Ondřej Svoboda has uploaded a new change for review.
Change subject: network: disable IPv6 via sysctl if no IPv6 functionality was requested
network: disable IPv6 via sysctl if no IPv6 functionality was requested
This applies to bridges. On CentOS/RHEL 7, disable_ipv6=0 is the default so bridges allowed IPv6 traffic even though it was not enabled by setting a static address or using DHCPv6.
Change-Id: I2314d4bc120c15af44ff9e20c9281ab69c84ad0a
Bug-Url: https://bugzilla.redhat.com/1219363
Signed-off-by: Ondřej Svoboda osvoboda@redhat.com
---
M tests/functional/networkTests.py
M vdsm/network/configurators/ifcfg.py
M vdsm/network/configurators/iproute2.py
3 files changed, 13 insertions(+), 0 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/52/43252/1
diff --git a/tests/functional/networkTests.py b/tests/functional/networkTests.py index f3dff3f..94ee4db 100644 --- a/tests/functional/networkTests.py +++ b/tests/functional/networkTests.py @@ -1685,6 +1685,9 @@ if 6 in families: self.assertIn(IPv6_ADDRESS_AND_CIDR, test_net['ipv6addrs']) self.assertEqual(IPv6_GATEWAY, test_net['ipv6gateway']) + else: + # VDSM disables IPv6 via sysctl if IPv6 is not requested + self.assertEqual([], test_net['ipv6addrs']) delete = {NETWORK_NAME: {'remove': True}} status, msg = self.vdsm_net.setupNetworks(delete, {}, {}) self.assertEqual(status, SUCCESS, msg) diff --git a/vdsm/network/configurators/ifcfg.py b/vdsm/network/configurators/ifcfg.py index e008994..1b36199 100644 --- a/vdsm/network/configurators/ifcfg.py +++ b/vdsm/network/configurators/ifcfg.py @@ -35,6 +35,7 @@ from vdsm import constants from vdsm import ipwrapper from vdsm import netinfo +from vdsm import sysctl from vdsm import utils from vdsm.netconfpersistence import RunningConfig
@@ -93,6 +94,10 @@ bridge.port.configure(**opts) self._addSourceRoute(bridge) _ifup(bridge) + if not bridge.ipv6.address and not bridge.ipv6.ipv6autoconf and ( + not bridge.ipv6.dhcpv6): + # disallow IPv6 traffic on the bridge if IPv6 is not requested + sysctl.disable_ipv6(bridge.name)
def configureVlan(self, vlan, **opts): self.configApplier.addVlan(vlan, **opts) diff --git a/vdsm/network/configurators/iproute2.py b/vdsm/network/configurators/iproute2.py index 9a8b751..31b1cf4 100644 --- a/vdsm/network/configurators/iproute2.py +++ b/vdsm/network/configurators/iproute2.py @@ -25,6 +25,7 @@ from vdsm.constants import EXT_BRCTL from vdsm.ipwrapper import routeAdd, routeDel, ruleAdd, ruleDel, IPRoute2Error from vdsm.netconfpersistence import RunningConfig +from vdsm import sysctl from vdsm.utils import CommandPath from vdsm.utils import execCmd
@@ -72,6 +73,10 @@ self.configApplier.addBridgePort(bridge) DynamicSourceRoute.addInterfaceTracking(bridge) self.configApplier.setIfaceConfigAndUp(bridge) + if not bridge.ipv6.address and not bridge.ipv6.ipv6autoconf and ( + not bridge.ipv6.dhcpv6): + # disallow IPv6 traffic on the bridge if IPv6 is not requested + sysctl.disable_ipv6(bridge.name) self._addSourceRoute(bridge) if 'custom' in opts and 'bridge_opts' in opts['custom']: self.configApplier._setBridgeOpts(bridge,
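Review bot: the new `else:` branch in tests/functional/networkTests.py only asserts `self.assertEqual([], test_net['ipv6addrs'])`, i.e. it checks a side effect of the sysctl rather than the setting the patch introduces, so a bridge that simply has no address yet would pass the test even if disable_ipv6 were still 0. Consider also asserting the sysctl value itself for the bridge (and, in the `if 6 in families:` branch, that it stays 0 when IPv6 was requested) so the test fails precisely when the new logic regresses.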
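Review bot: in the vdsm/network/configurators/ifcfg.py hunk the guard `if not bridge.ipv6.address and not bridge.ipv6.ipv6autoconf and ( not bridge.ipv6.dhcpv6):` is repeated verbatim in iproute2.py; a small helper (say, a method on the ipv6 object answering "was any IPv6 functionality requested?") would keep the two configurators from drifting apart when SLAAC/DHCPv6 handling changes. The inline comment `# disallow IPv6 traffic on the bridge if IPv6 is not requested` restates the condition; the reason (keeping guests from reaching the host over IPv6 it was never configured for) belongs in the commit message. Also note that `sysctl.disable_ipv6(bridge.name)` is a runtime-only change applied after `_ifup(bridge)` and nothing in the hunk records it in the bridge's ifcfg file, so consider whether the persisted configuration should carry the equivalent setting too, or document that the sysctl is re-applied on every configureBridge.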
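Review bot: in the vdsm/network/configurators/iproute2.py hunk `sysctl.disable_ipv6(bridge.name)` runs after `self.configApplier.setIfaceConfigAndUp(bridge)`, so the bridge is brought up with IPv6 still enabled and only then disabled; during that window the kernel will assign a link-local address and the bridge can pass the very traffic the change wants to block. Since the bridge device already exists at this point (`self.configApplier.addBridgePort(bridge)` precedes it), the sysctl call can be moved before `setIfaceConfigAndUp(bridge)` so the interface never comes up with IPv6 on. The guard itself is the same expression as in ifcfg.py and should share one helper.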
automation@ovirt.org has posted comments on this change.
Change subject: network: disable IPv6 via sysctl if no IPv6 functionality was requested
Patch Set 1:
* Update tracker::#1219363::OK
* Check Bug-Url::OK
* Check Public Bug::#1219363::OK, public bug
* Check Product::#1219363::OK, Correct product oVirt
* Check TR::SKIP, not in a monitored branch (ovirt-3.5 ovirt-3.4 ovirt-3.3 ovirt-3.2)
* Check merged to previous::IGNORE, Not in stable branch (['ovirt-3.5', 'ovirt-3.4', 'ovirt-3.3'])
Dan Kenigsberg has posted comments on this change.
Change subject: network: disable IPv6 via sysctl if no IPv6 functionality was requested
Patch Set 1: Code-Review-1
(1 comment)
https://gerrit.ovirt.org/#/c/43252/1/vdsm/network/configurators/ifcfg.py File vdsm/network/configurators/ifcfg.py:
Line 95: self._addSourceRoute(bridge)
Line 96: _ifup(bridge)
Line 97: if not bridge.ipv6.address and not bridge.ipv6.ipv6autoconf and (
Line 98: not bridge.ipv6.dhcpv6):
Line 99: # disallow IPv6 traffic on the bridge if IPv6 is not requested
The comment only translates Python into English (which is not really useful).
You could write:
# disable ipv6 (unless explicitly requested) to avoid
# guest-host communication over ipv6
but actually, this should go into the commit message.
Line 100: sysctl.disable_ipv6(bridge.name)
Line 101:
Line 102: def configureVlan(self, vlan, **opts):
Line 103: self.configApplier.addVlan(vlan, **opts)
automation@ovirt.org has posted comments on this change.
Change subject: network: avoid guest-host communication over IPv6 on bridges, unless requested
Patch Set 2:
* Update tracker::#1219363::OK
* Check Bug-Url::OK
* Check Public Bug::#1219363::OK, public bug
* Check Product::#1219363::OK, Correct product oVirt
* Check TR::SKIP, not in a monitored branch (ovirt-3.5 ovirt-3.4 ovirt-3.3 ovirt-3.2)
* Check merged to previous::IGNORE, Not in stable branch (['ovirt-3.5', 'ovirt-3.4', 'ovirt-3.3'])
Ondřej Svoboda has posted comments on this change.
Change subject: network: avoid guest-host communication over IPv6 on bridges, unless requested
Patch Set 2: Verified+1
testStaticNetworkConfig passes with all configurators and indeed disable_ipv6 is set as needed (whenever IPv6 is requested).
while true; do sysctl -a | grep test-network | grep disable_ipv6; sleep 0.2s; done;
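As an added example (not part of the vdsm change or its tests), a small audit in the patch's own language that applies the patch's rule to `sysctl -a` output: for each bridge it takes the three IPv6 flags the guard checks (address, ipv6autoconf, dhcpv6), derives the expected disable_ipv6 value, and reports bridges whose live sysctl disagrees. The bridge names and sysctl lines below are constructed.

```python
# Added audit helper, not vdsm code. Reports bridges whose
# net.ipv6.conf.<bridge>.disable_ipv6 contradicts the requested IPv6
# configuration (the rule the patch under review implements).
import re

# Matches one "sysctl -a" line for disable_ipv6; bridge names with a '.'
# would be printed by sysctl with '/' and are not handled here.
SYSCTL_RE = re.compile(
    r'^net\.ipv6\.conf\.(?P<iface>[^.]+)\.disable_ipv6\s*=\s*(?P<val>[01])$')


def ipv6_requested(ipv6):
    """True when any IPv6 functionality was asked for on the bridge:
    a static address, SLAAC (ipv6autoconf) or DHCPv6."""
    return bool(ipv6.get('address') or ipv6.get('ipv6autoconf')
                or ipv6.get('dhcpv6'))


def parse_disable_ipv6(sysctl_output):
    """Map interface name -> disable_ipv6 value from 'sysctl -a' lines."""
    values = {}
    for line in sysctl_output.splitlines():
        m = SYSCTL_RE.match(line.strip())
        if m:
            values[m.group('iface')] = int(m.group('val'))
    return values


def audit_bridges(bridges, sysctl_output):
    """Return {bridge: problem} for every bridge whose disable_ipv6
    sysctl does not match its requested IPv6 configuration."""
    observed = parse_disable_ipv6(sysctl_output)
    problems = {}
    for name, ipv6 in bridges.items():
        expected = 0 if ipv6_requested(ipv6) else 1
        actual = observed.get(name)
        if actual is None:
            problems[name] = 'no disable_ipv6 entry (interface missing?)'
        elif actual != expected:
            problems[name] = 'disable_ipv6=%d, expected %d' % (actual, expected)
    return problems


# Constructed sample: 'guestnet' has no IPv6 requested but still allows it.
SAMPLE_BRIDGES = {
    'test-network': {'address': None, 'ipv6autoconf': False, 'dhcpv6': False},
    'ovirtmgmt': {'address': '2001:db8::10/64', 'ipv6autoconf': False,
                  'dhcpv6': False},
    'guestnet': {'address': None, 'ipv6autoconf': False, 'dhcpv6': False},
}
SAMPLE_SYSCTL = """\
net.ipv6.conf.test-network.disable_ipv6 = 1
net.ipv6.conf.ovirtmgmt.disable_ipv6 = 0
net.ipv6.conf.guestnet.disable_ipv6 = 0
net.ipv4.conf.guestnet.forwarding = 1
"""
```

Run against real output with `audit_bridges(bridges, subprocess.check_output(['sysctl', '-a']))`, where `bridges` is built from the host's running network configuration.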
Dan Kenigsberg has posted comments on this change.
Change subject: network: avoid guest-host communication over IPv6 on bridges, unless requested
Patch Set 2: Code-Review+2
Dan Kenigsberg has submitted this change and it was merged.
Change subject: network: avoid guest-host communication over IPv6 on bridges, unless requested
network: avoid guest-host communication over IPv6 on bridges, unless requested
On CentOS/RHEL 7, disable_ipv6=0 is the default so bridges allowed IPv6 traffic even though it was not enabled (by setting a static address or using SLAAC or DHCPv6).
Change-Id: I2314d4bc120c15af44ff9e20c9281ab69c84ad0a
Bug-Url: https://bugzilla.redhat.com/1219363
Signed-off-by: Ondřej Svoboda osvoboda@redhat.com
Reviewed-on: https://gerrit.ovirt.org/43252
Continuous-Integration: Jenkins CI
Reviewed-by: Dan Kenigsberg danken@redhat.com
---
M tests/functional/networkTests.py
M vdsm/network/configurators/ifcfg.py
M vdsm/network/configurators/iproute2.py
3 files changed, 10 insertions(+), 0 deletions(-)
Approvals:
Ondřej Svoboda: Verified
Jenkins CI: Passed CI tests
Dan Kenigsberg: Looks good to me, approved
automation@ovirt.org has posted comments on this change.
Change subject: network: avoid guest-host communication over IPv6 on bridges, unless requested
Patch Set 3:
* Update tracker::#1219363::OK
* Check TR::#1219363::ERROR, 3.6.0 should not match .*
vdsm-patches@lists.fedorahosted.org