[libvirt] PATCH: Disable IPv6 on virtual network bridges

This is to address:

https://bugzilla.redhat.com/show_bug.cgi?id=501934

which allows the guest to DOS the host IPv6 connectivity

Daniel

commit 763cf06ff76b4ded03a9b577cd8c541729190edc
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Thu Jul 30 16:34:56 2009 +0100

Disable IPv6 on virtual networks

If the bridge device is configured to have IPv6 address and accept router advertisements, then a malicious guest can send out bogus advertisements and hijack/DOS host IPv6 connectivity

* src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0 for IPv6 sysctl on virtual network bridge devices

diff --git a/src/network_driver.c b/src/network_driver.c index 1683631..eaea454 100644 --- a/src/network_driver.c +++ b/src/network_driver.c 
@@ -788,6 +788,55 @@ networkEnableIpForwarding(void) return virFileWriteStr("/proc/sys/net/ipv4/ip_forward", "1\n"); } +#define SYSCTL_PATH "/proc/sys" + +static int networkDisableIPV6(virConnectPtr conn, + virNetworkObjPtr network) +{ + char *field = NULL; + int ret = -1; + + if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/disable_ipv6", network->def->bridge) < 0) { + virReportOOMError(conn); + goto cleanup; + } + + if (virFileWriteStr(field, "1") < 0) { + virReportSystemError(conn, errno, + _("cannot enable %s"), field); + goto cleanup; + } + VIR_FREE(field); + + if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/accept_ra", network->def->bridge) < 0) { + virReportOOMError(conn); + goto cleanup; + } + + if (virFileWriteStr(field, "0") < 0) { + virReportSystemError(conn, errno, + _("cannot disable %s"), field); + goto cleanup; + } + VIR_FREE(field); + + if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/autoconf", network->def->bridge) < 0) { + virReportOOMError(conn); + goto cleanup; + } + + if (virFileWriteStr(field, "1") < 0) { + virReportSystemError(conn, errno, + _("cannot enable %s"), field); + goto cleanup; + } + + ret = 0; +cleanup: + VIR_FREE(field); + return ret; +} + static int networkStartNetworkDaemon(virConnectPtr conn, struct network_driver *driver, virNetworkObjPtr network) { @@ -806,6 +855,9 @@ static int networkStartNetworkDaemon(virConnectPtr conn, return -1; } + if (networkDisableIPV6(conn, network) < 0) + goto err_delbr; + if (brSetForwardDelay(driver->brctl, network->def->bridge, network->def->delay) < 0) goto err_delbr; -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
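
Review bot: In networkDisableIPV6 the third block writes "1" to autoconf and reports "cannot enable %s", while the commit message lists autoconf=0; write "0" there and word the error as "cannot disable %s". The three virAsprintf/virFileWriteStr sequences differ only in the sysctl key and the value, so a small helper taking both would remove the duplication and make a mismatch like this one easier to spot.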
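
Review bot: In networkStartNetworkDaemon any failure from networkDisableIPV6 jumps to err_delbr and aborts starting the network, but the files it writes in the bridge's directory under /proc/sys/net/ipv6/conf/ exist only when the kernel has IPv6 available. On a host without IPv6 the write fails and the virtual network cannot start even though there is nothing to protect; check that the directory exists before writing, or treat a missing file as success, and add a comment above the call saying why IPv6 is switched off on the bridge.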

On Thu, Jul 30, 2009 at 04:37:35PM +0100 Daniel P. Berrange wrote:
> This is to address:
> https://bugzilla.redhat.com/show_bug.cgi?id=501934
> which allows the guest to DOS the host IPv6 connectivity
> Daniel
> commit 763cf06ff76b4ded03a9b577cd8c541729190edc
> Author: Daniel P. Berrange <berrange@redhat.com>
> Date: Thu Jul 30 16:34:56 2009 +0100
> Disable IPv6 on virtual networks
> If the bridge device is configured to have IPv6 address and accept router advertisements, then a malicious guest can send out bogus advertisements and hijack/DOS host IPv6 connectivity
> * src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0 for IPv6 sysctl on virtual network bridge devices

Nasty problem. However, why disable ipv6 as well? Disabling only ra and autoconf seems sufficient. There is probably some reason, but more people than me are undoubtedly curious about this.

/Jonas

--
Jonas Eriksson Consultant at AS/EAB/FLJ/IL Combitech AB Älvsjö, Sweden

On Thu, Jul 30, 2009 at 05:50:30PM +0200, Jonas Eriksson wrote:
> On Thu, Jul 30, 2009 at 04:37:35PM +0100 Daniel P. Berrange wrote:
> > This is to address:
> > https://bugzilla.redhat.com/show_bug.cgi?id=501934
> > which allows the guest to DOS the host IPv6 connectivity
> > Daniel
> > commit 763cf06ff76b4ded03a9b577cd8c541729190edc
> > Author: Daniel P. Berrange <berrange@redhat.com>
> > Date: Thu Jul 30 16:34:56 2009 +0100
> > Disable IPv6 on virtual networks
> > If the bridge device is configured to have IPv6 address and accept router advertisements, then a malicious guest can send out bogus advertisements and hijack/DOS host IPv6 connectivity
> > * src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0 for IPv6 sysctl on virtual network bridge devices
> Nasty problem. However, why disable ipv6 as well? Disabling only ra and autoconf seems sufficient. There is probably some reason, but more people than me are undoubtedly curious about this.

The current virtual network support is intended to be IPv4 only at this time. We do have plans to fully support IPv6, at which point this will become configurable, on or off. So until that time it's safer to explicitly turn it off.

Regards,
Daniel

On Thu, Jul 30, 2009 at 04:55:11PM +0100 Daniel P. Berrange wrote:
> On Thu, Jul 30, 2009 at 05:50:30PM +0200, Jonas Eriksson wrote:
> > On Thu, Jul 30, 2009 at 04:37:35PM +0100 Daniel P. Berrange wrote:
> > > This is to address:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=501934
> > > which allows the guest to DOS the host IPv6 connectivity
> > > Daniel
> > > commit 763cf06ff76b4ded03a9b577cd8c541729190edc
> > > Author: Daniel P. Berrange <berrange@redhat.com>
> > > Date: Thu Jul 30 16:34:56 2009 +0100
> > > Disable IPv6 on virtual networks
> > > If the bridge device is configured to have IPv6 address and accept router advertisements, then a malicious guest can send out bogus advertisements and hijack/DOS host IPv6 connectivity
> > > * src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0 for IPv6 sysctl on virtual network bridge devices
> > Nasty problem. However, why disable ipv6 as well? Disabling only ra and autoconf seems sufficient. There is probably some reason, but more people than me are undoubtedly curious about this.
> The current virtual network support is intended to be IPv4 only at this time. We do have plans to fully support IPv6, at which point this will become configurable, on or off. So until that time it's safer to explicitly turn it off.

Thanks and ACK.

/Jonas

--
Jonas Eriksson Consultant at AS/EAB/FLJ/IL Combitech AB Älvsjö, Sweden

On Thu, Jul 30, 2009 at 04:55:11PM +0100, Daniel P. Berrange wrote:
> On Thu, Jul 30, 2009 at 05:50:30PM +0200, Jonas Eriksson wrote:
> > On Thu, Jul 30, 2009 at 04:37:35PM +0100 Daniel P. Berrange wrote:
> > > This is to address:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=501934
> > > which allows the guest to DOS the host IPv6 connectivity
> > > Daniel
> > > commit 763cf06ff76b4ded03a9b577cd8c541729190edc
> > > Author: Daniel P. Berrange <berrange@redhat.com>
> > > Date: Thu Jul 30 16:34:56 2009 +0100
> > > Disable IPv6 on virtual networks
> > > If the bridge device is configured to have IPv6 address and accept router advertisements, then a malicious guest can send out bogus advertisements and hijack/DOS host IPv6 connectivity
> > > * src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0 for IPv6 sysctl on virtual network bridge devices
> > Nasty problem. However, why disable ipv6 as well? Disabling only ra and autoconf seems sufficient. There is probably some reason, but more people than me are undoubtedly curious about this.
> The current virtual network support is intended to be IPv4 only at this time. We do have plans to fully support IPv6, at which point this will become configurable, on or off. So until that time it's safer to explicitly turn it off.

FYI, the info about supporting IPv6 properly is here

http://www.redhat.com/archives/libvir-list/2009-June/msg00067.html
https://bugzilla.redhat.com/show_bug.cgi?id=514749

Daniel
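
A host-side check of the three sysctls named in the commit message, added here as an example (it is not part of the thread or of libvirt): it reads disable_ipv6, accept_ra and autoconf for a bridge and reports any that differ from 1, 0 and 0. The function name, the optional sysctl-root argument and the bridge name virbr0 in the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Audit a bridge's IPv6 sysctls against the values in the commit message:
# disable_ipv6=1, accept_ra=0, autoconf=0.
# The second argument (sysctl root) is an assumption of this example so the
# check can run against a test tree; on a live host it defaults to /proc/sys.
audit_bridge_ipv6() {
    bridge=$1
    root=${2:-/proc/sys}
    dir="$root/net/ipv6/conf/$bridge"
    findings=""

    # No per-interface directory: the interface is absent or the kernel has
    # no IPv6, so there is nothing that could accept router advertisements.
    if [ ! -d "$dir" ]; then
        echo "OK $bridge: no IPv6 sysctl directory"
        return 0
    fi

    for pair in disable_ipv6=1 accept_ra=0 autoconf=0; do
        key=${pair%%=*}
        want=${pair#*=}
        if [ -r "$dir/$key" ]; then
            got=$(tr -d '[:space:]' < "$dir/$key")
        else
            got=missing
        fi
        [ "$got" = "$want" ] || findings="$findings $key=$got(want $want)"
    done

    if [ -n "$findings" ]; then
        echo "FAIL $bridge:$findings"
        return 1
    fi
    echo "OK $bridge: IPv6 disabled, RA and autoconf off"
}

# Constructed sample tree standing in for /proc/sys (not data from a real host).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/net/ipv6/conf/virbr0"
printf '1\n' > "$demo_root/net/ipv6/conf/virbr0/disable_ipv6"
printf '0\n' > "$demo_root/net/ipv6/conf/virbr0/accept_ra"
printf '1\n' > "$demo_root/net/ipv6/conf/virbr0/autoconf"
audit_bridge_ipv6 virbr0 "$demo_root" || true   # FAIL virbr0: autoconf=1(want 0)
rm -rf "$demo_root"
```

On a live host, call `audit_bridge_ipv6` with only the bridge name so that it reads from /proc/sys.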