Disable IPv6 RAs & Autoconf For All (Not Just Default)

The current kernel sysctl settings modify the net.ipv6.conf.default.accept_ra and net.ipv6.conf.default.autoconf to both be '0'. However, this is overridden by the settings in net.ipv6.conf.all, so no matter what setting is in the ifcfg file for the IPv6 interface, autoconfiguration and accept_ra will be enabled. This causes a security vulnerability where rogue RAs could be used to intercept traffic from the controllers. This change sets both default and all settings to '0' for IPv6 accept_ra and autoconf. Closes-Bug: 1632830 Change-Id: I95b86c5c6feed30dfa5103ffbddb9e85ac567bbb
author: Dan Sneddon <dsneddon@redhat.com> 2016-10-12 12:38:21 -0700
committer: Dan Sneddon <dsneddon@redhat.com> 2016-10-12 19:50:35 +0000
commit: 4eacf4179d03cd2102cac4abf14e80eae440c2d3 (patch)
tree: a8039493747ff8c0384c409fe56def0754fd36b8 /puppet/services/kernel.yaml
parent: 90a450fcd86cc27277f8ff83e3e82d17fd0ee795 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index 2f01578e..1fc88bf1 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -39,8 +39,12 @@ outputs:
           net.netfilter.nf_conntrack_max:
             value: 500000
           # prevent neutron bridges from autoconfiguring ipv6 addresses
+          net.ipv6.conf.all.accept_ra:
+            value: 0
           net.ipv6.conf.default.accept_ra:
             value: 0
+          net.ipv6.conf.all.autoconf:
+            value: 0
           net.ipv6.conf.default.autoconf:
             value: 0
           net.core.netdev_max_backlog:
author	Dan Sneddon <dsneddon@redhat.com>	2016-10-12 12:38:21 -0700
committer	Dan Sneddon <dsneddon@redhat.com>	2016-10-12 19:50:35 +0000
commit	4eacf4179d03cd2102cac4abf14e80eae440c2d3 (patch)
tree	a8039493747ff8c0384c409fe56def0754fd36b8 /puppet/services/kernel.yaml
parent	90a450fcd86cc27277f8ff83e3e82d17fd0ee795 (diff)