Implemented: V-38548.
This patch disables the ICMPv6 redirects feature on the host. Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required. It is configurable by the ``security_disable_icmpv6_redirects`` variable. This feature is disabled by default.

Change-Id: I12049973d351aee76b95153779c6545e4c7cf00c
parent fb33be7e68
commit 31823b7647
@ -215,6 +215,7 @@ security_disable_module_tipc: yes # V-38517
|
||||
security_disable_module_usb_storage: no # V-38490
|
||||
security_disable_icmpv4_redirects: no # V-38524
|
||||
security_disable_icmpv4_redirects_secure: no # V-38526
|
||||
security_disable_icmpv6_redirects: no # V-38548
|
||||
#
|
||||
# ** DANGER **
|
||||
# It's strongly recommended to fully understand the effects of changing the
|
||||
|
@ -1,4 +1,15 @@
|
||||
**Exception**
|
||||
**Opt-in required**
|
||||
|
||||
Disabling IPv6 redirects can cause issues with OpenStack environments which
|
||||
have IPv6 enabled and are routing IPv6 traffic.
|
||||
Accepting ICMP redirects has few legitimate uses. It should be disabled unless
|
||||
it is absolutely required.
|
||||
|
||||
It is configurable by ``security_disable_icmpv6_redirects`` variable. This
|
||||
feature is disabled by default. Disabling IPv6 redirects can cause issues with
|
||||
OpenStack environments which have IPv6 enabled and are routing IPv6 traffic.
|
||||
|
||||
Deployers can opt-in to this change and disable ICMPv6 redirects by setting
|
||||
the following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_disable_icmpv6_redirects: yes
|
||||
|
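Review bot: "This feature is disabled by default" in the documentation text of this hunk is ambiguous, since it can be read as ICMPv6 redirects being disabled by default when it is the hardening task that is off (``security_disable_icmpv6_redirects: no``). Suggest wording such as "The task that disables ICMPv6 redirects is not applied by default". The sentence about OpenStack environments routing IPv6 traffic also appears twice in this hunk as rendered; if both copies are in the new text, drop one.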
8
releasenotes/notes/adding-v38548-9c51b30bf9780ff3.yaml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
A new task was added to disable ICMPv6 redirects per the requirements in
|
||||
V-38548. However, since this change can cause problems in running OpenStack
|
||||
environments, it is disabled by default. Deployers who wish to enable this
|
||||
task (and disable ICMPv6 redirects) should set
|
||||
``security_disable_icmpv6_redirects`` to ``yes``.
|
@ -208,3 +208,15 @@
|
||||
- kernel
|
||||
- cat2
|
||||
- V-38526
|
||||
|
||||
- name: V-38548 - The system must ignore ICMPv6 redirects by default
|
||||
sysctl:
|
||||
name: net.ipv6.conf.all.accept_redirects
|
||||
value: 0
|
||||
state: present
|
||||
sysctl_set: yes
|
||||
when: security_disable_icmpv6_redirects | bool
|
||||
tags:
|
||||
- kernel
|
||||
- cat2
|
||||
- V-38548
|
||||
|
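Review bot: the task is named "The system must ignore ICMPv6 redirects by default" but sets only ``net.ipv6.conf.all.accept_redirects``; ``net.ipv6.conf.default.accept_redirects``, the value that interfaces created later inherit, is left untouched. Suggest setting the ``default`` key as well (or instead, if that is the key V-38548 checks), under the same ``when: security_disable_icmpv6_redirects | bool`` condition and tags.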