
set system sysctl pre- vs postboot
Open, Normal | Public | FEATURE REQUEST

Description

It turns out that "set system sysctl" is run before interfaces are created, which means that some sysctls cannot be set properly without errors during boot.

A workaround is to set these through "/config/scripts/vyos-postconfig-bootup.script", but it would be nice if "set system sysctl" could be extended to run some of the commands after the boot has completed.

Suggestion:

Default (or if not mentioned) would be "mode preboot" but changing it to "mode postboot" would be handy:

set system sysctl parameter net.ipv6.neigh.eth3/2.base_reachable_time_ms value 14400000 mode postboot

Another suggestion would be to move when "set system sysctl" is run during boot, but that might break other things.

Ref: https://forum.vyos.io/t/how-to-set-net-ipv6-neigh-etha-b-base-reachable-time-in-vyos/14304/4

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared? Will be filled on close
Is it a breaking change? Behavior change
Issue type: Improvement (missing useful functionality)

Event Timeline

Could you provide the full set of commands to reproduce?

As I understand it, the priority of the sysctl should be after some feature/config.

I can only refer to what's unfolded on the forum at https://forum.vyos.io/t/how-to-set-net-ipv6-neigh-etha-b-base-reachable-time-in-vyos/14304

User wants to alter settings for ND timeout in IPv6 (similar to ARP timeout) to 4 hours by altering sysctl settings.

After a fresh and successful boot the user adds this to the VyOS config:

set system sysctl parameter net.ipv6.neigh.eth3/2.base_reachable_time_ms value 14400000

Based on output of:

sudo sysctl -a | grep -i base_reachable_time_ms

which outputs (after the config was committed and saved with no errors):

net.ipv6.neigh.eth3.base_reachable_time_ms = 14400000
net.ipv6.neigh.eth3/2.base_reachable_time_ms = 14400000
net.ipv6.neigh.eth3/3.base_reachable_time_ms = 14400000

But when VyOS is rebooted it will say:

There was a config error on boot

And the sysctl rows from the config have been removed by vyos-configd.

But when this sysctl config command is run after the boot has completed, there are no errors and the output of sysctl -a verifies that the sysctl command through config worked.

I interpret this as: when the sysctl commands from the config are run during boot, the interfaces are not yet properly set up, meaning there is no net.ipv6.neigh.eth3/2.base_reachable_time_ms to be set, hence the error.

Hence the suggested fix would be to either add a syntax to the sysctl command in config marking which sysctl commands should be run at the very last during boot (similar to doing this manually through /config/scripts/vyos-postconfig-bootup.script) OR move where in the pipeline the sysctl commands are executed by vyos-configd during boot.

As a comparison, if the commands are set manually through /etc/sysctl.conf, where in the boot process would they be executed, before or after vyos-configd has interpreted the config?

What do I need to do to get these values?

root@r1-right:/home/vyos# sysctl net.ipv6.neigh.eth3/2.base_reachable_time_ms
sysctl: cannot stat /proc/sys/net/ipv6/neigh/eth3.2/base_reachable_time_ms: No such file or directory

That's why I asked about a set of commands to reproduce.
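A post-boot workaround of the kind the task description mentions (/config/scripts/vyos-postconfig-bootup.script), added here as an example and not VyOS project code: it maps a sysctl key to its /proc path (the eth3/2 to eth3.2 swap visible in the "cannot stat" error above), waits for the VIF's neigh directory to exist, writes the value and reads it back. PROC_ROOT, the retry count and the key list are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of vyos-1x: apply interface-scoped sysctls after
# boot, once the (VIF) interface exists. Meant to be invoked from
# /config/scripts/vyos-postconfig-bootup.script as "script.sh apply".
# PROC_ROOT is an assumption so the functions can be exercised against a
# constructed directory tree instead of the live /proc/sys.

# sysctl(8) shows "eth3.2" as "eth3/2": dots and slashes swap roles, so
# net.ipv6.neigh.eth3/2.base_reachable_time_ms lives at
# /proc/sys/net/ipv6/neigh/eth3.2/base_reachable_time_ms.
sysctl_key_to_path() {
    printf '%s\n' "$1" | tr '/.' './'
}

# apply_sysctl KEY VALUE [TRIES]: wait up to TRIES seconds for the /proc
# file (the interface script creates it), then write and verify the value.
apply_sysctl() {
    key="$1"; value="$2"; tries="${3:-30}"
    path="${PROC_ROOT:-/proc/sys}/$(sysctl_key_to_path "$key")"
    while [ ! -w "$path" ] && [ "$tries" -gt 0 ]; do
        tries=$((tries - 1))
        sleep 1
    done
    if [ ! -w "$path" ]; then
        echo "apply_sysctl: $key: $path does not exist (interface not up?)" >&2
        return 1
    fi
    printf '%s\n' "$value" > "$path" || return 1
    # Read back: the kernel may silently clamp or reject a value.
    [ "$(cat "$path")" = "$value" ]
}

# Constructed list of the per-VIF keys that fail under "set system sysctl"
# at boot; every entry is attempted and the overall status is returned.
apply_all() {
    rc=0
    while read -r key value; do
        [ -n "$key" ] || continue
        apply_sysctl "$key" "$value" || rc=1
    done <<'EOF'
net.ipv6.neigh.eth3/2.base_reachable_time_ms 14400000
net.ipv6.neigh.eth3/3.base_reachable_time_ms 14400000
EOF
    return "$rc"
}

case "${1:-}" in
    apply) apply_all ;;
esac
```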

I have asked the OP @canoziia to provide such in the forum.

As I understand it, the user has set up 1 or more VIFs defined under the ETH3 interface.

Which in Linux will be handled as eth3, eth3/2 and eth3/3.

Most likely needs to change priority to 319 for the sysctl

vyos@r4:~$ /usr/libexec/vyos/priority.py | match "ethernet|sysctl"
       300  interfaces_virtual-ethernet.py      ['interfaces', 'virtual-ethernet']
       318  interfaces_ethernet.py              ['interfaces', 'ethernet']
       318  system_sysctl.py                    ['system', 'sysctl']
       321  interfaces_pseudo-ethernet.py       ['interfaces', 'pseudo-ethernet']
vyos@r4:~$
Viacheslav triaged this task as Normal priority. Tue, Apr 23, 9:21 AM

Tested in my lab and setting the priority to 319 worked across multiple reboots. I didn't test if anything else was impacted by the change however. firewall.py currently has a priority of 319, so if there's any sysctl setting that firewall.py could be dependent on, there could be conflicts.

Hi everyone, I think I found the simplest configuration that can reproduce this problem. If we set up the firewall and use this command (set system sysctl parameter net.ipv6.neigh.eth3/2) in the configuration at the same time, an error message will show at startup.
This is an example:

set firewall
set interfaces ethernet eth0 address 'xxx.xxx.184.32/24'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:50'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:ba'
set interfaces ethernet eth1 vif 2
set interfaces loopback lo
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.184.1
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/0'
set service ntp allow-client xxxxxx '::/0'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ssh
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system sysctl parameter net.ipv6.neigh.eth1/2.base_reachable_time_ms value '14400000'
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'

If we delete the first line (set firewall), the system will start normally without an error message.

This sysctl option is deprecated: https://man7.org/linux/man-pages/man8/sysctl.8.html

DEPRECATED PARAMETERS

       The base_reachable_time and retrans_time are deprecated.  The
       sysctl command does not allow changing values of these
       parameters.  Users who insist to use deprecated kernel interfaces
       should push values to /proc file system by other means.  For
       example:

       echo 256 > /proc/sys/net/ipv6/neigh/eth0/base_reachable_time

But the next man page says https://man7.org/linux/man-pages/man7/arp.7.html

base_reachable_time (since Linux 2.2)
       Once a neighbor has been found, the entry is considered to
       be valid for at least a random value between
       base_reachable_time/2 and 3*base_reachable_time/2.  An
       entry's validity will be extended if it receives positive
       feedback from higher level protocols.  Defaults to 30
       seconds.  This file is now obsolete in favor of
       base_reachable_time_ms.

I propose adding a new option under the interface:

set interfaces ethernet eth1 ip[v6] base-reachable-time xxx

However, we can't set ipv6 base-reachable-time in VyOS.

set interfaces ethernet eth1 ipv6 base-reachable-time 14400
  Configuration path: interfaces ethernet eth1 ipv6 [base-reachable-time] is not valid
  Set failed
vyos@core-mci-us:~$ show version
Version:          VyOS 1.5-rolling-202404220020
Release train:    current

Built by:         [email protected]
Built on:         Mon 22 Apr 2024 02:45 UTC
Build UUID:       35c71cfe-90b3-468b-9ac0-9ee2abc9021a
Build commit ID:  d9499a16a463aa

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    a64c30a1-d185-413c-ac56-6a5937ccaff1

Copyright:        VyOS maintainers and contributors

That's why I proposed to implement the NEW CLI option :)

PR https://github.com/vyos/vyos-1x/pull/3361

vyos@r4# set interfaces ethernet eth2 ipv6 base-reachable-time 28
[edit]
vyos@r4# commit
[edit]
vyos@r4# 
[edit]
vyos@r4# sudo sysctl net.ipv6.neigh.eth2.base_reachable_time_ms
net.ipv6.neigh.eth2.base_reachable_time_ms = 28000
[edit]
vyos@r4# 
vyos@r4# cat /proc/sys/net/ipv6/neigh/eth2/base_reachable_time_ms 
28000
[edit]
vyos@r4#

Will be available in the next rolling release.

Note that "base_reachable_time_ms" is still valid while "base_reachable_time" is obsolete.

However, this task is not just about changing IPv6 ND timeouts (even if PR3361 is a welcome addition); it's about the sysctl being run by VyOS-config colliding in order with when interfaces are being set, which means that sysctls based on interfaces might fail (as it is today).

So I would say that this task is still not fully resolved; https://github.com/vyos/vyos-1x/pull/3361 is only a partial fix.

@Apachez, there is no easy way to fix anything related to sysctl, until one component depends on another.
Especially, for example, if we have to deal with "dynamic" interfaces.
Globally, this task is still open and could contain subtasks.
Thanks!

I'm thinking, since sysctl can be changed after the system has completed its boot, shouldn't "system sysctl" be run among the last tasks according to "/usr/libexec/vyos/priority.py", which would also fix this issue?

We have sysctl changes in firewall/interfaces/conntrack and maybe in other sections; if the sysctl section is executed after all other sections, it will rewrite interface-related sysctl configs

vyos@r4# set interfaces ethernet eth1 ip 
Possible completions:
   adjust-mss           Adjust TCP MSS value
   arp-cache-timeout    ARP cache entry timeout in seconds (default: 30)
   disable-arp-filter   Disable ARP filter on this interface
   disable-forwarding   Disable IP forwarding on this interface
   enable-arp-accept    Enable ARP accept on this interface
   enable-arp-announce  Enable ARP announce on this interface
   enable-arp-ignore    Enable ARP ignore on this interface
   enable-directed-broadcast
                        Enable directed broadcast forwarding on this interface
   enable-proxy-arp     Enable proxy-arp on this interface
   proxy-arp-pvlan      Enable private VLAN proxy ARP on this interface
   source-validation    Source validation by reversed path (RFC3704)

Perhaps those changes should be within the firewall context?

Because those listed, affected by the interface context, could either be done through the interface context (after the interface has been created) or saved for a global "system sysctl" context (to be executed after the interface and firewall contexts)?