| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20090217.212919.259912220.davem@davemloft.net> Date: Tue, 17 Feb 2009 21:29:19 -0800 (PST) From: David Miller <davem@...emloft.net> To: Valdis.Kletnieks@...edu Cc: arvidjaar@...l.ru, rjw@...k.pl, netdev@...r.kernel.org, bonding-devel@...ts.sourceforge.net, jamagallon@....com, linux-kernel@...r.kernel.org Subject: Re: 2.6.29 regression? Bonding tied to IPV6 in 29-rc5 From: Valdis.Kletnieks@...edu Date: Tue, 17 Feb 2009 23:41:16 -0500 > What does a poor corporate user do if they're running a distro kernel that > was built with CONFIG_IPV6, but local security policy says "Disable IPv6 > because we don't do it yet, or because it breaks mission-critical software > package XYZ?" There's a *lot* of people who implement that by the "block > the ipv6 module from loading" trick. And building a kernel that doesn't > include IPv6 may not be feasible due to vendor certification issues... > > Heck, *I*'m almost in that boat - probably need to use bonded ethernet on some > servers because we can't get 10GigE, but the software used in the project the > servers were bought for blows chunks if it gets a whiff of an IPv6 address. > Ended up spending 3 weeks doing a massive kludgery of one sort in DNS for the > rest of the world, and equally massive lying in /etc/hosts for the hosts... > (Don't ask - it was long and ugly, and just disabling the module would have > saved me about 2.95 weeks of work, so I know where those people are coming > from...) Well, first of all, if you keep trying to push the box into the round hole you get what you ask for :-) Next, if it's just an issue of IPV6 traffic, install a packet scheduler rule that rejects all packets with ethernet proto ETH_P_IPV6 If openning up ipv6 sockets is problematic, that can be blocked using the security layer, which your super-duper distro kernel is guarenteed to have enabled. :-) I'm sure there is someone who has legacy problems with ipv4 and that can't be disabled, and somehow people cope. Amazing. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists