This is to address: https://bugzilla.redhat.com/show_bug.cgi?id=501934 which allows the guest to DOS the host IPv6 connectivity Daniel commit 763cf06ff76b4ded03a9b577cd8c541729190edc Author: Daniel P. Berrange <berrange@xxxxxxxxxx> Date: Thu Jul 30 16:34:56 2009 +0100 Disable IPv6 on virtual networks If the bridge device is configured to have IPv6 address and accept router advertisments, then a malicious guest can send out bogus advertisments and hijack/DOS host IPv6 connectivity * src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0 for IPv6 sysctl on virual network bridge devices
diff --git a/src/network_driver.c b/src/network_driver.c
index 1683631..eaea454 100644
--- a/src/network_driver.c
+++ b/src/network_driver.c
@@ -788,6 +788,55 @@ networkEnableIpForwarding(void)
 return virFileWriteStr("/proc/sys/net/ipv4/ip_forward", "1\n");
 }
 
+#define SYSCTL_PATH "/proc/sys"
+
+static int networkDisableIPV6(virConnectPtr conn,
+ virNetworkObjPtr network)
+{
+ char *field = NULL;
+ int ret = -1;
+
+ if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/disable_ipv6", network->def->bridge) < 0) {
+ virReportOOMError(conn);
+ goto cleanup;
+ }
+
+ if (virFileWriteStr(field, "1") < 0) {
+ virReportSystemError(conn, errno,
+ _("cannot enable %s"), field);
+ goto cleanup;
+ }
+ VIR_FREE(field);
+
+ if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/accept_ra", network->def->bridge) < 0) {
+ virReportOOMError(conn);
+ goto cleanup;
+ }
+
+ if (virFileWriteStr(field, "0") < 0) {
+ virReportSystemError(conn, errno,
+ _("cannot disable %s"), field);
+ goto cleanup;
+ }
+ VIR_FREE(field);
+
+ if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/autoconf", network->def->bridge) < 0) {
+ virReportOOMError(conn);
+ goto cleanup;
+ }
+
+ if (virFileWriteStr(field, "1") < 0) {
+ virReportSystemError(conn, errno,
+ _("cannot enable %s"), field);
+ goto cleanup;
+ }
+
+ ret = 0;
+cleanup:
+ VIR_FREE(field);
+ return ret;
+}
+
 static int networkStartNetworkDaemon(virConnectPtr conn,
 struct network_driver *driver,
 virNetworkObjPtr network) {
@@ -806,6 +855,9 @@ static int networkStartNetworkDaemon(virConnectPtr conn,
 return -1;
 }
 
+ if (networkDisableIPV6(conn, network) < 0)
+ goto err_delbr;
+
 if (brSetForwardDelay(driver->brctl, network->def->bridge, network->def->delay) < 0)
 goto err_delbr;
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
--
Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
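Review bot: The third sysctl write in networkDisableIPV6 stores `"1"` into `.../conf/%s/autoconf` and reports `_("cannot enable %s")`, but the commit message says autoconf=0 and, alongside disable_ipv6=1 and accept_ra=0, the intent is plainly to turn stateless address autoconfiguration off, so those two lines should read `if (virFileWriteStr(field, "0") < 0) {` and `_("cannot disable %s"), field);`. Separately, every write is treated as fatal, so on a host whose kernel has no IPv6 support (or the module not loaded) the `/proc/sys/net/ipv6/conf/<bridge>/` files will not exist and the new call in networkStartNetworkDaemon (second hunk, whose body continues outside the hunk) will make every virtual network fail to start; a guard that checks for `/proc/sys/net/ipv6` and returns 0 when it is absent would avoid regressing such hosts, assuming virFileWriteStr reports the failure through errno as the error path expects. Finally, the asprintf/write/free sequence is repeated three times with only the sysctl name and value varying; a small `static int networkSetIPv6Sysctl(virConnectPtr conn, const char *bridge, const char *name, const char *value)` helper would reduce the function to three calls and make an inverted value like the one above much easier to spot.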