| author | Dan Sneddon <dsneddon@redhat.com> | 2016-10-12 12:38:21 -0700 |
|---|---|---|
| committer | Dan Sneddon <dsneddon@redhat.com> | 2016-10-12 19:50:35 +0000 |
| commit | 4eacf4179d03cd2102cac4abf14e80eae440c2d3 (patch) | |
| tree | a8039493747ff8c0384c409fe56def0754fd36b8 /puppet | |
| parent | 90a450fcd86cc27277f8ff83e3e82d17fd0ee795 (diff) | |
Disable IPv6 RAs & Autoconf For All (Not Just Default)
The current kernel sysctl settings modify the
net.ipv6.conf.default.accept_ra and net.ipv6.conf.default.autoconf
to both be '0'. However, this is overridden by the settings in
net.ipv6.conf.all, so no matter what setting is in the ifcfg file
for the IPv6 interface, autoconfiguration and accept_ra will be
enabled. This causes a security vulnerability where rogue RAs
could be used to intercept traffic from the controllers.
This change sets both default and all settings to '0' for IPv6
accept_ra and autoconf.
Closes-Bug: 1632830
Change-Id: I95b86c5c6feed30dfa5103ffbddb9e85ac567bbb
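As an added example (not part of this change or of the project's templates), a POSIX shell audit that reads the `/proc/sys/net/ipv6/conf` tree and reports every interface whose `accept_ra` or `autoconf` is still non-zero, which is the check the commit message's reasoning calls for: the `default.*` and `all.*` knobs only matter through the value each interface's own entry ends up holding. The conf root is a parameter so the functions can be pointed at a copied or constructed tree; the script name `ipv6_ra_audit.sh` is assumed.

```shell
#!/bin/sh
# Added example, not part of the change above. Audits the effective IPv6
# RA/autoconf state per interface: the default.* and all.* sysctls only
# matter through what each interface's own entry ends up holding.
#
# audit_ipv6_ra [conf_root]
#   conf_root defaults to the live /proc/sys/net/ipv6/conf tree; a copied
#   or constructed tree with the same layout can be passed instead.
#   Prints "<ifname> <knob>=<value>" for every real interface whose
#   accept_ra or autoconf is non-zero and returns 1 if any was found.
audit_ipv6_ra() {
    root="${1:-/proc/sys/net/ipv6/conf}"
    bad=0
    for dir in "$root"/*/; do
        ifname="${dir%/}"
        ifname="${ifname##*/}"
        # "all" and "default" are policy knobs, not interfaces; lo never SLAACs.
        case "$ifname" in all|default|lo) continue ;; esac
        for knob in accept_ra autoconf; do
            [ -r "$dir$knob" ] || continue
            read -r val < "$dir$knob"
            if [ "$val" != "0" ]; then
                printf '%s %s=%s\n' "$ifname" "$knob" "$val"
                bad=$((bad + 1))
            fi
        done
    done
    [ "$bad" -eq 0 ]
}

# show_policy [conf_root]
#   Prints the four settings the patch pins, in sysctl.conf notation, so the
#   operator can compare the intended policy with the per-interface reality.
show_policy() {
    root="${1:-/proc/sys/net/ipv6/conf}"
    for scope in all default; do
        for knob in accept_ra autoconf; do
            [ -r "$root/$scope/$knob" ] || continue
            read -r val < "$root/$scope/$knob"
            printf 'net.ipv6.conf.%s.%s = %s\n' "$scope" "$knob" "$val"
        done
    done
}

# Run as a script when saved as ipv6_ra_audit.sh; when sourced, only the
# functions are defined.
case "${0##*/}" in
    ipv6_ra_audit.sh) show_policy "$1"; audit_ipv6_ra "$1" ;;
esac
```

A non-zero exit from the script means at least one interface would still honour a rogue RA despite the `default.*` and `all.*` settings, so it is usable as a post-deploy health check.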
Diffstat (limited to 'puppet')

    -rw-r--r-- puppet/services/kernel.yaml | 4
    1 files changed, 4 insertions, 0 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index 2f01578e..1fc88bf1 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -39,8 +39,12 @@ outputs: net.netfilter.nf_conntrack_max: value: 500000 # prevent neutron bridges from autoconfiguring ipv6 addresses + net.ipv6.conf.all.accept_ra: + value: 0 net.ipv6.conf.default.accept_ra: value: 0 + net.ipv6.conf.all.autoconf: + value: 0 net.ipv6.conf.default.autoconf: value: 0 net.core.netdev_max_backlog: |
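Review bot: the existing comment `# prevent neutron bridges from autoconfiguring ipv6 addresses` now sits above the new `net.ipv6.conf.all.accept_ra` / `net.ipv6.conf.all.autoconf` entries, whose stated purpose in the commit message is to stop rogue RAs on every interface, not just Neutron bridges; reword the comment so a later reader does not scope the `all.*` entries down to bridges and relax them. The commit message's own reasoning also implies the reverse of the bug it fixes: once `all.autoconf` and `all.accept_ra` are 0, an ifcfg setting that wants SLAAC on a specific interface will be overridden just as the `default.*` values were, so that trade-off deserves a sentence in the comment or the service documentation.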