lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 26 Feb 2009 14:28:45 -0500
From:	Brian Haley <brian.haley@...com>
To:	Jay Vosburgh <fubar@...ibm.com>
CC:	David Miller <davem@...emloft.net>, arvidjaar@...l.ru,
	vladislav.yasevich@...com, chuck.lever@...cle.com, tytso@....edu,
	Valdis.Kletnieks@...edu, rjw@...k.pl, netdev@...r.kernel.org,
	bonding-devel@...ts.sourceforge.net, jamagallon@....com,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] bonding: move IPv6 support into a separate kernel
 module

Jay Vosburgh wrote:
>>>> 	I've been fooling with the disable_ipv6 sysctl, and one issue is
>>>> that, at least on the distro I'm testing on (SLES), it's not picked up
>>>> from /etc/sysctl.conf at boot time (presumably because ipv6 isn't loaded
>>>> yet, although I haven't really checked).
>>> Correct, that's the problem.
>>>
>>> We could create a blocker bitmap.  Two sysctls, "block_af" and
>>> "unblock_af".  You write the AF_foo value for the protocol there and
>>> it sets or clears the assosciated bit in the internal blocker bitmap.
>>>
>>> Things like sys_socket() et al. key off of this.
>> I'm open to suggestions at this point in time, I just don't see how this
>> will solve the bonding problem since it still wouldn't load, right?
> 
> 	It would permit users to load ipv6 (thus allowing bonding to
> load), but prevent ipv6 from actually doing anything.  (because
> sys_socket, e.g., won't open an ipv6 socket if block_af includes ipv6).

Right, but it doesn't help someone that changed /etc/modprobe.conf to have 
"install ipv6 /bin/true" - they'll have to stop doing that.

I think changing ipv6 to support a disable_ipv6 module parameter like Vlad 
suggested would work, as long as we're not worried about someone opening an 
AF_INET6 socket - even if they do they won't get anywhere.  That, along with the 
patch below to actually not add the addresses, would work (sorry in advance for 
using an attachment).  I'll get started on that...

-Brian


--

The disable_ipv6 knob was meant to be used for the kernel to disable IPv6 on an 
interface when DAD failed for the link-local address based on the MAC, but we 
should also be able to administratively disable it on an interface, or the 
entire system.  This patch fixes the per-interface problem.

Signed-off-by: Brian Haley <brian.haley@...com>

View attachment "noipv6.patch" of type "text/x-diff" (422 bytes)

Powered by blists - more mailing lists