Add IPv6 disable option

This will give user the ability to set these values, if IPv6 is not to be used, it's recommended that it be disabled to reduce the attack surface of the system. Change-Id: Ib3142cce49b93a421ca142a59961ce49a77e66b1 Co-Authored-By: Luke Hinds <lhinds@redhat.com> Signed-off-by: zshi <zshi@redhat.com>
2017-04-06 18:11:26 +08:00 · 2017-04-06 18:11:26 +08:00 · d22484d389
parent e10ddcc3d2
commit d22484d389
2 changed files with 15 additions and 0 deletions
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@ -22,6 +22,10 @@ parameters:
    default: 1048576
    description: Configures sysctl kernel.pid_max key
    type: number
+  KernelDisableIPv6:
+    default: 0
+    description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
+    type: number

 outputs:
  role_data:
@ -57,6 +61,10 @@ outputs:
            value: 500000
          net.netfilter.nf_conntrack_max:
            value: 500000
+          net.ipv6.conf.default.disable_ipv6:
+            value: {get_param: KernelDisableIPv6}
+          net.ipv6.conf.all.disable_ipv6:
+            value: {get_param: KernelDisableIPv6}
          # prevent neutron bridges from autoconfiguring ipv6 addresses
          net.ipv6.conf.all.accept_ra:
            value: 0
--- a/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml
+++ b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml
@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Add IPv6 disable option and make it configurable for user to disable IPv6
+    when it's not used, this will descrease the risk of ipv6 attack.
+    Both net.ipv6.conf.default.disable_ipv6 & net.ipv6.conf.all.disable_ipv6
+    will be explicitly set to the default value (0) which is enabled.