From d22484d389b1e2f5e9dd9ea6d9f4196effa31f1c Mon Sep 17 00:00:00 2001
From: zshi
Date: Thu, 6 Apr 2017 18:11:26 +0800
Subject: Add IPv6 disable option

This will give user the ability to set these values, if IPv6 is not to be used, it's recommended that it be disabled to reduce the attack surface of the system.
Change-Id: Ib3142cce49b93a421ca142a59961ce49a77e66b1
Co-Authored-By: Luke Hinds
Signed-off-by: zshi
---
 puppet/services/kernel.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'puppet/services/kernel.yaml')
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index 9b314b2a..12255614 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -22,6 +22,10 @@ parameters:
 default: 1048576
 description: Configures sysctl kernel.pid_max key
 type: number
+ KernelDisableIPv6:
+ default: 0
+ description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
+ type: number

 outputs:
 role_data:
@@ -57,6 +61,10 @@ outputs:
 value: 500000
 net.netfilter.nf_conntrack_max:
 value: 500000
+ net.ipv6.conf.default.disable_ipv6:
+ value: {get_param: KernelDisableIPv6}
+ net.ipv6.conf.all.disable_ipv6:
+ value: {get_param: KernelDisableIPv6}
 # prevent neutron bridges from autoconfiguring ipv6 addresses
 net.ipv6.conf.all.accept_ra:
 value: 0
--
cgit 1.2.3-korg
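Review bot: `KernelDisableIPv6` is declared as an unconstrained `type: number`, while the two `disable_ipv6` sysctl keys it feeds in the second hunk are boolean switches, so a mistyped value would presumably be passed through to sysctl instead of being rejected when the stack is validated. A `constraints:` entry with `- allowed_values: [0, 1]` under the parameter would catch that early. The description also drops the `conf` component of the key names and does not say which value disables IPv6; `description: Set to 1 to disable IPv6 (sysctl net.ipv6.conf.{default,all}.disable_ipv6), 0 leaves it enabled` would be clearer. Because the default of 0 keeps IPv6 on, the attack-surface reduction described in the commit message is opt-in, which is worth stating where operators will read it.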
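Review bot: The two new `disable_ipv6` entries carry no comment, unlike the `accept_ra` entry directly below them; a line such as `# KernelDisableIPv6=1 turns IPv6 off on existing (all) and future (default) interfaces` would explain why both keys are set from one parameter. Nothing visible in this hunk prevents the value being set to 1 on a deployment whose networks use IPv6 addressing, so that caveat belongs in the parameter description or a release note. The enclosing sysctl mapping starts and ends outside the hunk, so any guard that exists elsewhere in the template is not visible here.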