diff options
author | Phil Dibowitz <phil@ipom.com> | 2016-10-05 12:40:45 +0200 |
---|---|---|
committer | Lukáš Nykrýn <lnykryn@redhat.com> | 2016-10-10 13:54:54 +0200 |
commit | 432951de1f7f94317ed8c9c713ee4aa8d40d04c3 (patch) | |
tree | a5874d4748a50e1e6bbce0915264d49a3c4e8adc | |
parent | 5b4fe63afd4c36b501782e4cd54454f0d262e097 (diff) | |
download | initscripts-432951de1f7f94317ed8c9c713ee4aa8d40d04c3.tar initscripts-432951de1f7f94317ed8c9c713ee4aa8d40d04c3.tar.gz initscripts-432951de1f7f94317ed8c9c713ee4aa8d40d04c3.tar.bz2 initscripts-432951de1f7f94317ed8c9c713ee4aa8d40d04c3.tar.xz initscripts-432951de1f7f94317ed8c9c713ee4aa8d40d04c3.zip |
Provide a mechanism to prevent network-scripts from messing with sysctls
network-scripts makes odd assumptions, like if I don't want SLAAC (i.e.
if I turn off AUTOCONF) that I also don't want RA. This is not true,
it's common to have a static local address, but to get my gateway
through RA.
This is one solution. I will also be sending a more specific solution to
enable the above directly, but having a way to tell network-scripts
to not mess with systctls seems generally useful.
-rwxr-xr-x | sysconfig/network-scripts/ifdown-ipv6 | 10 | ||||
-rwxr-xr-x | sysconfig/network-scripts/ifup-ipv6 | 21 | ||||
-rwxr-xr-x | sysconfig/network-scripts/init.ipv6-global | 44 |
3 files changed, 42 insertions, 33 deletions
diff --git a/sysconfig/network-scripts/ifdown-ipv6 b/sysconfig/network-scripts/ifdown-ipv6 index d2207b76..f06f56dd 100755 --- a/sysconfig/network-scripts/ifdown-ipv6 +++ b/sysconfig/network-scripts/ifdown-ipv6 @@ -62,10 +62,12 @@ if [ $? != 0 -a $? != 11 ]; then exit 1 fi -# Switch some sysctls to secure mode -/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.forwarding=0 >/dev/null 2>&1 -/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.accept_ra=0 >/dev/null 2>&1 -/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.accept_redirects=0 >/dev/null 2>&1 +if [ ! "$IPV6_SET_SYCTL" = "no" ]; then + # Switch some sysctls to secure mode + /sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.forwarding=0 >/dev/null 2>&1 + /sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.accept_ra=0 >/dev/null 2>&1 + /sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.accept_redirects=0 >/dev/null 2>&1 +fi /sbin/ip link set $DEVICE addrgenmode eui64 >/dev/null 2>&1 # Test status of tun6to4 device diff --git a/sysconfig/network-scripts/ifup-ipv6 b/sysconfig/network-scripts/ifup-ipv6 index 8f740344..296fa77e 100755 --- a/sysconfig/network-scripts/ifup-ipv6 +++ b/sysconfig/network-scripts/ifup-ipv6 @@ -127,10 +127,13 @@ else ipv6_local_accept_ra=0 fi fi -/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.forwarding=$ipv6_local_forwarding >/dev/null 2>&1 -/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.accept_ra=$ipv6_local_accept_ra >/dev/null 2>&1 -/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.accept_redirects=$ipv6_local_auto >/dev/null 2>&1 -/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.autoconf=$ipv6_local_auto >/dev/null 2>&1 + +if [ ! "$IPV6_SET_SYSCTLS" = "no" ]; then + /sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.forwarding=$ipv6_local_forwarding >/dev/null 2>&1 + /sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.accept_ra=$ipv6_local_accept_ra >/dev/null 2>&1 + /sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.accept_redirects=$ipv6_local_auto >/dev/null 2>&1 + /sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.autoconf=$ipv6_local_auto >/dev/null 2>&1 +fi # Set IPv6 MTU, if given if [ -n "$IPV6_MTU" ]; then @@ -146,10 +149,12 @@ fi # Enable IPv6 RFC3041 privacy extensions if desired if [ "$IPV6_PRIVACY" = "rfc3041" ]; then - /sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.use_tempaddr=2 >/dev/null 2>&1 - if [ $? -ne 0 ]; then - net_log $"Cannot enable IPv6 privacy method '$IPV6_PRIVACY', not supported by kernel" - fi + if [ ! "$IPV6_SET_SYSCTLS" = "no" ]; then + /sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.use_tempaddr=2 >/dev/null 2>&1 + if [ $? -ne 0 ]; then + net_log $"Cannot enable IPv6 privacy method '$IPV6_PRIVACY', not supported by kernel" + fi + fi fi # Setup default IPv6 route, check are done by function diff --git a/sysconfig/network-scripts/init.ipv6-global b/sysconfig/network-scripts/init.ipv6-global index da1c1742..fc916e87 100755 --- a/sysconfig/network-scripts/init.ipv6-global +++ b/sysconfig/network-scripts/init.ipv6-global @@ -28,8 +28,6 @@ # IPV6_DEFAULTDEV=<interface> [optional] # - - . /etc/sysconfig/network cd /etc/sysconfig/network-scripts @@ -64,16 +62,18 @@ case $ACTION in fi # Reset IPv6 sysctl switches for "all", "default" and still existing devices - for i in /proc/sys/net/ipv6/conf/* ; do - interface=${i##*/} - sinterface=${interface/.//} - # Host/Router behaviour for the interface - /sbin/sysctl -e -w net.ipv6.conf.$sinterface.forwarding=$ipv6_global_forwarding >/dev/null 2>&1 - - # Autoconfiguration and redirect handling for Hosts - /sbin/sysctl -e -w net.ipv6.conf.$sinterface.accept_ra=$ipv6_global_auto >/dev/null 2>&1 - /sbin/sysctl -e -w net.ipv6.conf.$sinterface.accept_redirects=$ipv6_global_auto >/dev/null 2>&1 - done + if [ ! "$IPV6_SET_SYSCTLS" = "no" ]; then + for i in /proc/sys/net/ipv6/conf/* ; do + interface=${i##*/} + sinterface=${interface/.//} + # Host/Router behaviour for the interface + /sbin/sysctl -e -w net.ipv6.conf.$sinterface.forwarding=$ipv6_global_forwarding >/dev/null 2>&1 + + # Autoconfiguration and redirect handling for Hosts + /sbin/sysctl -e -w net.ipv6.conf.$sinterface.accept_ra=$ipv6_global_auto >/dev/null 2>&1 + /sbin/sysctl -e -w net.ipv6.conf.$sinterface.accept_redirects=$ipv6_global_auto >/dev/null 2>&1 + done + fi ;; post) @@ -131,16 +131,18 @@ case $ACTION in ipv6_test testonly || exit 0 - for i in /proc/sys/net/ipv6/conf/* ; do - interface=${i##*/} - sinterface=${interface/.//} - # Assume Host behaviour - /sbin/sysctl -e -w net.ipv6.conf.$sinterface.forwarding=0 >/dev/null 2>&1 + if [ ! "$IPV6_SET_SYSCTLS" = "no" ]; then + for i in /proc/sys/net/ipv6/conf/* ; do + interface=${i##*/} + sinterface=${interface/.//} + # Assume Host behaviour + /sbin/sysctl -e -w net.ipv6.conf.$sinterface.forwarding=0 >/dev/null 2>&1 - # Disable autoconfiguration and redirects - /sbin/sysctl -e -w net.ipv6.conf.$sinterface.accept_ra=0 >/dev/null 2>&1 - /sbin/sysctl -e -w net.ipv6.conf.$sinterface.accept_redirects=0 >/dev/null 2>&1 - done + # Disable autoconfiguration and redirects + /sbin/sysctl -e -w net.ipv6.conf.$sinterface.accept_ra=0 >/dev/null 2>&1 + /sbin/sysctl -e -w net.ipv6.conf.$sinterface.accept_redirects=0 >/dev/null 2>&1 + done + fi # Cleanup still existing tunnel devices ipv6_cleanup_tunnel_devices |