On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote:
> so as discussed recently having the inet6 link-local addrs on every
> interface by default is stupid and a security risk.
>
> this diff fixes that. well, really two independent parts.
> one: set the NOINET6 flag by default on each and every interface.
> two: implement "ifconfig <if> +inet6" to turn inet6 on and assign
> the link-local addr.
>
> this should be transparent for almost all real use cases of inet6
> since assigning any inet6 address also resets the flag (and ll is
> assigned then as well).
> lo0 still gets its ::1 and fe80::1%lo0 by default.
>
> the only use case that needs config adoption: people ONLY using
> link-local, they will need to put +inet6 in the corresponding
> hostname.if file.
>
> ok?
To be honest the right fix would be to get rid of IFXF_NOINET6 and
just make it the default. There is no need for such a flag anymore.
> Index: sys/net/if.c
> ===================================================================
> RCS file: /cvs/src/sys/net/if.c,v
> retrieving revision 1.288
> diff -u -p -r1.288 if.c
> --- sys/net/if.c 13 May 2014 14:33:25 -0000 1.288
> +++ sys/net/if.c 14 May 2014 21:03:45 -0000
> @@ -429,6 +429,9 @@ if_attach(struct ifnet *ifp)
> #else
> TAILQ_INSERT_TAIL(&ifnet, ifp, if_list);
> #endif
> +#ifdef INET6
> + ifp->if_xflags |= IFXF_NOINET6;
> +#endif
>
> m_clinitifp(ifp);
>
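Review bot: the flag is set here unconditionally for every interface that passes through if_attach(), yet the cover letter says lo0 still gets ::1 and fe80::1%lo0 by default; nothing in this hunk exempts lo0 or clears the flag again, so a comment above `ifp->if_xflags |= IFXF_NOINET6;` (or a sentence in the commit message) should say where lo0's addresses are assigned and the flag reset, otherwise a reader of if_attach() alone concludes lo0 is inet6-disabled too. The `#ifdef INET6` guard keeps the write out of kernels built without INET6, which is correct.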
> Index: sbin/ifconfig/ifconfig.8
> ===================================================================
> RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v
> retrieving revision 1.241
> diff -u -p -r1.241 ifconfig.8
> --- sbin/ifconfig/ifconfig.8 22 Apr 2014 10:11:32 -0000 1.241
> +++ sbin/ifconfig/ifconfig.8 13 May 2014 14:58:58 -0000
> @@ -283,8 +283,12 @@ Disable
> on the given interface and remove all configured
> .Xr inet6 4
> addresses, including the link-local ones.
> -To turn it on again, assign any inet6 address or run
> +To turn it on again, use +inet6, assign any inet6 address or run
> .Xr rtsol 8 .
> +.It +inet6
> +Enable
> +.Xr inet6 4
> +and assign a link local address if the interface doesn't have one yet.
> .It Cm instance Ar minst
> Set the media instance to
> .Ar minst .
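Review bot: the new `.It +inet6` entry is missing the `Cm` macro that the neighbouring `.It Cm instance Ar minst` uses, so it will render differently from the other commands; make it `.It Cm +inet6` and mark up the in-text mention as `.Cm +inet6` rather than bare `+inet6`. Two smaller points: the existing text three lines above spells it "link-local" while the new line says "link local", so keep the hyphen; and "if the interface doesn't have one yet" promises a check that the ifconfig.c hunk below does not visibly perform, so either point at where that check happens or soften the wording.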
> Index: sbin/ifconfig/ifconfig.c
> ===================================================================
> RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
> retrieving revision 1.283
> diff -u -p -r1.283 ifconfig.c
> --- sbin/ifconfig/ifconfig.c 12 May 2014 08:47:37 -0000 1.283
> +++ sbin/ifconfig/ifconfig.c 13 May 2014 14:56:25 -0000
> @@ -412,6 +412,7 @@ const struct cmd {
> { "-flowdst", 1, 0, unsetpflow_receiver },
> { "pflowproto", NEXTARG, 0, setpflowproto },
> { "-inet6", IFXF_NOINET6, 0, setifxflags } ,
> + { "+inet6", 0, 0, setia6eui64 },
> { "keepalive", NEXTARG2, 0, NULL, setkeepalive },
> { "-keepalive", 1, 0, unsetkeepalive },
> { "add", NEXTARG, 0, bridge_add },
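Review bot: the `+inet6` entry routes to setia6eui64 with a zero flag argument, so the table alone no longer tells a reader what the command does; the real behaviour lives in a string compare inside that function (second hunk). A one-line comment on this entry, or a small dedicated handler that clears IFXF_NOINET6 and then calls setia6eui64, would keep the table self-describing and mirror the `-inet6` entry just above, which goes through setifxflags directly.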
> @@ -1310,7 +1311,9 @@ setia6eui64(const char *cmd, int val)
> const struct in6_addr *lladdr = NULL;
> struct in6_addr *in6;
>
> - if (afp->af_af != AF_INET6)
> + if (!strcmp(cmd, "+inet6"))
> + setifxflags("inet6", -IFXF_NOINET6);
> + else if (afp->af_af != AF_INET6)
> errx(1, "%s not allowed for the AF", cmd);
> in6 = (struct in6_addr *)&in6_addreq.ifra_addr.sin6_addr;
> if (memcmp(&in6addr_any.s6_addr[8], &in6->s6_addr[8], 8) != 0)
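Review bot: the `+inet6` branch replaces the address-family check instead of adding to it: when cmd is "+inet6" the `else if (afp->af_af != AF_INET6)` test is skipped and execution continues into the EUI-64 code that writes through in6_addreq, regardless of which address family is currently selected. Keep the AF check unconditional (or select inet6 explicitly before proceeding) so `+inet6` cannot run the inet6-only path under another family. Two smaller points: the negative `-IFXF_NOINET6` passed to setifxflags relies on the sign convention of that helper, which deserves a comment here since the `-inet6` table entry passes the positive value; and the man page says the link-local address is assigned only if the interface lacks one, but nothing in this hunk checks for an existing link-local, so either that happens in the kernel once the flag is cleared (say so in a comment) or the manual text needs correcting.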
>
>
>
> --
> Henning Brauer, [email protected], [email protected]
> BS Web Services GmbH, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/
>
--
:wq Claudio