summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJenkins <jenkins@review.openstack.org>2017-04-12 16:39:47 +0000
committerGerrit Code Review <review@openstack.org>2017-04-12 16:39:47 +0000
commit2f230e077577fe63d710f6aade4920d83c17de65 (patch)
tree62ed871c0f7cbc75902bcd490e9fc200e48542b2
parentaf4f4caf70d9493c2a0719ff06c8b46d302e362c (diff)
parentd22484d389b1e2f5e9dd9ea6d9f4196effa31f1c (diff)
Merge "Add IPv6 disable option"
-rw-r--r--puppet/services/kernel.yaml8
-rw-r--r--releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml7
2 files changed, 15 insertions, 0 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index 94b15d4b..2a335b67 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -22,6 +22,10 @@ parameters:
default: 1048576
description: Configures sysctl kernel.pid_max key
type: number
+ KernelDisableIPv6:
+ default: 0
+ description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
+ type: number
outputs:
role_data:
@@ -57,6 +61,10 @@ outputs:
value: 500000
net.netfilter.nf_conntrack_max:
value: 500000
+ net.ipv6.conf.default.disable_ipv6:
+ value: {get_param: KernelDisableIPv6}
+ net.ipv6.conf.all.disable_ipv6:
+ value: {get_param: KernelDisableIPv6}
# prevent neutron bridges from autoconfiguring ipv6 addresses
net.ipv6.conf.all.accept_ra:
value: 0
diff --git a/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml
new file mode 100644
index 00000000..8b57f587
--- /dev/null
+++ b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml
@@ -0,0 +1,7 @@
+---
+security:
+ - |
+ Add IPv6 disable option and make it configurable for user to disable IPv6
+ when it's not used, this will descrease the risk of ipv6 attack.
+ Both net.ipv6.conf.default.disable_ipv6 & net.ipv6.conf.all.disable_ipv6
+ will be explicitly set to the default value (0) which is enabled.