Message ID | 51292A2B.3000304@ahsoftware.de |
---|---|
State | RFC, archived |
Delegated to: | David Miller |
Headers | show |
Hello. Alexander Holler wrote: > Am 22.02.2013 16:21, schrieb Alexander Holler: >> Hello, >> >> I'm searching for a way to either enforce IPV6_V6ONLY or to block >> IPv4-mapped addresses on ipv6-sockets (e.g. by using iptables) system-wide. >> >> E.g. net.ipv6.bindv6only doesn't help if something calls >> >> int v6on = 0; >> setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, (char *)&v6on, sizeof(v6on)) >> >> In such a case I still want to disable or block IPv4-mapped addresses on >> that socket, even if the program thinks it nows it better. >> >> Until now I haven't found a solution. > > I've now done it by the following hack: > > ----------- > diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c > index d1e2e8e..9eefd3e 100644 > --- a/net/ipv6/ipv6_sockglue.c > +++ b/net/ipv6/ipv6_sockglue.c > @@ -235,7 +235,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, > if (optlen < sizeof(int) || > inet_sk(sk)->inet_num) > goto e_inval; > - np->ipv6only = valbool; > + np->ipv6only = valbool || net->ipv6.sysctl.bindv6only; > retv = 0; > break; > ----------- > > A proper solution would be to either return false if net.ipv6.bindv6only is true and optval is false (which would break downward compatibility because it wouldn't just be a default and setsockopt might return an error) or to introduce a new sysctl variable like net.ipv6.bindv6only_enforced_silently. ("silently" because setsockopt() wouldn't return an error if net.ipv6.bindv6only is true and optval (v6only in the example above) is false.) > > I would volunteer to write a patch which introduces something like net.ipv6.bindv6only_enforced_silently if some maintainer would give me his ok. > > If so, the question remains if > > systemctl net.ipv6.bindv6only_enforced_silently = 1 > > should set systemctl.net.ipv6.bindv6only too or if an error should be returned if net.ipv6.bindv6only is false. I am not convinced why you need this, and I am not in favor of enfocing IPV6_V6ONLY, but... some points: - We should allow system-admin to "enforce" IPV6_V6ONLY to 0 as well. - CAP_NET_ADMIN users should always be able to use both modes (They can do sysctl anyway.) - setsockopt should fail w/ EPERM if user tries to override. --yoshfuji -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
> > A proper solution would be to either return false if net.ipv6.bindv6only is true and optval is false > (which would break downward compatibility because it wouldn't just be a default and setsockopt might > return an error) or to introduce a new sysctl variable like net.ipv6.bindv6only_enforced_silently. > ("silently" because setsockopt() wouldn't return an error if net.ipv6.bindv6only is true and optval > (v6only in the example above) is false.) > > > > I would volunteer to write a patch which introduces something like > net.ipv6.bindv6only_enforced_silently if some maintainer would give me his ok. > > > > If so, the question remains if > > > > systemctl net.ipv6.bindv6only_enforced_silently = 1 > > > > should set systemctl.net.ipv6.bindv6only too or if an error should be returned if > net.ipv6.bindv6only is false. > > I am not convinced why you need this, and I am not in favor of > enfocing IPV6_V6ONLY, but... some points: > > - We should allow system-admin to "enforce" IPV6_V6ONLY to 0 as well. > - CAP_NET_ADMIN users should always be able to use both modes > (They can do sysctl anyway.) > - setsockopt should fail w/ EPERM if user tries to override. I can imagine that some programs will always try to clear IPV6_V6ONLY (maybe for portability with other OS which default to setting it for security reasons) and will error-exit if it fails. So non-silent enforcing could be a PITA. OTOH there might be programs/systems where silent failure is wrong. You really don't want to (globally) stop an application setting IPV6_V6ONLY, such a program may well be creating separate IPv4 and IPv6 sockets. Some of this needs to be part of some application wide 'security' framework - that probably doesn't exist! Should there also be similar controls for the use of IPv4 mapped addresses in actual on-the-wire IPv6 packets - eg those destined for a remote gateway on an IPv6 only system? David -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Am 25.02.2013 14:23, schrieb David Laight: >>> A proper solution would be to either return false if net.ipv6.bindv6only is true and optval is false >> (which would break downward compatibility because it wouldn't just be a default and setsockopt might >> return an error) or to introduce a new sysctl variable like net.ipv6.bindv6only_enforced_silently. >> ("silently" because setsockopt() wouldn't return an error if net.ipv6.bindv6only is true and optval >> (v6only in the example above) is false.) >>> >>> I would volunteer to write a patch which introduces something like >> net.ipv6.bindv6only_enforced_silently if some maintainer would give me his ok. >>> >>> If so, the question remains if >>> >>> systemctl net.ipv6.bindv6only_enforced_silently = 1 >>> >>> should set systemctl.net.ipv6.bindv6only too or if an error should be returned if >> net.ipv6.bindv6only is false. >> >> I am not convinced why you need this, and I am not in favor of >> enfocing IPV6_V6ONLY, but... some points: It's some kind of security feature I want to have. I just don't want to search for applications which are listening on IPv4 ports (too) even when only IPv6 was configured. There exists several of them. >> >> - We should allow system-admin to "enforce" IPV6_V6ONLY to 0 as well. >> - CAP_NET_ADMIN users should always be able to use both modes >> (They can do sysctl anyway.) >> - setsockopt should fail w/ EPERM if user tries to override. > > I can imagine that some programs will always try to clear IPV6_V6ONLY > (maybe for portability with other OS which default to setting it > for security reasons) and will error-exit if it fails. > So non-silent enforcing could be a PITA. Exactly. > You really don't want to (globally) stop an application setting > IPV6_V6ONLY, such a program may well be creating separate IPv4 > and IPv6 sockets. Agreed. Applications which are setting IPV6_V6ONLY to true usually do know what they are doing. But some braindead (configured) applications are disabling it (and would bail out if setsockopt() would return an error). > > Some of this needs to be part of some application wide 'security' > framework - that probably doesn't exist! > > Should there also be similar controls for the use of IPv4 > mapped addresses in actual on-the-wire IPv6 packets - eg those > destined for a remote gateway on an IPv6 only system? I think that can be handled by iptables by just blocking e.g. ::ffff:0:0/96 and ::0/96. But it's a pain to find and take care of apps which are ignoring the default (net.ipv6.bindv6only) and are disabling IPV6_V6ONLY explicit for whatever reason. Therefor I would like to have that net.ipv6.bindv6only_enforced_silently. Disabling IPv4 in general is not what I want. Regards, Alexander -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index d1e2e8e..9eefd3e 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -235,7 +235,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, if (optlen < sizeof(int) || inet_sk(sk)->inet_num) goto e_inval; - np->ipv6only = valbool; + np->ipv6only = valbool || net->ipv6.sysctl.bindv6only; retv = 0; break;