From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
To: Alexander Holler <holler@ahsoftware.de>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: Disable IPv4-mapped - enforce IPV6_V6ONLY
Date: Mon, 25 Feb 2013 20:44:47 +0900
Message-ID: <512B4EAF.2050301@linux-ipv6.org>
In-Reply-To: <51292A2B.3000304@ahsoftware.de>

Hello.

Alexander Holler wrote:
> Am 22.02.2013 16:21, schrieb Alexander Holler:
>> Hello,
>>
>> I'm searching for a way to either enforce IPV6_V6ONLY or to block
>> IPv4-mapped addresses on ipv6-sockets (e.g. by using iptables) system-wide.
>>
>> E.g. net.ipv6.bindv6only doesn't help if something calls
>>
>> int v6on = 0;
>> setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, (char *)&v6on, sizeof(v6on))
>>
>> In such a case I still want to disable or block IPv4-mapped addresses on
>> that socket, even if the program thinks it knows it better.
>>
>> Until now I haven't found a solution.
> 
> I've now done it by the following hack:
> 
> -----------
> diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
> index d1e2e8e..9eefd3e 100644
> --- a/net/ipv6/ipv6_sockglue.c
> +++ b/net/ipv6/ipv6_sockglue.c
> @@ -235,7 +235,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
>                 if (optlen < sizeof(int) ||
>                     inet_sk(sk)->inet_num)
>                         goto e_inval;
> -               np->ipv6only = valbool;
> +               np->ipv6only = valbool || net->ipv6.sysctl.bindv6only;
>                 retv = 0;
>                 break;
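Review bot: the replacement line silently discards the caller's explicit IPV6_V6ONLY=0 while the block still falls through to `retv = 0;`, so a program that cleared the option believes it succeeded and only finds out later that IPv4-mapped peers never arrive. If enforcement is wanted, make the override visible (return -EPERM when the sysctl forbids the requested value instead of reaching `retv = 0;`) and leave CAP_NET_ADMIN callers a way through. The hunk also reuses `net`, which is not in the visible context; confirm it is the `struct net` already in scope in do_ipv6_setsockopt rather than an undeclared name. Finally, folding enforcement into net.ipv6.bindv6only turns a setting that has only been a default into a mandate for every existing user; the separate sysctl the mail proposes avoids that.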
> -----------
> 
> A proper solution would be to either return false if net.ipv6.bindv6only is true and optval is false (which would break downward compatibility because it wouldn't just be a default and setsockopt might return an error) or to introduce a new sysctl variable like net.ipv6.bindv6only_enforced_silently. ("silently" because setsockopt() wouldn't return an error if net.ipv6.bindv6only is true and optval (v6only in the example above) is false.)
> 
> I would volunteer to write a patch which introduces something like net.ipv6.bindv6only_enforced_silently if some maintainer would give me his ok.
> 
> If so, the question remains if
> 
> systemctl net.ipv6.bindv6only_enforced_silently = 1
> 
> should set systemctl.net.ipv6.bindv6only too or if an error should be returned if net.ipv6.bindv6only is false.

I am not convinced why you need this, and I am not in favor of
enforcing IPV6_V6ONLY, but... some points:

- We should allow system-admin to "enforce" IPV6_V6ONLY to 0 as well.
- CAP_NET_ADMIN users should always be able to use both modes
  (They can do sysctl anyway.)
- setsockopt should fail w/ EPERM if user tries to override.

--yoshfuji
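As an added example (not code from this thread or the kernel tree), the C program below demonstrates the behaviour the first message complains about: net.ipv6.bindv6only only seeds a new socket's IPV6_V6ONLY value, and an ordinary setsockopt() can still clear it. It doubles as a check an administrator can run to see whether the running kernel honours or refuses such an override; the function names are the example's own.

```c
/* Added example: probe whether IPV6_V6ONLY can be overridden per socket.
 * On a stock kernel the sysctl is only a default, so the override is
 * always accepted. Helper names (get_v6only, set_v6only, probe_v6only)
 * are this example's own, not kernel or libc names. */
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read IPV6_V6ONLY on fd; returns 0 or 1, or -1 on error. */
static int get_v6only(int fd)
{
    int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, &len) < 0)
        return -1;
    return val ? 1 : 0;
}

/* Request IPV6_V6ONLY = want and return what the kernel reports afterwards,
 * or -1 if setsockopt()/getsockopt() failed (e.g. an enforcing kernel
 * returning EPERM, as suggested in the reply above). */
static int set_v6only(int fd, int want)
{
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &want, sizeof(want)) < 0)
        return -1;
    return get_v6only(fd);
}

/* Create an IPv6 TCP socket, record its initial IPV6_V6ONLY (which mirrors
 * net.ipv6.bindv6only), then try to set it to `want`. Returns the effective
 * value after the request, or -1 if no IPv6 socket could be created or the
 * request was refused. */
static int probe_v6only(int want, int *initial)
{
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    int after;
    if (fd < 0)
        return -1;
    *initial = get_v6only(fd);
    after = set_v6only(fd, want);
    close(fd);
    return after;
}

int main(void)
{
    int initial = -1;
    int after = probe_v6only(0, &initial);
    if (after < 0) { perror("probe"); return 1; }
    printf("default IPV6_V6ONLY (net.ipv6.bindv6only): %d\n", initial);
    printf("after IPV6_V6ONLY=0 request: %d -> %s\n", after,
           after ? "kernel enforces v6only" : "override accepted");
    return 0;
}
```

If the second line prints "override accepted" even though net.ipv6.bindv6only is 1, the sysctl is acting as a default only, which is exactly the gap the thread discusses.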

Thread overview: 5+ messages
2013-02-22 15:21 Disable IPv4-mapped - enforce IPV6_V6ONLY Alexander Holler
2013-02-23 20:44 ` Alexander Holler
2013-02-25 11:44   ` YOSHIFUJI Hideaki [this message]
2013-02-25 13:23     ` David Laight
2013-02-25 14:47       ` Alexander Holler
