so as discussed recently having the inet6 link-local addrs on every interface by default is stupid and a security risk.
this diff fixes that. well, really two independent parts. one: set the NOINET6 flag by default on each and every interface. two: implement "ifconfig <if> +inet6" to turn inet6 on and assign the link-local addr. this should be transparent for almost all real use cases of inet6 since assigning any inet6 address also resets the flag (and ll is assigned then as well). lo0 still gets its ::1 and fe80::1%lo0 by default. the only use case that needs config adoption: people ONLY using link-local, they will need to put +inet6 in the corresponding hostname.if file. ok?
Index: sys/net/if.c =================================================================== RCS file: /cvs/src/sys/net/if.c,v retrieving revision 1.288 diff -u -p -r1.288 if.c --- sys/net/if.c 13 May 2014 14:33:25 -0000 1.288 +++ sys/net/if.c 14 May 2014 21:03:45 -0000 @@ -429,6 +429,9 @@ if_attach(struct ifnet *ifp) #else TAILQ_INSERT_TAIL(&ifnet, ifp, if_list); #endif +#ifdef INET6 + ifp->if_xflags |= IFXF_NOINET6; +#endif m_clinitifp(ifp); Index: sbin/ifconfig/ifconfig.8 =================================================================== RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v retrieving revision 1.241 diff -u -p -r1.241 ifconfig.8 --- sbin/ifconfig/ifconfig.8 22 Apr 2014 10:11:32 -0000 1.241 +++ sbin/ifconfig/ifconfig.8 13 May 2014 14:58:58 -0000 
@@ -283,8 +283,12 @@ Disable on the given interface and remove all configured .Xr inet6 4 addresses, including the link-local ones. -To turn it on again, assign any inet6 address or run +To turn it on again, use +inet6, assign any inet6 address or run .Xr rtsol 8 . +.It +inet6 +Enable +.Xr inet6 4 +and assign a link local address if the interface doesn't have one yet. .It Cm instance Ar minst Set the media instance to .Ar minst . Index: sbin/ifconfig/ifconfig.c =================================================================== RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v retrieving revision 1.283 diff -u -p -r1.283 ifconfig.c --- sbin/ifconfig/ifconfig.c 12 May 2014 08:47:37 -0000 1.283 +++ sbin/ifconfig/ifconfig.c 13 May 2014 14:56:25 -0000 @@ -412,6 +412,7 @@ const struct cmd { { "-flowdst", 1, 0, unsetpflow_receiver }, { "pflowproto", NEXTARG, 0, setpflowproto }, { "-inet6", IFXF_NOINET6, 0, setifxflags } , + { "+inet6", 0, 0, setia6eui64 }, { "keepalive", NEXTARG2, 0, NULL, setkeepalive }, { "-keepalive", 1, 0, unsetkeepalive }, { "add", NEXTARG, 0, bridge_add }, @@ -1310,7 +1311,9 @@ setia6eui64(const char *cmd, int val) const struct in6_addr *lladdr = NULL; struct in6_addr *in6; - if (afp->af_af != AF_INET6) + if (!strcmp(cmd, "+inet6")) + setifxflags("inet6", -IFXF_NOINET6); + else if (afp->af_af != AF_INET6) errx(1, "%s not allowed for the AF", cmd); in6 = (struct in6_addr *)&in6_addreq.ifra_addr.sin6_addr; if (memcmp(&in6addr_any.s6_addr[8], &in6->s6_addr[8], 8) != 0) -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
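Review bot: the if.c hunk sets IFXF_NOINET6 unconditionally for every interface in if_attach(), so the claim in the mail that lo0 still gets ::1 and fe80::1%lo0 by default relies on the loopback setup clearing the flag again when it assigns ::1 (the mail says any inet6 address assignment resets it); that path is not in this diff, so it is worth verifying that lo0 still comes up with both addresses after the change. A one-line comment next to the new `ifp->if_xflags |= IFXF_NOINET6;` saying that inet6 is now opt-in per interface would also help the next reader, since nothing in if_attach() otherwise hints at the policy.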
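Review bot: in the ifconfig.8 hunk the new list entry is `.It +inet6`, while the neighbouring entry in the same hunk is `.It Cm instance Ar minst`; it should be `.It Cm +inet6`, and the bare `+inet6` in the rewritten sentence "To turn it on again, use +inet6, assign any inet6 address or run" wants `.Cm +inet6` as well so it renders like the other commands. Two wording nits in the added text: "link local address" should be hyphenated to match "including the link-local ones" two lines above, and mdoc style prefers "does not" over "doesn't".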
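Review bot: the command-table hunk wires `+inet6` to setia6eui64() with a zero argument and then relies on that function recognising its own name by string comparison; the existing entry one line above already shows the direct form, `{ "-inet6", IFXF_NOINET6, 0, setifxflags }`, so `{ "+inet6", -IFXF_NOINET6, 0, setifxflags }` would clear the flag without any special case, which is exactly the call the setia6eui64() hunk ends up making (`setifxflags("inet6", -IFXF_NOINET6)`). As a nit, the `-inet6` context line carries a stray space before the comma in `} ,`; since the line next to it is being touched anyway, it could be tidied in the same commit.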
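Review bot: in the setia6eui64() hunk, after the new `if (!strcmp(cmd, "+inet6"))` branch clears the flag, control falls through to `in6 = (struct in6_addr *)&in6_addreq.ifra_addr.sin6_addr;` and the memcmp against in6addr_any, i.e. into the EUI-64 interface-identifier logic that `+inet6` does not need and that was previously guarded by the `afp->af_af != AF_INET6` check; the `+inet6` case should return (or live in its own handler) before that code runs. Note also that nothing in this hunk assigns a link-local address; the man page's promise that `+inet6` assigns one therefore depends on the kernel doing it when IFXF_NOINET6 is cleared via setifxflags(), which the diff should state explicitly or cover with a test on a down interface as well as an up one.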