[libvirt] PATCH: Disable IPv6 on virtual network bridges

Daniel P. Berrange berrange at redhat.com
Thu Jul 30 15:37:35 UTC 2009


This is to address:

  https://bugzilla.redhat.com/show_bug.cgi?id=501934

which allows the guest to DOS the host IPv6 connectivity

Daniel

commit 763cf06ff76b4ded03a9b577cd8c541729190edc
Author: Daniel P. Berrange <berrange at redhat.com>
Date:   Thu Jul 30 16:34:56 2009 +0100

    Disable IPv6 on virtual networks
    
    If the bridge device is configured to have an IPv6 address and
    accept router advertisements, then a malicious guest can send
    out bogus advertisements and hijack/DOS host IPv6 connectivity
    
    * src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0
      for IPv6 sysctl on virtual network bridge devices

diff --git a/src/network_driver.c b/src/network_driver.c
index 1683631..eaea454 100644
--- a/src/network_driver.c
+++ b/src/network_driver.c
@@ -788,6 +788,55 @@ networkEnableIpForwarding(void)
     return virFileWriteStr("/proc/sys/net/ipv4/ip_forward", "1\n");
 }
 
+#define SYSCTL_PATH "/proc/sys"
+
+static int networkDisableIPV6(virConnectPtr conn,
+                              virNetworkObjPtr network)
+{
+    char *field = NULL;
+    int ret = -1;
+
+    if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/disable_ipv6", network->def->bridge) < 0) {
+        virReportOOMError(conn);
+        goto cleanup;
+    }
+
+    if (virFileWriteStr(field, "1") < 0) {
+        virReportSystemError(conn, errno,
+                             _("cannot enable %s"), field);
+        goto cleanup;
+    }
+    VIR_FREE(field);
+
+    if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/accept_ra", network->def->bridge) < 0) {
+        virReportOOMError(conn);
+        goto cleanup;
+    }
+
+    if (virFileWriteStr(field, "0") < 0) {
+        virReportSystemError(conn, errno,
+                             _("cannot disable %s"), field);
+        goto cleanup;
+    }
+    VIR_FREE(field);
+
+    if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/autoconf", network->def->bridge) < 0) {
+        virReportOOMError(conn);
+        goto cleanup;
+    }
+
+    if (virFileWriteStr(field, "1") < 0) {
+        virReportSystemError(conn, errno,
+                             _("cannot enable %s"), field);
+        goto cleanup;
+    }
+
+    ret = 0;
+cleanup:
+    VIR_FREE(field);
+    return ret;
+}
+
 static int networkStartNetworkDaemon(virConnectPtr conn,
                                    struct network_driver *driver,
                                    virNetworkObjPtr network) {
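Review bot: The third write in networkDisableIPV6 sets autoconf to "1", which leaves stateless address autoconfiguration enabled on the bridge, while the commit message says autoconf=0 and the surrounding error text says "cannot enable"; the line should be `if (virFileWriteStr(field, "0") < 0) {` with `_("cannot disable %s"), field);`, otherwise the bridge can still pick up an address from a guest-originated prefix even with accept_ra=0. The values are also written without the trailing newline that networkEnableIpForwarding uses ("1\n" on the context line above); procfs appears to accept both, but the two functions should agree. The path-build / write / report / free sequence is triplicated and differs only in the leaf name and value, so a helper removes the repetition and makes the intended value for each knob visible in one place.
```c
/* Write value to /proc/sys/net/ipv6/conf/<bridge>/<leaf>; reports and returns -1 on failure. */
static int networkSetIPV6Sysctl(virConnectPtr conn,
                                virNetworkObjPtr network,
                                const char *leaf,
                                const char *value)
{
    char *field = NULL;
    int ret = -1;

    if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/%s",
                    network->def->bridge, leaf) < 0) {
        virReportOOMError(conn);
        goto cleanup;
    }

    if (virFileWriteStr(field, value) < 0) {
        virReportSystemError(conn, errno,
                             _("cannot set %s to %s"), field, value);
        goto cleanup;
    }

    ret = 0;
cleanup:
    VIR_FREE(field);
    return ret;
}

static int networkDisableIPV6(virConnectPtr conn,
                              virNetworkObjPtr network)
{
    /* disable_ipv6=1 turns IPv6 off on the bridge; accept_ra=0 and autoconf=0
     * additionally ensure guest-sent router advertisements cannot reconfigure it. */
    if (networkSetIPV6Sysctl(conn, network, "disable_ipv6", "1") < 0 ||
        networkSetIPV6Sysctl(conn, network, "accept_ra", "0") < 0 ||
        networkSetIPV6Sysctl(conn, network, "autoconf", "0") < 0)
        return -1;
    return 0;
}
```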
@@ -806,6 +855,9 @@ static int networkStartNetworkDaemon(virConnectPtr conn,
         return -1;
     }
 
+    if (networkDisableIPV6(conn, network) < 0)
+        goto err_delbr;
+
     if (brSetForwardDelay(driver->brctl, network->def->bridge, network->def->delay) < 0)
         goto err_delbr;
 
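Review bot: The new networkDisableIPV6 call is fatal for network start, so a host on which the /proc/sys/net/ipv6 tree is absent (IPv6 not loaded or not built in — inferred, the hunk does not show which hosts provide these files) would now fail to start every virtual network right after the bridge is created; if that is not intended, the write failure should be tolerated when errno is ENOENT, since a missing IPv6 stack is exactly the state the sysctls are meant to produce. A short why-comment above the call would also help the next reader: `/* Harden the bridge before bringing it up so guest RAs cannot reconfigure host IPv6 (bz 501934) */`. networkStartNetworkDaemon begins in the previous hunk and its body continues past this one, so the err_delbr path it jumps to is not visible here.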


-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|



