author | zshi <zshi@redhat.com> | 2017-04-06 18:11:26 +0800 |
---|---|---|
committer | zshi <zshi@redhat.com> | 2017-04-11 15:29:04 +0800 |
commit | d22484d389b1e2f5e9dd9ea6d9f4196effa31f1c (patch) | |
tree | 04be32083bd352266c8f2d03163ea5237339b5c2 | |
parent | e10ddcc3d2cbbd27b77a528a643adf7ca334c08e (diff) |
Add IPv6 disable option
This will give the user the ability to set these values;
if IPv6 is not to be used, it is recommended that it be
disabled to reduce the attack surface of the system.
Change-Id: Ib3142cce49b93a421ca142a59961ce49a77e66b1
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
-rw-r--r-- | puppet/services/kernel.yaml | 8 | ||||
-rw-r--r-- | releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml | 7 |
2 files changed, 15 insertions, 0 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index 9b314b2a..12255614 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -22,6 +22,10 @@ parameters: default: 1048576 description: Configures sysctl kernel.pid_max key type: number + KernelDisableIPv6: + default: 0 + description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys + type: number outputs: role_data: @@ -57,6 +61,10 @@ outputs: value: 500000 net.netfilter.nf_conntrack_max: value: 500000 + net.ipv6.conf.default.disable_ipv6: + value: {get_param: KernelDisableIPv6} + net.ipv6.conf.all.disable_ipv6: + value: {get_param: KernelDisableIPv6} # prevent neutron bridges from autoconfiguring ipv6 addresses net.ipv6.conf.all.accept_ra: value: 0 diff --git a/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml new file mode 100644 index 00000000..8b57f587 --- /dev/null +++ b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml @@ -0,0 +1,7 @@ +--- +security: + - | + Add IPv6 disable option and make it configurable for user to disable IPv6 + when it's not used, this will descrease the risk of ipv6 attack. + Both net.ipv6.conf.default.disable_ipv6 & net.ipv6.conf.all.disable_ipv6 + will be explicitly set to the default value (0) which is enabled. |
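Review bot: in the parameters hunk the description of KernelDisableIPv6 names the keys as net.ipv6.{default/all}.disable_ipv6, but the keys the outputs hunk actually sets are net.ipv6.conf.default.disable_ipv6 and net.ipv6.conf.all.disable_ipv6, so the `conf` path component is missing; suggest `description: Configures sysctl net.ipv6.conf.{default,all}.disable_ipv6 keys (0 = IPv6 enabled, 1 = IPv6 disabled)`. The parameter is also declared as an unconstrained `type: number` although disable_ipv6 is a boolean sysctl where only 0 and 1 are meaningful; adding `constraints: - allowed_values: [0, 1]` would reject a value such as 2 at stack validation instead of leaving it to sysctl at deploy time.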
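Review bot: in the outputs hunk the two new disable_ipv6 keys are inserted immediately above the comment `# prevent neutron bridges from autoconfiguring ipv6 addresses`, which belongs to the existing net.ipv6.conf.all.accept_ra entry, so that comment now reads as if it also explained the disable_ipv6 keys; give the new keys a one-line comment of their own (for example that they are driven by KernelDisableIPv6 and default to 0) so the accept_ra rationale stays attached to accept_ra. Also, because a single parameter feeds both `default` and `all`, setting it to 1 turns IPv6 off on every existing and future interface of the node, not only on unused ones, which includes any interface carrying an IPv6-addressed overcloud network; the parameter description should warn that the value must remain 0 on IPv6 deployments.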
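Review bot: the release note hunk has spelling errors that will be published as written: "descrease" should be "decrease", "ipv6 attack" should read "IPv6-based attacks", and the note filename itself misspells "disable" as "diable" (releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml); rename the file before this merges. The note should also name the knob a user has to set, i.e. the KernelDisableIPv6 parameter and the value 1, since the text only says the option is "configurable" without saying how, while the final sentence correctly states that both keys stay at the default 0 (IPv6 enabled) unless changed.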