From: Julien Cristau <jcristau@debian.org>
Date: Mon, 14 Oct 2019 17:52:12 +0000 (+0200)
Subject: Use a pre-up script to turn off accept_ra
X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-puppet.git;a=commitdiff_plain;h=0a7bc9ac5836678c0872f155522f357d5e39f8b2

Use a pre-up script to turn off accept_ra

Turns out the /all/ sysctl is a no-op.
---

diff --git a/modules/debian_org/files/ifupdown-pre-up-accept-ra b/modules/debian_org/files/ifupdown-pre-up-accept-ra
new file mode 100644
index 000000000..109489176
--- /dev/null
+++ b/modules/debian_org/files/ifupdown-pre-up-accept-ra
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+[ "$IFACE" != "lo" ] || exit 0
+[ "$IFACE" != "--all" ] || exit 0
+
+if [ -z "$IFACE" ]; then
+	echo "no interface specified" >&2
+	exit 1
+fi
+
+if [ ! -d /proc/sys/net/ipv6/conf/$IFACE ]; then
+	echo "specified interface does not exist in /proc/sys/net/ipv6/conf/" >&2
+	exit 1
+fi
+
+echo 0 > /procy/sys/net/ipv6/conf/$IFACE/accept_ra
diff --git a/modules/debian_org/manifests/init.pp b/modules/debian_org/manifests/init.pp
index be1fe7109..d45b12964 100644
--- a/modules/debian_org/manifests/init.pp
+++ b/modules/debian_org/manifests/init.pp
@@ -340,13 +340,15 @@ class debian_org {
 	}
 
 	# our ipv6 addresses and routes are statically configured.
+	file { '/etc/network/if-pre-up.d/no_accept_ra':
+		source => 'puppet://modules/debian_org/ifupdown-pre-up-accept-ra',
+		mode   => '0555',
+	}
 	base::sysctl { 'dsa-accept-ra-default':
-		key   => 'net.ipv6.conf.default.accept_ra',
-		value => 0,
+		ensure => absent,
 	}
 	base::sysctl { 'dsa-accept-ra-all':
-		key   => 'net.ipv6.conf.all.accept_ra',
-		value => 0,
+		ensure => absent,
 	}
 
 	# Disable kpartx udev rules