[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f73f7ab80902262325q2779f3f5y4870bc30a062971d@mail.gmail.com>
Date: Fri, 27 Feb 2009 02:25:54 -0500
From: Kyle Moffett <kyle@...fetthome.net>
To: Vlad Yasevich <vladislav.yasevich@...com>
Cc: Jay Vosburgh <fubar@...ibm.com>, Brian Haley <brian.haley@...com>,
David Miller <davem@...emloft.net>, arvidjaar@...l.ru,
chuck.lever@...cle.com, tytso@....edu, Valdis.Kletnieks@...edu,
rjw@...k.pl, netdev@...r.kernel.org,
bonding-devel@...ts.sourceforge.net, jamagallon@....com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] bonding: move IPv6 support into a separate kernel
module
On Thu, Feb 26, 2009 at 3:57 PM, Vlad Yasevich
<vladislav.yasevich@...com> wrote:
>
> Yes. The bitmask to disable certain family can be useful, but it's orthogonal
> the issue of IPv6 support. As you said, it can be used to disable
> any address family that user wishes. The slight issue with this might
> be, should the settings affect already create sockets?
>
> I guess it comes down how many levels of control to do we want to provide.
> Things that have been suggested so far:
> 1) Global on/off switch (i.e module parameter)
> 2) Per interface on/off switch (currently exists, but has bugs).
> 3) Socket on/off switch (i.e blocker bitmask)
>
> I think numbers 1 and 2 turn off the IPv6 protocol on the wire, while number
> 3 turns off the interface to the user. The two can be done independent.
I feel extremely nervous about people discussing disabling IPv6 going
forward. Current estimates are that the first RIRs will begin to
exhaust their address spaces (after IANA's address space is exhausted)
early in 2011. If you consider that any change probably won't be in a
released kernel until June or so, there would be all of 18 months left
until IPv6 is *required* to contact some hosts on the internet.
At this point in time, anyone looking at "disabling" IPv6 should be
doing so with standard firewall rules *exactly* the same way that they
would disable IPv4 traffic; adding rules using ip6tables or ebtables
is easy.
You could simply drop all IPv6 ethernet frames:
ebtables -P INPUT ACCEPT
ebtables -A INPUT -p IPv6 -j DROP
ebtables -P FORWARD ACCEPT
ebtables -A FORWARD -p IPv6 -j DROP
ebtables -P OUTPUT ACCEPT
ebtables -A OUTPUT -p IPv6 -j DROP
Alternatively for a per-interface switch you could "ebtables -A INPUT
-i eth4 -p IPv6 -j DROP", etc...
You could also do this instead (this includes IPv6 tunnels and whatnot):
ip6tables -t raw -P INPUT DROP
ip6tables -t raw -P OUTPUT DROP
This allows programs which have been written to use AF_INET6 even for
IPv4 sockets to continue to function appropriately (and there are at
least a few).
Cheers,
Kyle Moffett
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists