lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 26 Feb 2009 15:10:45 -0500
From:	Vlad Yasevich <vladislav.yasevich@...com>
To:	Brian Haley <brian.haley@...com>
CC:	Jay Vosburgh <fubar@...ibm.com>,
	David Miller <davem@...emloft.net>, arvidjaar@...l.ru,
	chuck.lever@...cle.com, tytso@....edu, Valdis.Kletnieks@...edu,
	rjw@...k.pl, netdev@...r.kernel.org,
	bonding-devel@...ts.sourceforge.net, jamagallon@....com,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] bonding: move IPv6 support into a separate kernel
 module

Brian Haley wrote:
> Jay Vosburgh wrote:
>>>>>     I've been fooling with the disable_ipv6 sysctl, and one issue is
>>>>> that, at least on the distro I'm testing on (SLES), it's not picked up
>>>>> from /etc/sysctl.conf at boot time (presumably because ipv6 isn't
>>>>> loaded
>>>>> yet, although I haven't really checked).
>>>> Correct, that's the problem.
>>>>
>>>> We could create a blocker bitmap.  Two sysctls, "block_af" and
>>>> "unblock_af".  You write the AF_foo value for the protocol there and
>>>> it sets or clears the assosciated bit in the internal blocker bitmap.
>>>>
>>>> Things like sys_socket() et al. key off of this.
>>> I'm open to suggestions at this point in time, I just don't see how this
>>> will solve the bonding problem since it still wouldn't load, right?
>>
>>     It would permit users to load ipv6 (thus allowing bonding to
>> load), but prevent ipv6 from actually doing anything.  (because
>> sys_socket, e.g., won't open an ipv6 socket if block_af includes ipv6).
> 
> Right, but it doesn't help someone that changed /etc/modprobe.conf to
> have "install ipv6 /bin/true" - they'll have to stop doing that.
> 
> I think changing ipv6 to support a disable_ipv6 module parameter like
> Vlad suggested would work, as long as we're not worried about someone
> opening an AF_INET6 socket - even if they do they won't get anywhere. 
> That, along with the patch below to actually not add the addresses,
> would work (sorry in advance for using an attachment).  I'll get started
> on that...
> 
> -Brian
> 
> 
> -- 
> 
> The disable_ipv6 knob was meant to be used for the kernel to disable
> IPv6 on an interface when DAD failed for the link-local address based on
> the MAC, but we should also be able to administratively disable it on an
> interface, or the entire system.  This patch fixes the per-interface
> problem.
> 
> Signed-off-by: Brian Haley <brian.haley@...com>
> 
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index f8f76d6..90f2a81 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -603,6 +603,11 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr, int pfxlen,
>  		goto out2;
>  	}
>  
> +	if (idev->cnf.disable_ipv6) {
> +		err = -EPERM;
> +		goto out2;
> +	}
> +
>  	write_lock(&addrconf_hash_lock);
>  

Don't forget net->ipv6.devconf_all->disable_ipv6.

-vlad

>  	/* Ignore adding duplicate addresses on an interface */
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ