Date:	Fri, 20 Mar 2009 22:50:50 +0100 (CET)
From:	Kolbjørn Barmen <linux@...la.no>
To:	Brian Haley <brian.haley@...com>
cc:	Kolbjørn Barmen <linux@...la.no>,
	David Miller <davem@...emloft.net>, yoshfuji@...paulia.net,
	netdev@...r.kernel.org, yoshfuji@...ux-ipv6.org
Subject: Re: PROBLEM: IPv6 autoconf/accept_ra default values

On Fri, 20 Mar 2009, Brian Haley wrote:

> Kolbjørn Barmen wrote:
> > I personally really don't care what is default as long as I have a _very
> > easy_ way to turn it off, kernel module parameters and boot parameters -
> > great! If the rest of the world has decided they want to fight this
> > manually by default, fine by me :)
> 
> I'll work on the module parameters Yoshifuji mentioned, the "harder"
> version since to me it seems more useful.  Since it's of interest to you
> can you give me some input? 

Definitely! Thanks a lot for the effort! :)

> Are the two parameters he described for this going to be good enough for
> you?  I was thinking of also adding a "default" keyword to control
> net.ipv6.conf.default.*, for example:
> 
> 	disable_ipv6=all,default,eth0,eth1
> 	autoconf=all,default,eth2,eth3
> 
> This is because "default" is what's inherited by all the ethX values,
> "all" is the big hammer.

This is still unclear to me. I've been assuming that by changing
"default" all future devices will inherit the value, but leaving existing
devices as is. "all" I've assumed takes all existing interfaces, but
leaving default as is. Is this what you are saying?

> And also adding an "enable_ipv6" one:
> 
> 	enable_ipv6=lo,eth4,eth5
> 
> This would let you do:
> 
> 	disable_ipv6=default
> 	enable_ipv6=lo,eth0
> 
> Which saves you from listing many interfaces:
> 
> 	disable_ipv6=eth1,eth2,eth3,eth4....
> 
> Of course I could be over-thinking this and the simple solution could work just
> fine:
> 
> 	disable_ipv6=1
> 	autoconf=0
> 
> Then just let you put things in sysctl.conf to enable what you want.  I'll play
> with that first to see if it's enough.

I think this would be enough yes. Probably best to think about how one
would be able to set boot parameters so that a machine gets static address
and no autoconf, for example for NFS-root etc. This falls under same
"mission"?

> I'd rather get this right the first time...

Of course :)

> > How about the behaviour that I described:
> > 
> >     root:~# sysctl net.ipv6.conf.all.accept_ra 
> >     net.ipv6.conf.all.accept_ra = 1 
> >     root:~# sysctl -w net.ipv6.conf.all.accept_ra=0 
> >     net.ipv6.conf.all.accept_ra = 0 
> >     root:~# sysctl net.ipv6.conf.eth0.accept_ra 
> >     net.ipv6.conf.all.accept_ra = 1  
> > 
> > Is this intended behaviour or not? Bug or (mis)feature?
> 
> I *think* that's intended, at least it's one of the ways IPv6 differs from IPv4
> - setting "all" doesn't reset to individual nic settings.  But the code in
> ndisc_router_discovery() should probably check the "all" flag and drop the RA.
> The other "all" sysctl's should behave the same, so someone needs to take a
> deeper look.

OK, I have this weird feeling that this "worked" some years ago, but I
don't have any old systems to try out that theory on. I fail to see what
purpose "all" has, if it isn't setting the value of all interfaces.

Again, thank you very much for looking into this! :)

-- kolla
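
Added example, not part of the message above or of any kernel patch: since the thread reports that writing net.ipv6.conf.all.accept_ra=0 leaves eth0 at 1, this shell function lists every entry ("default" included) whose per-interface value still differs from the one you intended. The function name ra_audit and the CONF_ROOT override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report IPv6 conf entries whose value differs from the one
# the administrator intended, e.g. after "sysctl -w net.ipv6.conf.all.accept_ra=0".
#
# CONF_ROOT (assumption of this example) lets the check run against a copy of
# the tree; by default it reads the live procfs location.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv6/conf}"

# ra_audit KEY WANT
#   KEY  - sysctl leaf name, e.g. accept_ra or autoconf
#   WANT - value every entry is expected to hold, e.g. 0
# Prints "<entry> <key>=<value>" for each mismatch ("all", "default" and
# every interface directory are checked). Returns 0 if none, 1 otherwise.
ra_audit() {
    key="$1"
    want="$2"
    rc=0
    for dir in "$CONF_ROOT"/*/; do
        # Skip entries that do not expose this key or are unreadable.
        [ -r "${dir}${key}" ] || continue
        iface=$(basename "$dir")
        val=$(cat "${dir}${key}")
        if [ "$val" != "$want" ]; then
            printf '%s %s=%s\n' "$iface" "$key" "$val"
            rc=1
        fi
    done
    return $rc
}

# Typical use after changing "all":
#   ra_audit accept_ra 0 || echo "some interfaces still accept RAs"
#   ra_audit autoconf 0
```
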