Merge "Add IPv6 disable option"

2017-04-12 16:39:47 +00:00 · 2017-04-12 16:39:47 +00:00 · 2f230e0775
parent af4f4caf70 d22484d389
commit 2f230e0775
2 changed files with 15 additions and 0 deletions
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@ -22,6 +22,10 @@ parameters:
    default: 1048576
    description: Configures sysctl kernel.pid_max key
    type: number
+  KernelDisableIPv6:
+    default: 0
+    description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
+    type: number

 outputs:
  role_data:
@ -57,6 +61,10 @@ outputs:
            value: 500000
          net.netfilter.nf_conntrack_max:
            value: 500000
+          net.ipv6.conf.default.disable_ipv6:
+            value: {get_param: KernelDisableIPv6}
+          net.ipv6.conf.all.disable_ipv6:
+            value: {get_param: KernelDisableIPv6}
          # prevent neutron bridges from autoconfiguring ipv6 addresses
          net.ipv6.conf.all.accept_ra:
            value: 0
--- a/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml
+++ b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml
@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Add IPv6 disable option and make it configurable for user to disable IPv6
+    when it's not used, this will descrease the risk of ipv6 attack.
+    Both net.ipv6.conf.default.disable_ipv6 & net.ipv6.conf.all.disable_ipv6
+    will be explicitly set to the default value (0) which is enabled.