On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote:
> so as discussed recently having the inet6 link-local addrs on every
> interface by default is stupid and a security risk.
>
> this diff fixes that. well, really two independent parts.
> one: set the NOINET6 flag by default on each and every interface.
> two: implement "ifconfig <if> +inet6" to turn inet6 on and assign
> the link-local addr.
>
> this should be transparent for almost all real use cases of inet6
> since assigning any inet6 address also resets the flag (and ll is
> assigned then as well).
> lo0 still gets its ::1 and fe80::1%lo0 by default.
>
> the only use case that needs config adoption: people ONLY using
> link-local, they will need to put +inet6 in the corresponding
> hostname.if file.
>
> ok?
To be honest the right fix would be to get rid of IFXF_NOINET6 and just make it the default. There is no need for such a flag anymore. > Index: sys/net/if.c > =================================================================== > RCS file: /cvs/src/sys/net/if.c,v > retrieving revision 1.288 > diff -u -p -r1.288 if.c > --- sys/net/if.c 13 May 2014 14:33:25 -0000 1.288 > +++ sys/net/if.c 14 May 2014 21:03:45 -0000 > @@ -429,6 +429,9 @@ if_attach(struct ifnet *ifp) > #else > TAILQ_INSERT_TAIL(&ifnet, ifp, if_list); > #endif > +#ifdef INET6 > + ifp->if_xflags |= IFXF_NOINET6; > +#endif > > m_clinitifp(ifp); > > Index: sbin/ifconfig/ifconfig.8 > =================================================================== > RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v > retrieving revision 1.241 > diff -u -p -r1.241 ifconfig.8 > --- sbin/ifconfig/ifconfig.8 22 Apr 2014 10:11:32 -0000 1.241 > +++ sbin/ifconfig/ifconfig.8 13 May 2014 14:58:58 -0000 > @@ -283,8 +283,12 @@ Disable > on the given interface and remove all configured > .Xr inet6 4 > addresses, including the link-local ones. > -To turn it on again, assign any inet6 address or run > +To turn it on again, use +inet6, assign any inet6 address or run > .Xr rtsol 8 . > +.It +inet6 > +Enable > +.Xr inet6 4 > +and assign a link local address if the interface doesn't have one yet. > .It Cm instance Ar minst > Set the media instance to > .Ar minst . > Index: sbin/ifconfig/ifconfig.c > =================================================================== > RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v > retrieving revision 1.283 > diff -u -p -r1.283 ifconfig.c > --- sbin/ifconfig/ifconfig.c 12 May 2014 08:47:37 -0000 1.283 > +++ sbin/ifconfig/ifconfig.c 13 May 2014 14:56:25 -0000 
> @@ -412,6 +412,7 @@ const struct cmd { > { "-flowdst", 1, 0, unsetpflow_receiver }, > { "pflowproto", NEXTARG, 0, setpflowproto }, > { "-inet6", IFXF_NOINET6, 0, setifxflags } , > + { "+inet6", 0, 0, setia6eui64 }, > { "keepalive", NEXTARG2, 0, NULL, setkeepalive }, > { "-keepalive", 1, 0, unsetkeepalive }, > { "add", NEXTARG, 0, bridge_add }, > @@ -1310,7 +1311,9 @@ setia6eui64(const char *cmd, int val) > const struct in6_addr *lladdr = NULL; > struct in6_addr *in6; > > - if (afp->af_af != AF_INET6) > + if (!strcmp(cmd, "+inet6")) > + setifxflags("inet6", -IFXF_NOINET6); > + else if (afp->af_af != AF_INET6) > errx(1, "%s not allowed for the AF", cmd); > in6 = (struct in6_addr *)&in6_addreq.ifra_addr.sin6_addr; > if (memcmp(&in6addr_any.s6_addr[8], &in6->s6_addr[8], 8) != 0) > > > > -- > Henning Brauer, h...@bsws.de, henn...@openbsd.org > BS Web Services GmbH, http://bsws.de, Full-Service ISP > Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully > Managed > Henning Brauer Consulting, http://henningbrauer.com/ > -- :wq Claudio
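Review bot: the if_attach() hunk in sys/net/if.c sets IFXF_NOINET6 on every interface as it attaches, lo0 included, and nothing in the diff exempts lo0; the cover letter's "lo0 still gets its ::1 and fe80::1%lo0 by default" therefore has to come from the ::1 assignment at boot clearing the flag again (the letter says assigning any inet6 address resets it). That dependency deserves a sentence in the commit message. It also shows that, with this hunk in, the flag only ever encodes "no inet6 address has been configured on this interface yet", which is the state Claudio suggests should simply be the default rather than a stored flag.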
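Review bot: in the ifconfig.8 hunk the new list entry should use the same macros as its neighbours: `.It Cm +inet6` rather than `.It +inet6` (compare `.It Cm instance Ar minst` right below it), and "use +inet6" in the amended sentence should be marked up with `.Cm +inet6` instead of plain text. The description also says "link local" where the paragraph just above writes "link-local", and man page style avoids the contraction "doesn't". Suggested: `and assign a link-local address if the interface does not have one yet.`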
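Review bot: the command-table hunk in ifconfig.c routes `+inet6` through setia6eui64 with a value of 0, so the eui64 handler is now reached for a keyword that is not about EUI-64 interface identifiers, and the real dispatch happens on a strcmp of the command name inside that handler. A dedicated handler, or a table entry that mirrors the `{ "-inet6", IFXF_NOINET6, 0, setifxflags }` line directly above it with the negated flag value, would keep the table self-describing and avoid the special case in setia6eui64.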
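Review bot: in the setia6eui64() hunk the `+inet6` branch calls setifxflags("inet6", -IFXF_NOINET6) and then falls through into the EUI-64 code that follows, starting with the `memcmp(&in6addr_any.s6_addr[8], &in6->s6_addr[8], 8)` check on in6_addreq; if the link-local assignment is meant to come from the kernel once the flag is cleared (which is what the man page text says), the `+inet6` case should return right after setifxflags() instead of continuing, otherwise `+inet6` given together with an address that already carries an interface identifier will be rejected by a check that was written for the eui64 keyword. If the fallthrough is intentional, please say so in a comment.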