Bug#507788: sysctl and modules

2008-12-05 Thread Bernhard R. Link
I'd like to note two things to this bug:

1) moving sysctl invocation later might open some subtle problems.
For example moving things like net.ipv4.conf.all.accept_redirects = 0
after network initialisation might open up a window for attacks.
Or some of the arp related stuff, that might break in more complex
settings when in the short time the wrong packets are received.

2) ipv6 is not the only thing that needs the module loaded first.
For example when doing an nfs4 mount, you might need to set the
tcp callback port. But you need to set it before mounting (as otherwise
the mount will not use it, and perhaps even fail due to some firewalls),
but usually the nfs module is only loaded in the init.d script also
doing the mount, so /proc/sys/fs/nfs/nfs_callback_tcpport does not exist
before, so currently you have to add nfs to /etc/modules so you can
set that value in sysctl.conf, so you get a working mount despite the
over-zealous firewalls.

While the best solution would of course be some mechanism to load the
appropriate modules for a needed file, the lack of some usable catalog
for that most likely will not make that very scalable.

Another way would be to just add an additional construct so that with
something like

!modprobe nfs
or
!modprobe ipv6

in sysctl config files will modprobe the appropriate module before
continuing.

Of course for the ipv6 problems this bug report is about, adding a
comment that the ipv6 module is to be listed in /etc/modules might
also be considered a fix in some way.

Respectfully,
Bernhard R. Link



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
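As an added illustration of the ordering problem in point 2 (not code from the thread, from sysctl or from Debian): a dry-run processor for a sysctl.conf that honours the `!modprobe` directive proposed above and reports which keys would fail because their /proc/sys file does not exist until the module is loaded. It runs against a scratch directory standing in for /proc/sys, with a constructed stand-in for modprobe and constructed config values (the port number is a placeholder).

```python
import os
import tempfile

def key_to_path(key, root="/proc/sys"):
    """sysctl(8) rule: a '/' in the key is the separator and dots stay literal
    (names like eth0.100); otherwise every '.' becomes a path component."""
    rel = key.strip("/") if "/" in key else key.replace(".", "/")
    return os.path.join(root, rel)

def plan_sysctl_conf(text, root="/proc/sys", modprobe=None):
    """Dry-run a sysctl.conf. '!modprobe NAME' is the syntax proposed in the
    thread (hypothetical): call modprobe(NAME) before the keys that follow.
    Returns (status, key, value): 'set' if the /proc/sys file exists, else 'missing'."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("!modprobe "):
            if modprobe is not None:
                modprobe(line.split(None, 1)[1].strip())
            continue
        key, sep, value = line.partition("=")
        status = "set" if os.path.isfile(key_to_path(key.strip(), root)) else "missing"
        out.append((status, key.strip(), value.strip()))
    return out

def fake_modprobe(root):
    """Constructed stand-in for modprobe: creates the /proc/sys entries under root."""
    provides = {"nfs": ["fs/nfs/nfs_callback_tcpport"],
                "ipv6": ["net/ipv6/conf/all/autoconf"]}
    def load(module):
        for rel in provides.get(module, []):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            open(os.path.join(root, rel), "w").close()
    return load

# Constructed sample; the port value is a placeholder, not from the thread.
SAMPLE_CONF = """net.ipv4.conf.all.accept_redirects = 0
fs.nfs.nfs_callback_tcpport = 32764
!modprobe nfs
fs.nfs.nfs_callback_tcpport = 32764
!modprobe ipv6
net.ipv6.conf.all.autoconf = 0
"""

def demo():
    # Scratch root with only the built-in ipv4 key present, as at early boot.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "net/ipv4/conf/all"))
        open(os.path.join(root, "net/ipv4/conf/all/accept_redirects"), "w").close()
        return plan_sysctl_conf(SAMPLE_CONF, root, fake_modprobe(root))
```

The first nfs key is reported missing because it precedes `!modprobe nfs`; the same key after the directive, and the ipv6 key after `!modprobe ipv6`, are reported as set.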



Bug#507788: sysctl and modules

2008-12-05 Thread martin f krafft
thus spake Bernhard R. Link [EMAIL PROTECTED] [2008.12.05.1207 +0100]:
> 1) moving sysctl invocation later might open some subtle
> problems. For example moving things like
> net.ipv4.conf.all.accept_redirects = 0 after network
> initialisation might open up a window for attacks.

The key you mention should thus be disabled by default, ideally in
the kernel. Same goes for all other settings that have no real-world
use anymore.

> Or some of the arp related stuff, that might break in more complex
> settings when in the short time the wrong packets are received.

Like what?

-- 
 .''`.   martin f. krafft [EMAIL PROTECTED]
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems




Bug#507788: sysctl and modules

2008-12-05 Thread Didier Raboud
On Friday 5 December 2008 12:07:41, Bernhard R. Link, you wrote:
> (…)
>
> Of course for the ipv6 problems this bug report is about, adding a
> comment that the ipv6 module is to be listed in /etc/modules might
> also be considered a fix in some way.

> Respectfully,
>   Bernhard R. Link

Hi, tested this:

# cat ipv6 >> /etc/modules
# reboot

with net.ipv6.conf.all.autoconf=0 in /etc/sysctl.conf

It worked. BUT eth0 went autoconfigured, and for some reason:

$ cat /proc/sys/net/ipv6/conf/all/autoconf
0
$ cat /proc/sys/net/ipv6/conf/eth0/autoconf
1

Putting net.ipv6.conf.eth0.autoconf=0 in /etc/sysctl.conf solves 'my' problem.

Still… Weird.

-- 
OdyX, Didier Raboud, proud Debian user.
CH-1802 Corseaux
[EMAIL PROTECTED]




Bug#507788: sysctl and modules

2008-12-05 Thread Craig Small
On Fri, Dec 05, 2008 at 12:39:29PM +0100, Didier Raboud wrote:
> It worked. BUT eth0 went autoconfigured, and for some reason:
>
> $ cat /proc/sys/net/ipv6/conf/all/autoconf
> 0
> $ cat /proc/sys/net/ipv6/conf/eth0/autoconf

I'm a little fuzzy on what the all does, but here goes:
  all means all interfaces I have NOW
  default means all interfaces I will have LATER

I think; hence, for some, if they are using default and we shift the
runlevel to 40, it will break things.

I'm sure it all makes fabulous sense to someone in kernel-land :)
 - Craig

-- 
Craig Small  GnuPG:1C1B D893 1418 2AF4 45EE  95CB C76C E5AC 12CA DFA5
http://www.enc.com.au/ csmall at : enc.com.au
http://www.debian.org/  Debian GNU/Linux, software should be Free 






Bug#507788: sysctl and modules

2008-12-05 Thread Bernhard R. Link
* martin f krafft [EMAIL PROTECTED] [081205 12:20]:
> > Or some of the arp related stuff, that might break in more complex
> > settings when in the short time the wrong packets are received.
>
> Like what?

arp_ignore settings might be a case. As far as I understand it, Linux
will answer on every interface to arp requests for every other interface
it has, while arp_ignore changes this.
Thus not setting this option early enough opens a tiny timeframe in
which arp replies might be generated that are not wanted.
Such settings might be rare, but they are obviously not too rare for
these options to be in the kernel.
Also, usually in most cases a short window where such bad responses could
be generated would not make that much of a difference, but if it belongs to
the beginning of a connection that could cause a connection refused,
which could cause some things to give up.
Or it might cause a dhcp server to think an address is already in use
and suddenly give some host another IP than usual, and things like that.

All such situations are rare, as having multiple nets with the same IP
addresses or over-zealous arp watchers in them is not very common. But
this is only one of many options and means that something else might have
some effects, too.

I do not think it will affect more than 1% of people, and even those
it affects might not have significant problems, but it has effects and
those are hard to predict, and when they happen they might be very hard to
track down because of being a race condition.

Respectfully,
Bernhard R. Link






Bug#507788: sysctl and modules

2008-12-05 Thread Bernhard R. Link
* Didier Raboud [EMAIL PROTECTED] [081205 12:48]:
> It worked. BUT eth0 went autoconfigured, and for some reason:
>
> $ cat /proc/sys/net/ipv6/conf/all/autoconf
> 0
> $ cat /proc/sys/net/ipv6/conf/eth0/autoconf
> 1
>
> Putting net.ipv6.conf.eth0.autoconf=0 in /etc/sysctl.conf solves 'my' problem.
>
> Still… Weird.

What value is in /proc/sys/net/ipv6/conf/default/autoconf ?

Respectfully,
Bernhard R. Link


