From patchwork Sat Feb 23 20:44:27 2013
X-Patchwork-Submitter: Alexander Holler
X-Patchwork-Id: 222745
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <51292A2B.3000304@ahsoftware.de>
Date: Sat, 23 Feb 2013 21:44:27 +0100
From: Alexander Holler
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130219 Thunderbird/17.0.3
MIME-Version: 1.0
To: netdev@vger.kernel.org
CC: linux-kernel@vger.kernel.org
Subject: Re: Disable IPv4-mapped - enforce IPV6_V6ONLY
References: <51278CF6.2060402@ahsoftware.de>
In-Reply-To: <51278CF6.2060402@ahsoftware.de>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

On 22.02.2013 16:21, Alexander Holler wrote:
> Hello,
>
> I'm searching for a way to either enforce IPV6_V6ONLY or to block
> IPv4-mapped addresses on ipv6-sockets (e.g. by using iptables) system-wide.
>
> E.g. net.ipv6.bindv6only doesn't help if something calls
>
> int v6on = 0;
> setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, (char *)&v6on, sizeof(v6on))
>
> In such a case I still want to disable or block IPv4-mapped addresses on
> that socket, even if the program thinks it knows it better.
>
> Until now I haven't found a solution.

I've now done it by the following hack:

-----------

-----------

A proper solution would be to either return false if net.ipv6.bindv6only is true and optval is false (which would break downward compatibility because it wouldn't just be a default and setsockopt might return an error) or to introduce a new sysctl variable like net.ipv6.bindv6only_enforced_silently.

("silently" because setsockopt() wouldn't return an error if net.ipv6.bindv6only is true and optval (v6only in the example above) is false.)

I would volunteer to write a patch which introduces something like net.ipv6.bindv6only_enforced_silently if some maintainer would give me his ok.

If so, the question remains if

systemctl net.ipv6.bindv6only_enforced_silently = 1

should set systemctl.net.ipv6.bindv6only too or if an error should be returned if net.ipv6.bindv6only is false.
Regards,

Alexander

diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index d1e2e8e..9eefd3e 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -235,7 +235,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, if (optlen < sizeof(int) || inet_sk(sk)->inet_num) goto e_inval; - np->ipv6only = valbool; + np->ipv6only = valbool || net->ipv6.sysctl.bindv6only; retv = 0; break;
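Review bot: in the `np->ipv6only = valbool || net->ipv6.sysctl.bindv6only;` line, a caller that passes 0 still gets `retv = 0` back while the socket stays v6-only, so setsockopt() reports success for a setting it did not apply; the cover text acknowledges this, and the point for review is that such silent overriding should not hang off net.ipv6.bindv6only, which ip-sysctl.txt documents as the default for IPV6_V6ONLY, but off a separate knob as the message proposes (with its own ip-sysctl.txt entry), or else the call should `goto e_inval` so the application can tell. Also worth noting for the same line: the sysctl is sampled at each call, so whether a given socket ends up v6-only depends on when the sysctl was toggled relative to that socket's setsockopt() call, which makes the behaviour hard to reason about when the setting is flipped on a running system.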
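The behaviour the thread is about, shown from the application side as an added example (this is not code from the mail or from the kernel patch): reading the effective IPV6_V6ONLY flag after socket(), which reflects net.ipv6.bindv6only, clearing it the way the quoted program does, and re-reading it; plus the check an application can do itself to drop IPv4-mapped peers that reach a dual-stack listener. It assumes a Linux host with IPv6 enabled; the sample addresses are constructed for the example.

```c
/* Added example (not from the original mail or the kernel patch): shows why
 * net.ipv6.bindv6only is only a default, and an application-side check for
 * IPv4-mapped peers. Assumes a Linux host with an AF_INET6 stack. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if sa is an IPv6 socket address carrying an IPv4-mapped address
 * (::ffff:a.b.c.d), i.e. an IPv4 peer that came in through a dual-stack
 * socket; 0 otherwise (native IPv6, or not AF_INET6 at all). */
int is_v4mapped_peer(const struct sockaddr *sa)
{
    if (sa->sa_family != AF_INET6)
        return 0;
    const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
    return IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr) ? 1 : 0;
}

/* Build a sockaddr_in6 from presentation text (constructed test input).
 * Returns 0 on success, -1 if the text is not a valid IPv6 address. */
int make_sockaddr6(const char *text, struct sockaddr_in6 *out)
{
    memset(out, 0, sizeof(*out));
    out->sin6_family = AF_INET6;
    return inet_pton(AF_INET6, text, &out->sin6_addr) == 1 ? 0 : -1;
}

/* Read the effective IPV6_V6ONLY flag of sd: 0 or 1, or -1 on error.
 * This is what the kernel's np->ipv6only holds, whatever the application
 * passed to setsockopt(). */
int get_v6only(int sd)
{
    int v6only = 0;
    socklen_t len = sizeof(v6only);
    if (getsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, &len) < 0)
        return -1;
    return v6only ? 1 : 0;
}

/* Clear IPV6_V6ONLY exactly as the program quoted in the mail does, then
 * report what the kernel actually kept. Returns the effective flag, or -1. */
int clear_v6only_and_check(int sd)
{
    int v6on = 0;
    if (setsockopt(sd, IPPROTO_IPV6, IPV6_V6ONLY, &v6on, sizeof(v6on)) < 0)
        return -1;
    return get_v6only(sd);
}

/* Accept one connection on lsd and drop it if the peer is IPv4-mapped: the
 * per-application equivalent of the system-wide block the mail asks for.
 * Returns the accepted fd, or -1 if accept() failed or the peer was rejected. */
int accept_native_v6_only(int lsd)
{
    struct sockaddr_in6 peer;
    socklen_t len = sizeof(peer);
    int fd = accept(lsd, (struct sockaddr *)&peer, &len);
    if (fd < 0)
        return -1;
    if (is_v4mapped_peer((const struct sockaddr *)&peer)) {
        close(fd);   /* an IPv4 client slipped through a dual-stack listener */
        return -1;
    }
    return fd;
}

int main(void)
{
    struct sockaddr_in6 a;

    make_sockaddr6("::ffff:192.0.2.1", &a);   /* constructed IPv4-mapped peer */
    printf("::ffff:192.0.2.1 is v4-mapped: %d\n",
           is_v4mapped_peer((const struct sockaddr *)&a));
    make_sockaddr6("2001:db8::1", &a);         /* constructed native IPv6 peer */
    printf("2001:db8::1 is v4-mapped: %d\n",
           is_v4mapped_peer((const struct sockaddr *)&a));

    int sd = socket(AF_INET6, SOCK_STREAM, 0);
    if (sd < 0) {
        perror("socket");
        return 1;
    }
    /* First value mirrors net.ipv6.bindv6only; on a stock kernel the second
     * is 0 even when bindv6only=1, because the sysctl is only a default. With
     * the hack from the mail applied it stays 1 while setsockopt() still
     * returns success. */
    printf("IPV6_V6ONLY after socket():          %d\n", get_v6only(sd));
    printf("IPV6_V6ONLY after setsockopt(..., 0): %d\n", clear_v6only_and_check(sd));
    close(sd);
    return 0;
}
```

Run it once with `sysctl net.ipv6.bindv6only=0` and once with `=1` to see that only the first printed value changes on an unpatched kernel; `accept_native_v6_only()` is the fallback when the kernel cannot be changed and the service itself must refuse IPv4 clients.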