commit b5d94be6d1d4e05296ea0d57aaf9a66de5711ab5
Author: Dan Sneddon <email address hidden>
Date: Wed Oct 12 12:38:21 2016 -0700

Disable IPv6 RAs & Autoconf For All (Not Just Default)

The current kernel sysctl settings modify the
net.ipv6.conf.default.accept_ra and net.ipv6.conf.default.autoconf
to both be '0'. However, this is overridden by the settings in
net.ipv6.conf.all, so no matter what setting is in the ifcfg file
for the IPv6 interface, autoconfiguration and accept_ra will be
enabled. This causes a security vulnerability where rogue RAs
could be used to intercept traffic from the controllers.

This change sets both default and all settings to '0' for IPv6
accept_ra and autoconf.

Closes-Bug: 1632830
Change-Id: I95b86c5c6feed30dfa5103ffbddb9e85ac567bbb
(cherry picked from commit 4eacf4179d03cd2102cac4abf14e80eae440c2d3)

Reviewed: https://review.openstack.org/386201
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b5d94be6d1d4e05296ea0d57aaf9a66de5711ab5
Submitter: Jenkins
Branch: stable/newton
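
An added example, not part of the commit or of the tripleo-heat-templates project: a shell check that reads accept_ra and autoconf for the all, default and every per-interface entry and reports any value that is not 0. The function names, the fixture helper and the eth0 interface are assumptions, and the two sample trees are constructed.

```shell
#!/bin/sh
# Added example: audit IPv6 RA acceptance and autoconf for every conf entry.
# The default root is the live kernel tree; another root can be passed so the
# check can be exercised against a constructed fixture.

audit_ipv6_ra() {
    root="${1:-/proc/sys/net/ipv6/conf}"
    [ -d "$root" ] || { echo "ERROR no such tree: $root"; return 2; }
    findings=0
    # "$root"/* covers all, default and every per-interface directory.
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        entry=${dir##*/}
        for key in accept_ra autoconf; do
            if [ ! -r "$dir/$key" ]; then
                echo "UNKNOWN $entry $key (unreadable)"
                findings=$((findings + 1))
                continue
            fi
            value=$(cat "$dir/$key")
            if [ "$value" != "0" ]; then
                echo "FAIL $entry $key=$value"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

# Constructed fixture (hypothetical helper): writes a fake conf tree.
# Usage: make_fixture DIR ALL_VALUE  -> all=ALL_VALUE, default=0, eth0=0
make_fixture() {
    for entry in all default eth0; do
        mkdir -p "$1/$entry"
        v=0
        [ "$entry" = "all" ] && v="$2"
        echo "$v" > "$1/$entry/accept_ra"
        echo "$v" > "$1/$entry/autoconf"
    done
}

tmp=$(mktemp -d)
make_fixture "$tmp/before" 1   # only default set to 0, as before the change
make_fixture "$tmp/after" 0    # default and all set to 0, as after the change
audit_ipv6_ra "$tmp/before" || echo "before: non-zero settings remain"
audit_ipv6_ra "$tmp/after" && echo "after: all entries are 0"
rm -rf "$tmp"
```

Called with no argument, `audit_ipv6_ra` reads the running host's `/proc/sys/net/ipv6/conf` tree and exits non-zero if any entry still has a non-zero value.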