search

citizenfx / fivem

The source code for the Cfx.re modification frameworks, such as FiveM, RedM and LibertyM, as well as FXServer.
https://cfx.re/
3.4k stars 1.99k forks source link

Server crashes on startup if ipv6 is disabled (linux) #2565

Open raidekoptix opened 1 month ago

raidekoptix commented 1 month ago

What happened?

Server fails to startup with error if kernel option ipv6.disable=1:

Could not bind on 0.0.0.0:30120 - is this address valid and not already in use?
[ citizen-server-impl] Error: Could not bind on 0.0.0.0:30120 - is this address valid and not already in use?

Expected result

Server runs and binds successfully to 0.0.0.0

Reproduction steps

  1. Set kernel to boot with IPv6 disabled (ipv6.disable=1)
  2. Attempt to start server.

Importancy

There's a workaround

Area(s)

FiveM, FXServer

Specific version(s)

Multiple. Tested on 8102 and 8216

Additional information

I'd really like to keep ipv6.disable on for security reasons. It looks like something in Enet barfs when IPv6 is disabled... I'm thinking somewhere around here:

https://github.com/citizenfx/fivem/blob/7a61eafd2ad6e553335c87a3a315f766db6a58b3/code/components/citizen-server-impl/src/GameServerNet.ENet.cpp#L31

Additional discord conversation is here:

https://discord.com/channels/192358910387159041/1213597178908512296

raidekoptix commented 1 month ago

Additionally, this happens no matter what the bind IP is set to in server.cfg ... Could be 0, could be 127.0.0.1, could be real public ip. This is reproducable on Ubuntu 22.04 and Ubuntu 24.04, I have not tested others but I believe the fellow in the Discord thread mentioned he's on Debian 11 (I do not know what his kernel options are)

FabianTerhorst commented 1 month ago

The reason is most likely that we always bind using the ipv6 address type: https://github.com/citizenfx/fivem/blob/7a61eafd2ad6e553335c87a3a315f766db6a58b3/code/components/citizen-server-impl/src/EnetUv.cpp#L186 but this is very common since this way makes it possible to support both address types without having to manually determinate it.

AvarianKnight commented 1 month ago

Out of curiosity, what is the use case for needing to disable ipv6 "for security reasons"?

raidekoptix commented 1 month ago

The reason is most likely that we always bind using the ipv6 address type

...and that makes sense, but if it fails to see ipv6 support, it should handle this more gracefully and default to the ipv4, no?

Out of curiosity, what is the use case for needing to disable ipv6 "for security reasons"?

Smaller attack surface... allows me to be lazy yet confident that no ipv6 traffic is happening. My provider is kinda loose with VLANs for general population servers and I'd just rather not some link-local shenanigans be a part of my life right now. Also a lot of applications try for v6 first as Fabian mentioned, and I'd rather force them to v4... simplest way to do that is disable the whole v6 stack at kernel level. Most applications handle this gracefully. "for security reasons" was just a (over)simplification of why i disable it globally.

SloPro commented 1 month ago

For what it's worth, works fine here (and has worked for years) with 

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1