lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <F613EEFD-2332-4C75-A486-73CDF2BAADDE@oracle.com>
Date:	Thu, 26 Feb 2009 14:41:36 -0500
From:	Chuck Lever <chuck.lever@...cle.com>
To:	Brian Haley <brian.haley@...com>
Cc:	Jay Vosburgh <fubar@...ibm.com>,
	David Miller <davem@...emloft.net>, arvidjaar@...l.ru,
	vladislav.yasevich@...com, tytso@....edu, Valdis.Kletnieks@...edu,
	rjw@...k.pl, netdev@...r.kernel.org,
	bonding-devel@...ts.sourceforge.net, jamagallon@....com,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] bonding: move IPv6 support into a separate kernel module

On Feb 26, 2009, at Feb 26, 2009, 2:28 PM, Brian Haley wrote:
> Jay Vosburgh wrote:
>>>>> 	I've been fooling with the disable_ipv6 sysctl, and one issue is
>>>>> that, at least on the distro I'm testing on (SLES), it's not  
>>>>> picked up
>>>>> from /etc/sysctl.conf at boot time (presumably because ipv6  
>>>>> isn't loaded
>>>>> yet, although I haven't really checked).
>>>> Correct, that's the problem.
>>>>
>>>> We could create a blocker bitmap.  Two sysctls, "block_af" and
>>>> "unblock_af".  You write the AF_foo value for the protocol there  
>>>> and
>>>> it sets or clears the assosciated bit in the internal blocker  
>>>> bitmap.
>>>>
>>>> Things like sys_socket() et al. key off of this.
>>> I'm open to suggestions at this point in time, I just don't see  
>>> how this
>>> will solve the bonding problem since it still wouldn't load, right?
>> 	It would permit users to load ipv6 (thus allowing bonding to
>> load), but prevent ipv6 from actually doing anything.  (because
>> sys_socket, e.g., won't open an ipv6 socket if block_af includes  
>> ipv6).
>
> Right, but it doesn't help someone that changed /etc/modprobe.conf  
> to have "install ipv6 /bin/true" - they'll have to stop doing that.
>
> I think changing ipv6 to support a disable_ipv6 module parameter  
> like Vlad suggested would work, as long as we're not worried about  
> someone opening an AF_INET6 socket - even if they do they won't get  
> anywhere.

In this case, if IPV6ONLY is set on an AF_INET6 listener, it should  
still get AF_INET traffic, correct?

> That, along with the patch below to actually not add the addresses,  
> would work (sorry in advance for using an attachment).  I'll get  
> started on that...
>
> -Brian
>
>
> --
>
> The disable_ipv6 knob was meant to be used for the kernel to disable  
> IPv6 on an interface when DAD failed for the link-local address  
> based on the MAC, but we should also be able to administratively  
> disable it on an interface, or the entire system.  This patch fixes  
> the per-interface problem.
>
> Signed-off-by: Brian Haley <brian.haley@...com>
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index f8f76d6..90f2a81 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -603,6 +603,11 @@ ipv6_add_addr(struct inet6_dev *idev, const  
> struct in6_addr *addr, int pfxlen,
> 		goto out2;
> 	}
>
> +	if (idev->cnf.disable_ipv6) {
> +		err = -EPERM;
> +		goto out2;
> +	}
> +
> 	write_lock(&addrconf_hash_lock);
>
> 	/* Ignore adding duplicate addresses on an interface */

-- 
Chuck Lever
chuck[dot]lever[at]oracle[dot]com




--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ