New subject: Change in vdsm[master]: network: avoid guest-host communication over IPv6 on bridges...

6 Jul 2015

Ondřej Svoboda has uploaded a new change for review.
Change subject: network: disable IPv6 via sysctl if no IPv6 functionality was requested
......................................................................
network: disable IPv6 via sysctl if no IPv6 functionality was requested
This applies to bridges. On CentOS/RHEL 7, disable_ipv6=0 is the default
so bridges allowed IPv6 traffic even though it was not enabled by setting
a static address or using DHCPv6.
Change-Id: I2314d4bc120c15af44ff9e20c9281ab69c84ad0a
Bug-Url: https://bugzilla.redhat.com/1219363
Signed-off-by: Ondřej Svoboda osvoboda@redhat.com
---
M tests/functional/networkTests.py
M vdsm/network/configurators/ifcfg.py
M vdsm/network/configurators/iproute2.py
3 files changed, 13 insertions(+), 0 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/52/43252/1

diff --git a/tests/functional/networkTests.py b/tests/functional/networkTests.py
index f3dff3f..94ee4db 100644
--- a/tests/functional/networkTests.py
+++ b/tests/functional/networkTests.py
@@ -1685,6 +1685,9 @@
                 if 6 in families:
                     self.assertIn(IPv6_ADDRESS_AND_CIDR, test_net['ipv6addrs'])
                     self.assertEqual(IPv6_GATEWAY, test_net['ipv6gateway'])
+                else:
+                    # VDSM disables IPv6 via sysctl if IPv6 is not requested
+                    self.assertEqual([], test_net['ipv6addrs'])
                 delete = {NETWORK_NAME: {'remove': True}}
                 status, msg = self.vdsm_net.setupNetworks(delete, {}, {})
                 self.assertEqual(status, SUCCESS, msg)
diff --git a/vdsm/network/configurators/ifcfg.py b/vdsm/network/configurators/ifcfg.py
index e008994..1b36199 100644
--- a/vdsm/network/configurators/ifcfg.py
+++ b/vdsm/network/configurators/ifcfg.py
@@ -35,6 +35,7 @@
 from vdsm import constants
 from vdsm import ipwrapper
 from vdsm import netinfo
+from vdsm import sysctl
 from vdsm import utils
 from vdsm.netconfpersistence import RunningConfig
@@ -93,6 +94,10 @@
             bridge.port.configure(**opts)
         self._addSourceRoute(bridge)
         _ifup(bridge)
+        if not bridge.ipv6.address and not bridge.ipv6.ipv6autoconf and (
+                not bridge.ipv6.dhcpv6):
+            # disallow IPv6 traffic on the bridge if IPv6 is not requested
+            sysctl.disable_ipv6(bridge.name)
def configureVlan(self, vlan, **opts):
         self.configApplier.addVlan(vlan, **opts)
diff --git a/vdsm/network/configurators/iproute2.py b/vdsm/network/configurators/iproute2.py
index 9a8b751..31b1cf4 100644
--- a/vdsm/network/configurators/iproute2.py
+++ b/vdsm/network/configurators/iproute2.py
@@ -25,6 +25,7 @@
 from vdsm.constants import EXT_BRCTL
 from vdsm.ipwrapper import routeAdd, routeDel, ruleAdd, ruleDel, IPRoute2Error
 from vdsm.netconfpersistence import RunningConfig
+from vdsm import sysctl
 from vdsm.utils import CommandPath
 from vdsm.utils import execCmd
@@ -72,6 +73,10 @@
             self.configApplier.addBridgePort(bridge)
         DynamicSourceRoute.addInterfaceTracking(bridge)
         self.configApplier.setIfaceConfigAndUp(bridge)
+        if not bridge.ipv6.address and not bridge.ipv6.ipv6autoconf and (
+                not bridge.ipv6.dhcpv6):
+            # disallow IPv6 traffic on the bridge if IPv6 is not requested
+            sysctl.disable_ipv6(bridge.name)
         self._addSourceRoute(bridge)
         if 'custom' in opts and 'bridge_opts' in opts['custom']:
             self.configApplier._setBridgeOpts(bridge,
-- 
To view, visit https://gerrit.ovirt.org/43252
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I2314d4bc120c15af44ff9e20c9281ab69c84ad0a
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Ondřej Svoboda osvoboda@redhat.com

    

Change in vdsm[master]: network: disable IPv6 via sysctl if no IPv6 functionality wa...