Merge "Add IPv6 disable option"
commit
2f230e0775
@ -22,6 +22,10 @@ parameters:
default: 1048576
description: Configures sysctl kernel.pid_max key
type: number
KernelDisableIPv6:
default: 0
description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
type: number
outputs:
role_data:
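Review bot: KernelDisableIPv6 is declared as a bare `type: number` with no constraint, so any numeric value is passed through to the sysctl keys; disable_ipv6 is a 0/1 switch, so constrain the parameter to those two values (for example an allowed_values constraint of [0, 1]). The description also writes the key as net.ipv6.{default/all}.disable_ipv6, dropping the `conf` component that the keys set in the outputs section carry, and it does not say that 1 is the value that disables IPv6.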
@ -57,6 +61,10 @@ outputs:
value: 500000
net.netfilter.nf_conntrack_max:
value: 500000
net.ipv6.conf.default.disable_ipv6:
value: {get_param: KernelDisableIPv6}
net.ipv6.conf.all.disable_ipv6:
value: {get_param: KernelDisableIPv6}
# prevent neutron bridges from autoconfiguring ipv6 addresses
net.ipv6.conf.all.accept_ra:
value: 0
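Review bot: Both net.ipv6.conf.default.disable_ipv6 and net.ipv6.conf.all.disable_ipv6 take `{get_param: KernelDisableIPv6}` with no guard, so a value of 1 turns IPv6 off on every interface, loopback included, even in a deployment whose networks use IPv6. State that in the parameter description or add a validation against it. The two new keys also have no comment explaining why they are set, unlike the accept_ra entry that follows them; a one-line comment above them would match the file's style.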
@ -0,0 +1,7 @@
---
security:
- |
Add IPv6 disable option and make it configurable for user to disable IPv6
when it's not used, this will descrease the risk of ipv6 attack.
Both net.ipv6.conf.default.disable_ipv6 & net.ipv6.conf.all.disable_ipv6
will be explicitly set to the default value (0) which is enabled.
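Review bot: The release note never names the KernelDisableIPv6 parameter, so an operator reading it cannot tell what to set; name it and state that 1 disables IPv6. The phrase "the default value (0) which is enabled" is ambiguous between the option being enabled and IPv6 being enabled; say that 0 leaves IPv6 enabled. "descrease" in the second line should be "decrease".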