how do i convince Alpine Linux that it doesn't have IPv4 connectivity? when i run e.g. "ping bbc.co.uk", it picks the IPv4 address first, even though it doesn't have a default route.
i can't disable IPv4 because i need it for Wireguard.
i can't use /etc/gai.conf because musl libc doesn't support that.
this makes e.g. apk very slow because it waits for IPv4 to time out before it tries IPv6. i don't understand why it doesn't immediately get "no route to host" over IPv4...
any ideas?
workaround:
iptables -A OUTPUT -j REJECT
not ideal, but at least installing packages works now...
hyacinth:~# ip -4 route
23.155.224.0/24 dev eth0 proto kernel scope link src 23.155.224.95
176.126.243.164 via 23.155.224.1 dev eth0
hyacinth:~#
that /32 route is the Wireguard endpoint, no default route.
@lw Firstly, I want to apologize for missing the part in your original post where you already said there was no default route. I now see how strange the situation is.
It's perplexing as to what would be holding up the v4 connection. Is tcpdump or Wireshark available to examine the traffic? The primary DNS server is on v6?
@litchralee_v6 okay so, bizarrely, the packets are going over the Wireguard interface.
hyacinth# ping bbc.co.uk
PING bbc.co.uk (151.101.192.81): 56 data bytes
---
hyacinth:/etc# tcpdump -ni rose dst host 151.101.192.81
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on rose, link-type RAW (Raw IP), snapshot length 262144 bytes
13:35:52.189219 IP 23.155.224.95 > 151.101.192.81: ICMP echo request, id 8050, seq 57, length 64
13:35:53.189802 IP 23.155.224.95 > 151.101.192.81: ICMP echo request, id 8050, seq 58, length 64
13:35:54.189848 IP 23.155.224.95 > 151.101.192.81: ICMP echo request, id 8050, seq 59, length 64
but there's no route, so this shouldn't be happening. perhaps wg-quick is doing some "helpful magic" here?
(i usually use plain wg, but that seems to be a bit of a pain on Linux...)
@lw I think, but I'm not certain, this might be due to how WG attaches itself to the iptables/nftables chain, stealing packets before they get to the routing decision.
Perhaps "iptables -vL" will show something along those lines? It's been a while since I've dealt with iptables, and I now mostly prefer to do WG in a separate namespace so that my application containers don't have to be dual-stack.
@lw @litchralee_v6 check with "ip rule", there might be routing rules pointing where other routing tables?
Otherwise, for your initial question, I wonder how tricky it would be to run a small local DNS server that would filter out A records 🤔
@lucasmz "why is IPv4 being preferred?" is exactly what i'm asking :D
i do use ULAs internally, but that shouldn't affect "ping bbc.co.uk" since it has a GUA.
@lucasmz although, perhaps this is related to the host itself having a ULA, so it prefers the IPv4 address. but this doesn't seem to be configurable in musl :-/
on FreeBSD it just works, since it realises the host has no IPv4 connectivity.
@lw
Understood, but namespaces would IMO be much cleaner here: you would create a NS with IPv4 - so your main NS could stay IPv6 only.
But yes: its a tad more complex and not supported by wg-quick
some quirky girl
Anderson Silva
Litchralee_v6
Jérôme Petazzoni
lucasmz (en)
fcalva
adrian_blx
Ken Milmore