} user unit afterwards.<br />
<br />
==== sshd ====<br />
<br />
Ensure ''sshd'' is using IPv4 by adding the following to {{ic|sshd_config}}:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
AddressFamily inet<br />
}}<br />
<br />
And restart the {{ic|sshd.service}}.<br />
<br />
==== systemd-timesyncd ====<br />
<br />
On occasion [[systemd-timesyncd]] will attempt to query an IPv6 timeserver even when IPv6 has been disabled. This can result in the system clock not being updated and the journal showing an error similar to:<br />
<br />
systemd-timesyncd[336]: Failed to set up connection socket: Address family not supported by protocol<br />
<br />
The [[unit status]] of {{ic|systemd-timesyncd}} will show an attempt to connect with an IPv6 address in its ''Status'' entry, similar to:<br />
<br />
Status: "Connecting to time server [2001:19f0:8001:afd:5400:1ff:fe9d:cba]:123 (2.pool.ntp.org)"<br />
<br />
Per {{Bug|59806}}, only the "2." ntp.org pools serve IPv6. So to prevent this remove {{ic|2.arch.pool.ntp.org}} and {{ic|2.pool.ntp.org}} from the NTP and FallbackNTP entries in {{ic|/etc/systemd/timesyncd.conf}} file.<br />
<br />
=== systemd-networkd ===<br />
<br />
''networkd'' supports disabling IPv6 on a per-interface basis. When a network unit's {{ic|[Network]}} section has either {{ic|1=LinkLocalAddressing=ipv4}} or {{ic|1=LinkLocalAddressing=no}}, networkd will not try to configure IPv6 on the matching interfaces.<br />
<br />
Note however that even when using the above option, ''networkd'' will still be expecting to receive router advertisements if IPv6 is not disabled globally. If IPv6 traffic is not being received by the interface (e.g. due to ''sysctl'' or ''ip6tables'' settings), it will remain in the configuring state and potentially cause timeouts for services waiting for the network to be fully configured. To avoid this, the {{ic|1=IPv6AcceptRA=no}} option should also be set in the {{ic|[Network]}} section.<br />
<br />
== Prefer IPv4 over IPv6 ==<br />
<br />
{{Accuracy|This disables the other default rules. [https://serverfault.com/a/93782/]|section=Factual accuracy - Prefer IPv4 over IPv6}}<br />
<br />
Uncomment the following line in {{ic|/etc/gai.conf}}:<br />
<br />
#<br />
# For sites which prefer IPv4 connections change the last line to<br />
#<br />
precedence ::ffff:0:0/96 100<br />
<br />
== See also ==<br />
<br />
* [https://docs.kernel.org/networking/ipv6.html IPv6] — kernel.org documentation<br />
* [https://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/ IPv6 temporary addresses] — a summary about temporary addresses and privacy extensions<br />
* [https://mirrors.deepspace6.net/howtos/Linux+IPv6-HOWTO.html#AEN520 IPv6 prefixes] — a summary of prefix types<br />
* [https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch11s02.html net.ipv6 options] — documentation of kernel parameters</div>
Op3

Fwupd (2018-08-26T08:43:06Z)
https://wiki.archlinux.org/index.php?title=Fwupd&diff=537792
<p>Op3: /* Secure Boot */ shim and custom keys</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Hardware]]<br />
[[ja:Fwupd]]<br />
{{Related articles start}}<br />
{{Related|Secure Boot}}<br />
{{Related|Unified Extensible Firmware Interface}}<br />
{{Related articles end}}<br />
'''fwupd''' is a simple daemon that allows updating the firmware of some devices, including the UEFI BIOS of several machines.<br />
<br />
Supported devices are listed [https://fwupd.org/lvfs/devicelist here] and [https://fwupd.org/vendorlist more are to come].<br />
<br />
== Installation ==<br />
<br />
[[Install]] {{Pkg|fwupd}}.<br />
<br />
See [[#Setup for UEFI BIOS upgrade]] if you intend to use it for that purpose.<br />
<br />
== Usage ==<br />
<br />
You can get available devices by running:<br />
$ fwupdmgr get-devices<br />
{{Note|Some returned devices might not be updatable through fwupd, ''e.g.'' Intel integrated graphics.}}<br />
To refresh metadata on available updates:<br />
$ fwupdmgr refresh<br />
To check which devices have updates:<br />
$ fwupdmgr get-updates<br />
To install updates:<br />
$ fwupdmgr update<br />
<br />
{{Note|Some updates might require root rights.}}<br />
<br />
== Setup for UEFI BIOS upgrade ==<br />
<br />
# Make sure you are booted in UEFI mode.<br />
# Verify [[Unified_Extensible_Firmware_Interface#Requirements_for_UEFI_variable_support|your EFI variables are accessible]].<br />
# Mount your [[EFI system partition]] (ESP) properly. {{ic|''esp''}} is used to denote the mountpoint in this article.<br />
<br />
=== Secure Boot ===<br />
<br />
Currently, fwupd relies on [[Secure_Boot#shim|shim]] to chainload the fwupd EFI binary on systems with [[Secure Boot]] enabled.<br />
For this to work, shim has to be installed correctly.<br />
<br />
==== Using your own keys ====<br />
<br />
{{Note|The following description is based on a future version of fwupd that is not yet released. See [https://github.com/hughsie/fwupd/issues/669].}}<br />
<br />
Alternatively, you have to manually sign the UEFI executable used to perform upgrades, which is located in {{ic|/usr/lib/fwupd/efi/fwupdx64.efi}}.<br />
The signed UEFI executable is expected in {{ic|/usr/lib/fwupd/efi/fwupdx64.efi.signed}}.<br />
Using {{Pkg|sbsigntools}}, this can be achieved by running:<br />
<br />
# sbsign --key <keyfile> --cert <certfile> /usr/lib/fwupd/efi/fwupdx64.efi<br />
<br />
To automatically sign this file when installed or upgraded, a [[pacman#Hooks|Pacman hook]] can be used:<br />
<br />
{{hc|head=/etc/pacman.d/hooks/sign-fwupd-secureboot.hook|output=<br />
[Trigger]<br />
Operation = Install<br />
Operation = Upgrade<br />
Type = File<br />
Target = usr/lib/fwupd/efi/fwupdx64.efi<br />
<br />
[Action]<br />
When = PostTransaction<br />
Exec = /usr/bin/sbsign --key <keyfile> --cert <certfile> /usr/lib/fwupd/efi/fwupdx64.efi<br />
Depends = sbsigntools<br />
}}<br />
<br />
Make sure to replace {{ic|<keyfile>}} and {{ic|<certfile>}} with the corresponding paths of your keys.<br />
<br />
Finally, you have to change the line containing {{ic|RequireShimForSecureBoot}} in {{ic|/etc/fwupd/uefi.conf}} to {{ic|1=RequireShimForSecureBoot=false}}.</div>
Op3