authorDan Sneddon <dsneddon@redhat.com>2016-10-12 12:38:21 -0700
committerDan Sneddon <dsneddon@redhat.com>2016-10-12 19:50:35 +0000
commit4eacf4179d03cd2102cac4abf14e80eae440c2d3 (patch)
treea8039493747ff8c0384c409fe56def0754fd36b8
parent90a450fcd86cc27277f8ff83e3e82d17fd0ee795 (diff)
Disable IPv6 RAs & Autoconf For All (Not Just Default)
The current kernel sysctl settings set both net.ipv6.conf.default.accept_ra and net.ipv6.conf.default.autoconf to '0'. However, these are overridden by the settings in net.ipv6.conf.all, so regardless of the setting in the ifcfg file for the IPv6 interface, autoconfiguration and accept_ra remain enabled. This is a security vulnerability: rogue RAs could be used to intercept traffic from the controllers. This change sets both the default and all settings to '0' for IPv6 accept_ra and autoconf. Closes-Bug: 1632830 Change-Id: I95b86c5c6feed30dfa5103ffbddb9e85ac567bbb
-rw-r--r--puppet/services/kernel.yaml4
1 files changed, 4 insertions, 0 deletions
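diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index 2f01578e..1fc88bf1 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -39,8 +39,12 @@ outputs:
 net.netfilter.nf_conntrack_max:
 value: 500000
 # prevent neutron bridges from autoconfiguring ipv6 addresses
+ net.ipv6.conf.all.accept_ra:
+ value: 0
 net.ipv6.conf.default.accept_ra:
 value: 0
+ net.ipv6.conf.all.autoconf:
+ value: 0
 net.ipv6.conf.default.autoconf:
 value: 0
 net.core.netdev_max_backlog: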
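Review bot: The comment directly above the added `net.ipv6.conf.all.accept_ra` key still reads `# prevent neutron bridges from autoconfiguring ipv6 addresses`, but the new `all` keys apply the setting to every interface on the host, so the comment now understates what is being disabled. I would change it to `# disable IPv6 router-advertisement acceptance and SLAAC on all interfaces (all + default), so rogue RAs cannot reconfigure any interface`. Since the commit message states that the `all` value overrides the per-interface settings, an interface that is intentionally configured for SLAAC can presumably no longer opt back in via its ifcfg file; that trade-off is worth recording in the same comment so the next maintainer does not weaken it by accident. The sysctl map this hunk edits starts and ends outside the hunk.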