Bug#968712: sysctl.conf: IPv6 accept_redirect not honored

2020-08-20 Thread Craig Small
reassign 968712 linux-signed-amd64
retitle 968712 IPv6 default accept_redirect not honoured
thankyou

Hi,
  This isn't a procps bug for two reasons.
1) It looks like you are using systemd, so the program doing the
changes would be systemd-sysctl
2) Either program merely writes the value to the "default" or "all"
sysctl file; it's not sysctl's job to transfer it to the relevant
interface.

I've re-assigned it to the kernel, because that's where the copying occurs.

On Fri, 21 Aug 2020 at 00:15, Testinstall wrote:
> c) Check the values in /proc - some interfaces are still 1 (some real 
> interfaces, not just loopback).
$ for f in /proc/sys/net/ipv6/conf/*/accept_redirects; do echo -n "$f="; cat "$f"; done
/proc/sys/net/ipv6/conf/all/accept_redirects=0
/proc/sys/net/ipv6/conf/default/accept_redirects=0
/proc/sys/net/ipv6/conf/eno1/accept_redirects=1
/proc/sys/net/ipv6/conf/lo/accept_redirects=1
/proc/sys/net/ipv6/conf/virbr0/accept_redirects=0
/proc/sys/net/ipv6/conf/virbr0-nic/accept_redirects=0
/proc/sys/net/ipv6/conf/wlo1/accept_redirects=0

Breaking this down:
The first two lines are zero, that's the entire job of sysctl or
systemd-sysctl done.

The interfaces except eno1 and lo have 0; this is expected behaviour.

eno1 and lo have 1; this is not expected.

Oddly enough it seems they won't ever change, maybe by design?

# echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects
# cat /proc/sys/net/ipv6/conf/eno1/accept_redirects
1
# echo 1 > /proc/sys/net/ipv6/conf/all/accept_redirects
# echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects
# cat /proc/sys/net/ipv6/conf/eno1/accept_redirects
1

Directly writing to it makes it work.

# echo 0 > /proc/sys/net/ipv6/conf/eno1/accept_redirects
# cat /proc/sys/net/ipv6/conf/eno1/accept_redirects
0



Bug#968712: sysctl.conf: IPv6 accept_redirect not honored

2020-08-20 Thread Testinstall
Package: procps
Version: 2:3.3.15-2
Severity: important
Tags: ipv6 security

Dear maintainers,

on a fresh Debian stable (or sid) install, with a PC with one or more (wired)
LAN interfaces, I can see the following behaviour:

a) In /etc/sysctl.conf, set
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

b) Reboot

c) Check the values in /proc - some interfaces are still 1 (some real 
interfaces, not just loopback).

While nowadays it's not a "big" security risk for most people, this still is
an undesirable security problem, and might hint at a larger problem around
sysctl settings in IPv6.

For IPv4, everything seems to work fine (except loopback stays 1 there too, but 
that's expected I think).

Thank you 


-- System Information:
Debian Release: 10.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-10-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages procps depends on:
ii  init-system-helpers  1.56+nmu1
ii  libc6                2.28-10
ii  libncurses6          6.1+20181013-2+deb10u2
ii  libncursesw6         6.1+20181013-2+deb10u2
ii  libprocps7           2:3.3.15-2
ii  libtinfo6            6.1+20181013-2+deb10u2
ii  lsb-base             10.2019051400

Versions of packages procps recommends:
pn  psmisc  

procps suggests no packages.

-- no debconf information
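The check in step c) of the report, and the manual per-interface write that Craig shows working, can be turned into a small audit-and-remediate script. The script below is an added example written for this page, not code from either participant or from procps/systemd. It takes the conf tree root as an argument so the same function can be exercised against a constructed copy of the values reported above (the `make_fake_tree` helper builds that copy); the function names `audit_accept_redirects`, `fix_accept_redirects` and `make_fake_tree` are assumptions, and the mirrored-from-the-thread values are constructed test data, not live output.

```shell
#!/bin/sh
# Added example (not part of the bug thread): compare every per-interface
# IPv6 accept_redirects knob against the "all" knob, and optionally copy the
# "all" value into the interfaces that disagree, which is what the thread
# shows working when done by hand for eno1.

# Print "iface=value (all=want)" for each interface whose accept_redirects
# differs from conf/all. The "all" and "default" entries are skipped because
# they are the knobs being compared against, not interfaces.
# Returns 0 when every interface matches, 1 on any mismatch, 2 on read error.
audit_accept_redirects() {
    base="${1:-/proc/sys/net/ipv6/conf}"
    want=$(cat "$base/all/accept_redirects") || return 2
    mismatch=0
    for f in "$base"/*/accept_redirects; do
        iface=$(basename "$(dirname "$f")")
        case "$iface" in all|default) continue ;; esac
        have=$(cat "$f") || return 2
        if [ "$have" != "$want" ]; then
            echo "$iface=$have (all=$want)"
            mismatch=1
        fi
    done
    return $mismatch
}

# Write the conf/all value into every interface that still disagrees with it.
# On a live host this needs root, since /proc/sys is only writable by root.
fix_accept_redirects() {
    base="${1:-/proc/sys/net/ipv6/conf}"
    want=$(cat "$base/all/accept_redirects") || return 2
    for f in "$base"/*/accept_redirects; do
        iface=$(basename "$(dirname "$f")")
        case "$iface" in all|default) continue ;; esac
        [ "$(cat "$f")" = "$want" ] || echo "$want" > "$f"
    done
    return 0
}

# Constructed test data: a directory tree shaped like /proc/sys/net/ipv6/conf
# carrying the exact values quoted in the thread (all/default 0, eno1/lo 1).
make_fake_tree() {
    root="$1"
    for i in all default eno1 lo virbr0 virbr0-nic wlo1; do
        mkdir -p "$root/$i"
    done
    for i in all default virbr0 virbr0-nic wlo1; do
        echo 0 > "$root/$i/accept_redirects"
    done
    for i in eno1 lo; do
        echo 1 > "$root/$i/accept_redirects"
    done
}

# Run against the live kernel tree only when explicitly asked, e.g.
#   sh audit.sh --live        (report only)
#   sudo sh audit.sh --fix    (report, then copy the "all" value down)
case "${1:-}" in
    --live) audit_accept_redirects ;;
    --fix)  audit_accept_redirects; fix_accept_redirects ;;
esac
```

The audit exits non-zero on any mismatch, so it can be dropped into a post-boot check or a configuration-management run; the `--fix` path is the scripted equivalent of the `echo 0 > /proc/sys/net/ipv6/conf/eno1/accept_redirects` shown above and is a workaround for the symptom, not a fix for the kernel-side propagation the bug was reassigned for.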