* disabling ipv6 (when ipv6 module is already loaded or built in)
From: Arkadiusz Miskiewicz @ 2011-03-25 17:17 UTC (permalink / raw)
  To: netdev


Hi,

There are two options for disabling some ipv6 functionality in ipv6 module - 
disable and disable_ipv6. The second option is also available as sysctl and 
can be switched runtime.

First is nicer because it also prevents apps from creating sockets by using 
socket(AF_INET6, ...). Various apps use AF_INET6 socket creation to determine 
if ipv6 is supported on the system. Unfortunately "disable" one doesn't exist 
as sysctl and this is a problem.

Is it possible to make "disable" sysctl option, too? Currently there is no 
runtime way to disable ipv6 (or I'm unaware of such way).

Thanks,
-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/


* Re: disabling ipv6 (when ipv6 module is already loaded or built in)
From: Brian Haley @ 2011-03-25 20:22 UTC (permalink / raw)
  To: Arkadiusz Miskiewicz; +Cc: netdev

On 03/25/2011 01:17 PM, Arkadiusz Miskiewicz wrote:
> 
> Hi,
> 
> There are two options for disabling some ipv6 functionality in ipv6 module - 
> disable and disable_ipv6. The second option is also available as sysctl and 
> can be switched runtime.
> 
> First is nicer because it also prevents apps from creating sockets by using 
> socket(AF_INET6, ...). Various apps use AF_INET6 socket creation to determine 
> if ipv6 is supported on the system. Unfortunately "disable" one doesn't exist 
> as sysctl and this is a problem.
> 
> Is it possible to make "disable" sysctl option, too? Currently there is no 
> runtime way to disable ipv6 (or I'm unaware of such way).

Not really, the module parameter causes IPv6 to be loaded just enough to
allow other modules that rely on it to load, but it never registers
any of the protocol handlers, sysctls, tables, etc. to make it usable.
And the IPv6 module isn't unloadable, so you have to reboot to change
this setting.

When there are no addresses it's not very usable since you can't send
out packets...

-Brian


* Re: disabling ipv6 (when ipv6 module is already loaded or built in)
From: Arkadiusz Miskiewicz @ 2011-03-25 22:53 UTC (permalink / raw)
  To: Brian Haley; +Cc: netdev

On Friday 25 of March 2011, Brian Haley wrote:
> On 03/25/2011 01:17 PM, Arkadiusz Miskiewicz wrote:
> > Hi,
> > 
> > There are two options for disabling some ipv6 functionality in ipv6
> > module - disable and disable_ipv6. The second option is also available
> > as sysctl and can be switched runtime.
> > 
> > First is nicer because it also prevents apps from creating sockets by
> > using socket(AF_INET6, ...). Various apps use AF_INET6 socket creation
> > to determine if ipv6 is supported on the system. Unfortunately "disable"
> > one doesn't exist as sysctl and this is a problem.
> > 
> > Is it possible to make "disable" sysctl option, too? Currently there is
> > no runtime way to disable ipv6 (or I'm unaware of such way).
> 
> Not really, the module parameter causes IPv6 to be loaded just enough to
> allow other modules that rely on it to load, but it never registers
> any of the protocol handlers, sysctls, tables, etc. to make it usable.
> And the IPv6 module isn't unloadable, so you have to reboot to change
> this setting.
> 
> When there are no addresses it's not very usable since you can't send
> out packets...

The whole problem is that socket(AF_INET6,...) is allowed. If setting 
net.ipv6.conf.all.disable_ipv6=1 would also prevent such socket() from 
succeeding then everything would be fine.

> -Brian

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/


* Re: disabling ipv6 (when ipv6 module is already loaded or built in)
From: David Miller @ 2011-03-25 22:56 UTC (permalink / raw)
  To: a.miskiewicz; +Cc: brian.haley, netdev

From: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
Date: Fri, 25 Mar 2011 23:53:06 +0100

> The whole problem is that socket(AF_INET6,...) is allowed. If setting 
> net.ipv6.conf.all.disable_ipv6=1 would also prevent such socket() from 
> succeeding then everything would be fine.

You have to make this setting before the module loads, once we register
the protocol handlers (which is what allows socket() to succeed) the
cat is out of the bag.

If even just one socket exists, we can't perform the steps necessary
to block new ones.

That's why you have to use the module option, and it is the only way
to block this class of operations.

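An added example, not part of the thread or of the kernel source: a small C audit that reports which of the states discussed above a host is in, by trying the same socket(AF_INET6, ...) probe applications use and reading the disable_ipv6 sysctl. The paths /proc/sys/net/ipv6/conf/all/disable_ipv6 and /sys/module/ipv6/parameters/disable are assumed locations for the sysctl and the module option; the function and enum names are hypothetical.

```c
/* Added example: audit which IPv6 "disabled" state a Linux host is in. */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>

enum ipv6_state { IPV6_ENABLED, IPV6_SYSCTL_ONLY, IPV6_BLOCKED };

/* Read one integer from a procfs/sysfs file; -1 if absent or unreadable. */
static int read_int(const char *path)
{
    int v = -1;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* The probe applications use: 1 if socket(AF_INET6, ...) succeeds. */
static int probe_inet6_socket(void)
{
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Pure decision logic, so it can be checked without a live kernel. */
static enum ipv6_state classify(int socket_ok, int sysctl_disable_ipv6)
{
    if (!socket_ok)
        return IPV6_BLOCKED;      /* no AF_INET6 sockets can be created */
    if (sysctl_disable_ipv6 == 1)
        return IPV6_SYSCTL_ONLY;  /* sysctl set, but socket() still succeeds */
    return IPV6_ENABLED;
}

int main(void)
{
    static const char *const names[] = { "enabled", "sysctl-only", "blocked" };
    int sysctl = read_int("/proc/sys/net/ipv6/conf/all/disable_ipv6");
    int modparam = read_int("/sys/module/ipv6/parameters/disable"); /* assumed path */
    printf("module disable=%d sysctl disable_ipv6=%d state=%s\n",
           modparam, sysctl, names[classify(probe_inet6_socket(), sysctl)]);
    return 0;
}
```

A "sysctl-only" result on a host that is meant to have IPv6 off means the setting has to move to the module option and take effect at the next boot.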

* Re: disabling ipv6 (when ipv6 module is already loaded or built in)
From: Arkadiusz Miskiewicz @ 2011-03-27 21:19 UTC (permalink / raw)
  To: David Miller; +Cc: brian.haley, netdev

On Friday 25 of March 2011, David Miller wrote:
> From: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
> Date: Fri, 25 Mar 2011 23:53:06 +0100
> 
> > The whole problem is that socket(AF_INET6,...) is allowed. If setting
> > net.ipv6.conf.all.disable_ipv6=1 would also prevent such socket() from
> > succeeding then everything would be fine.
> 
> You have to make this setting before the module loads, once we register
> the protocol handlers (which is what allows socket() to succeed) the
> cat is out of the bag.
> 
> If even just one socket exists, we can't perform the steps necessary
> to block new ones.
> 
> That's why you have to use the module option, and it is the only way
> to block this class of operations.

Hm, maybe then it could be done in a way where ipv6 is initially built in but 
disabled and could be permanently enabled via sysfs/proc/something based on a 
userspace (or user/admin) decision runtime? That would be analogous to 
"modprobe ipv6" in kernel with modular ipv6.

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/


* Re: disabling ipv6 (when ipv6 module is already loaded or built in)
From: David Miller @ 2011-03-27 21:24 UTC (permalink / raw)
  To: a.miskiewicz; +Cc: brian.haley, netdev

From: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
Date: Sun, 27 Mar 2011 23:19:15 +0200

> Hm, maybe then it could be done in a way where ipv6 is initially built in but 
> disabled and could be permanently enabled via sysfs/proc/something based on a 
> userspace (or user/admin) decision runtime? That would be analogous to 
> "modprobe ipv6" in kernel with modular ipv6.

Sorry, no.

We believe the current facilities handle all reasonable uses of the
feature.
