| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 Feb 2009 14:41:36 -0500
From: Chuck Lever <chuck.lever@...cle.com>
To: Brian Haley <brian.haley@...com>
Cc: Jay Vosburgh <fubar@...ibm.com>,
David Miller <davem@...emloft.net>, arvidjaar@...l.ru,
vladislav.yasevich@...com, tytso@....edu, Valdis.Kletnieks@...edu,
rjw@...k.pl, netdev@...r.kernel.org,
bonding-devel@...ts.sourceforge.net, jamagallon@....com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] bonding: move IPv6 support into a separate kernel module
On Feb 26, 2009, at Feb 26, 2009, 2:28 PM, Brian Haley wrote:
> Jay Vosburgh wrote:
>>>>> I've been fooling with the disable_ipv6 sysctl, and one issue is
>>>>> that, at least on the distro I'm testing on (SLES), it's not
>>>>> picked up
>>>>> from /etc/sysctl.conf at boot time (presumably because ipv6
>>>>> isn't loaded
>>>>> yet, although I haven't really checked).
>>>> Correct, that's the problem.
>>>>
>>>> We could create a blocker bitmap. Two sysctls, "block_af" and
>>>> "unblock_af". You write the AF_foo value for the protocol there
>>>> and
>>>> it sets or clears the assosciated bit in the internal blocker
>>>> bitmap.
>>>>
>>>> Things like sys_socket() et al. key off of this.
>>> I'm open to suggestions at this point in time, I just don't see
>>> how this
>>> will solve the bonding problem since it still wouldn't load, right?
>> It would permit users to load ipv6 (thus allowing bonding to
>> load), but prevent ipv6 from actually doing anything. (because
>> sys_socket, e.g., won't open an ipv6 socket if block_af includes
>> ipv6).
>
> Right, but it doesn't help someone that changed /etc/modprobe.conf
> to have "install ipv6 /bin/true" - they'll have to stop doing that.
>
> I think changing ipv6 to support a disable_ipv6 module parameter
> like Vlad suggested would work, as long as we're not worried about
> someone opening an AF_INET6 socket - even if they do they won't get
> anywhere.
In this case, if IPV6ONLY is set on an AF_INET6 listener, it should
still get AF_INET traffic, correct?
> That, along with the patch below to actually not add the addresses,
> would work (sorry in advance for using an attachment). I'll get
> started on that...
>
> -Brian
>
>
> --
>
> The disable_ipv6 knob was meant to be used for the kernel to disable
> IPv6 on an interface when DAD failed for the link-local address
> based on the MAC, but we should also be able to administratively
> disable it on an interface, or the entire system. This patch fixes
> the per-interface problem.
>
> Signed-off-by: Brian Haley <brian.haley@...com>
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index f8f76d6..90f2a81 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -603,6 +603,11 @@ ipv6_add_addr(struct inet6_dev *idev, const
> struct in6_addr *addr, int pfxlen,
> goto out2;
> }
>
> + if (idev->cnf.disable_ipv6) {
> + err = -EPERM;
> + goto out2;
> + }
> +
> write_lock(&addrconf_hash_lock);
>
> /* Ignore adding duplicate addresses on an interface */
--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists