From: Daniel P. Berrange
Date: Thu, 30 Jul 2009 15:34:56 +0000 (+0100)
Subject: Disable IPv6 on virtual networks
X-Git-Tag: v0.7.0~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=651153216b7109db45000f2e2ac53709e5572dda;p=thirdparty%2Flibvirt.git

Disable IPv6 on virtual networks

If the bridge device is configured to have IPv6 address and accept router advertisments, then a malicious guest can send out bogus advertisments and hijack/DOS host IPv6 connectivity

* src/network_driver.c: Set accept_ra=0, disable_ipv6=1, autoconf=0 for IPv6 sysctl on virual network bridge devices
---

diff --git a/src/network_driver.c b/src/network_driver.c
index 1683631dda..eaea454143 100644
--- a/src/network_driver.c
+++ b/src/network_driver.c
@@ -788,6 +788,55 @@ networkEnableIpForwarding(void)
 return virFileWriteStr("/proc/sys/net/ipv4/ip_forward", "1\n");
 }
 
+#define SYSCTL_PATH "/proc/sys"
+
+static int networkDisableIPV6(virConnectPtr conn,
+ virNetworkObjPtr network)
+{
+ char *field = NULL;
+ int ret = -1;
+
+ if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/disable_ipv6", network->def->bridge) < 0) {
+ virReportOOMError(conn);
+ goto cleanup;
+ }
+
+ if (virFileWriteStr(field, "1") < 0) {
+ virReportSystemError(conn, errno,
+ _("cannot enable %s"), field);
+ goto cleanup;
+ }
+ VIR_FREE(field);
+
+ if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/accept_ra", network->def->bridge) < 0) {
+ virReportOOMError(conn);
+ goto cleanup;
+ }
+
+ if (virFileWriteStr(field, "0") < 0) {
+ virReportSystemError(conn, errno,
+ _("cannot disable %s"), field);
+ goto cleanup;
+ }
+ VIR_FREE(field);
+
+ if (virAsprintf(&field, SYSCTL_PATH "/net/ipv6/conf/%s/autoconf", network->def->bridge) < 0) {
+ virReportOOMError(conn);
+ goto cleanup;
+ }
+
+ if (virFileWriteStr(field, "1") < 0) {
+ virReportSystemError(conn, errno,
+ _("cannot enable %s"), field);
+ goto cleanup;
+ }
+
+ ret = 0;
+cleanup:
+ VIR_FREE(field);
+ return ret;
+}
+
 static int networkStartNetworkDaemon(virConnectPtr conn,
 struct network_driver *driver,
 virNetworkObjPtr network) {
@@ -806,6 +855,9 @@ static int networkStartNetworkDaemon(virConnectPtr conn,
 return -1;
 }
 
+ if (networkDisableIPV6(conn, network) < 0)
+ goto err_delbr;
+
 if (brSetForwardDelay(driver->brctl, network->def->bridge, network->def->delay) < 0)
 goto err_delbr;
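Review bot: The third sysctl write in networkDisableIPV6 stores `"1"` into `.../conf/%s/autoconf`, which turns address autoconfiguration on rather than off, contradicting the commit description (autoconf=0) and the stated goal of not letting a guest's router advertisements shape the host bridge's addressing; the paired error string "cannot enable %s" shows the same inversion. The two lines should read `if (virFileWriteStr(field, "0") < 0) {` and `_("cannot disable %s"), field);`, matching the accept_ra block just above. With disable_ipv6=1 written first the practical exposure is presumably limited, but the committed value is the opposite of what the message promises and a later reader will trust the message. The call site for this function is in the second hunk.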
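Review bot: The new `networkDisableIPV6` call makes bridge start fail whenever the sysctl write fails, and on a kernel built without IPv6 the `/proc/sys/net/ipv6/conf/<bridge>` tree does not exist, so the first virFileWriteStr would presumably fail with ENOENT and every virtual network would stop starting on such hosts. Treating an absent IPv6 sysctl tree as "nothing to disable" inside networkDisableIPV6, e.g. `if (access(SYSCTL_PATH "/net/ipv6", R_OK) < 0) return 0;` before the first virAsprintf, keeps the hardening on IPv6-capable hosts without regressing the others. Whether a missing directory surfaces as an error here depends on virFileWriteStr, which is outside the hunk, so this should be confirmed against that helper. networkStartNetworkDaemon continues past the end of the hunk.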