On Fri, Jul 18, 2008 at 9:05 PM, J. Bruce Fields <bfields@xxxxxxxxxxxx> wrote: > On Mon, Jun 30, 2008 at 06:46:17PM -0400, Chuck Lever wrote: >> My plan is to use an AF_INET listener on systems that support only IPv4, >> and an AF_INET6 listener on systems that can support IPv6. Incoming >> IPv4 packets will be posted to an AF_INET6 listener with a mapped IPv4 >> address. >> >> Max Matveev <makc@xxxxxxx> says: >> Creating a single listener can be dangerous - if net.ipv6.bindv6only >> is enabled then it's possible to create another listener in v4 >> namespace on the same port and steal the traffic from the "unifed" >> listener. You need to disable V6ONLY explicitly via a sockopt to stop >> that. > > Is the V6ONLY option documented anywhere? A quick grep through the > kernel sources and a couple man pages didn't turn up anything. I didn't find anything that documented it, so I based this patch on studying pieces of the IPv6 code that use this flag. It would be worth passing this patch by netdev. >> >> Set appropriate socket option on RPC server listener sockets to prevent >> this. >> >> Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx> >> --- >> >> net/sunrpc/svcsock.c | 12 ++++++++++++ >> 1 files changed, 12 insertions(+), 0 deletions(-) >> >> >> diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c >> index 3e65719..43c21f7 100644 >> --- a/net/sunrpc/svcsock.c >> +++ b/net/sunrpc/svcsock.c >> @@ -1114,6 +1114,7 @@ static struct svc_sock *svc_setup_socket(struct svc_serv *serv, >> struct svc_sock *svsk; >> struct sock *inet; >> int pmap_register = !(flags & SVC_SOCK_ANONYMOUS); >> + int zero = 0; >> >> dprintk("svc: svc_setup_socket %p\n", sock); >> if (!(svsk = kzalloc(sizeof(*svsk), GFP_KERNEL))) { >> @@ -1146,6 +1147,17 @@ static struct svc_sock *svc_setup_socket(struct svc_serv *serv, >> else >> svc_tcp_init(svsk, serv); >> >> + /* >> + * We start one listener per sv_serv. We want AF_INET >> + * requests to be automatically shunted to our AF_INET6 >> + * listener using a mapped IPv4 address. Make sure >> + * no-one starts an equivalent IPv4 listener, which >> + * would steal our incoming connections. >> + */ >> + if (serv->sv_family == AF_INET6) >> + kernel_setsockopt(sock, SOL_IPV6, IPV6_V6ONLY, >> + (char *)&zero, sizeof(zero)); >> + >> dprintk("svc: svc_setup_socket created %p (inet %p)\n", >> svsk, svsk->sk_sk); >> >> >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in >> the body of a message to majordomo@xxxxxxxxxxxxxxx >> More majordomo info at http://vger.kernel.org/majordomo-info.html > -- > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- "Alright guard, begin the unnecessarily slow-moving dipping mechanism." --Dr. Evil -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html