From: Alexander Holler <holler@ahsoftware.de>
To: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Subject: Re: Disable IPv4-mapped - enforce IPV6_V6ONLY
Date: Sat, 23 Feb 2013 21:44:27 +0100
Message-ID: <51292A2B.3000304@ahsoftware.de>
In-Reply-To: <51278CF6.2060402@ahsoftware.de>
On 22.02.2013 16:21, Alexander Holler wrote:
> Hello,
>
> I'm searching for a way to either enforce IPV6_V6ONLY or to block
> IPv4-mapped addresses on ipv6-sockets (e.g. by using iptables) system-wide.
>
> E.g. net.ipv6.bindv6only doesn't help if something calls
>
> int v6on = 0;
> setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, (char *)&v6on, sizeof(v6on));
>
> In such a case I still want to disable or block IPv4-mapped addresses on
> that socket, even if the program thinks it knows it better.
>
> Until now I haven't found a solution.
I've now done it by the following hack:
-----------
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index d1e2e8e..9eefd3e 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -235,7 +235,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int
level, int optname,
if (optlen < sizeof(int) ||
inet_sk(sk)->inet_num)
goto e_inval;
- np->ipv6only = valbool;
+ np->ipv6only = valbool || net->ipv6.sysctl.bindv6only;
retv = 0;
break;
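Review bot: the `+` line makes the override silent, which is the hard-to-diagnose part: a caller passing optval 0 while the sysctl is set still gets retv = 0, yet the socket keeps ipv6only = 1, and only a later getsockopt(IPV6_V6ONLY) or a failed IPv4-mapped bind/connect reveals it. If this is kept as a local hack, at least emit a ratelimited kernel message there so administrators can see which process had its request overridden; the message text already discusses the alternative of returning an error instead. Also, `net` in the `+` line is not declared in the visible context, so confirm it is the socket's own namespace (`sock_net(sk)`) rather than init_net, otherwise a per-namespace sysctl would be ignored.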
-----------
A proper solution would be to either return false if net.ipv6.bindv6only
is true and optval is false (which would break downward compatibility
because it wouldn't just be a default and setsockopt might return an
error) or to introduce a new sysctl variable like
net.ipv6.bindv6only_enforced_silently. ("silently" because setsockopt()
wouldn't return an error if net.ipv6.bindv6only is true and optval
(v6only in the example above) is false.)
I would volunteer to write a patch which introduces something like
net.ipv6.bindv6only_enforced_silently if some maintainer would give me
his ok.
If so, the question remains if
systemctl net.ipv6.bindv6only_enforced_silently = 1
should set systemctl.net.ipv6.bindv6only too or if an error should be
returned if net.ipv6.bindv6only is false.
Regards,
Alexander
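To see on a given host what this thread is about, the following added program (my own example, not part of the message above or of the kernel patch) binds an AF_INET6 listener on [::] and connects to it from a plain AF_INET socket over 127.0.0.1. With IPV6_V6ONLY = 0 the IPv4 client is accepted and its peer address shows up as the IPv4-mapped ::ffff:127.0.0.1; with IPV6_V6ONLY = 1 the same connection is refused. The `request_v6only()` helper also shows how an application or a test can detect the "silent enforcement" the message proposes: it asks for a value and then reads back what the kernel actually reports. It assumes a Linux-like host with a working loopback interface; all function names are mine.

```c
/* Added example: probing IPV6_V6ONLY and IPv4-mapped peers on this host.
 * Not part of the original message or of the kernel patch. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Effective IPV6_V6ONLY value as the kernel reports it (0/1), or -1 on error. */
int effective_v6only(int sd)
{
    int val = -1;
    socklen_t len = sizeof(val);
    if (getsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, &val, &len) < 0)
        return -1;
    return val ? 1 : 0;
}

/* Ask for IPV6_V6ONLY = want and return what the kernel reports afterwards.
 * A stock kernel hands want back; under the silent enforcement discussed in
 * the thread, want = 0 would succeed (no error) yet still read back as 1. */
int request_v6only(int sd, int want)
{
    if (setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, &want, sizeof(want)) < 0)
        return -1;
    return effective_v6only(sd);
}

/* Convenience wrapper on a fresh socket: want < 0 reads the default that
 * net.ipv6.bindv6only gave the socket, otherwise it requests want. */
int probe_requested_v6only(int want)
{
    int sd = socket(AF_INET6, SOCK_STREAM, 0);
    if (sd < 0)
        return -1;
    int r = (want < 0) ? effective_v6only(sd) : request_v6only(sd, want);
    close(sd);
    return r;
}

/* Bind an AF_INET6 listener on [::]:0 with the requested v6only setting, then
 * connect from an AF_INET socket via 127.0.0.1.  Returns 1 if the IPv4 client
 * was accepted (peer is IPv4-mapped), 0 if it was refused, -1 on setup error. */
int ipv4_client_reaches_v6_listener(int v6only)
{
    int result = -1, lsd = -1, csd = -1, asd = -1;
    struct sockaddr_in6 la, peer;
    struct sockaddr_in ca;
    socklen_t lalen = sizeof(la), plen = sizeof(peer);
    char buf[INET6_ADDRSTRLEN];

    lsd = socket(AF_INET6, SOCK_STREAM, 0);
    if (lsd < 0)
        return -1;
    if (request_v6only(lsd, v6only) < 0)
        goto out;

    memset(&la, 0, sizeof(la));
    la.sin6_family = AF_INET6;
    la.sin6_addr = in6addr_any;   /* :: so that IPv4-mapped peers are possible */
    la.sin6_port = 0;             /* let the kernel pick a free port */
    if (bind(lsd, (struct sockaddr *)&la, sizeof(la)) < 0 ||
        getsockname(lsd, (struct sockaddr *)&la, &lalen) < 0 ||
        listen(lsd, 1) < 0)
        goto out;

    csd = socket(AF_INET, SOCK_STREAM, 0);
    if (csd < 0)
        goto out;
    memset(&ca, 0, sizeof(ca));
    ca.sin_family = AF_INET;
    ca.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    ca.sin_port = la.sin6_port;   /* same port, reached over IPv4 */
    if (connect(csd, (struct sockaddr *)&ca, sizeof(ca)) < 0) {
        result = (errno == ECONNREFUSED) ? 0 : -1;
        goto out;
    }

    asd = accept(lsd, (struct sockaddr *)&peer, &plen);
    if (asd < 0)
        goto out;
    inet_ntop(AF_INET6, &peer.sin6_addr, buf, sizeof(buf));
    printf("v6only=%d: accepted IPv4 client as %s (v4-mapped: %s)\n", v6only,
           buf, IN6_IS_ADDR_V4MAPPED(&peer.sin6_addr) ? "yes" : "no");
    result = IN6_IS_ADDR_V4MAPPED(&peer.sin6_addr) ? 1 : 0;
out:
    if (asd >= 0) close(asd);
    if (csd >= 0) close(csd);
    close(lsd);
    return result;
}

int main(void)
{
    printf("default IPV6_V6ONLY (from net.ipv6.bindv6only): %d\n", probe_requested_v6only(-1));
    printf("after requesting 0, kernel reports: %d\n", probe_requested_v6only(0));
    printf("IPv4 client vs dual-stack listener: %d\n", ipv4_client_reaches_v6_listener(0));
    printf("IPv4 client vs v6only listener:     %d\n", ipv4_client_reaches_v6_listener(1));
    return 0;
}
```

On an unmodified kernel with net.ipv6.bindv6only = 1 the second line prints 0, because the sysctl is only a default that setsockopt() can undo; with the hack from the patch above it would print 1 while setsockopt() still reported success, which is exactly the mismatch a monitoring or hardening check has to look for.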
Thread overview: 5+ messages
2013-02-22 15:21 Disable IPv4-mapped - enforce IPV6_V6ONLY Alexander Holler
2013-02-23 20:44 ` Alexander Holler [this message]
2013-02-25 11:44 ` YOSHIFUJI Hideaki
2013-02-25 13:23 ` David Laight
2013-02-25 14:47 ` Alexander Holler