Bernhard R. Link | 5 Dec 12:05

Bug#507788: sysctl and modules

I'd like to note two things to this bug:

1) moving sysctl invocation later might open some subtle problems.
For example moving things like net.ipv4.conf.all.accept_redirects = 0
after network initialisation might open up a window for attacks.
Or some of the arp related stuff, that might break in more complex
settings when in the short time the wrong packets are received.

2) ipv6 is not the only thing that needs the module loaded first.
For example when doing an nfs4 mount, you might need to set the
tcp callback port. But you need to set it before mounting (as otherwise
the mount will not use it, and perhaps even fail due to some firewalls)
but usually the nfs module is only loaded in the init.d script also
doing the mount, so /proc/sys/fs/nfs/nfs_callback_tcpport does not exist
before, so currently you have to add nfs to /etc/modules and so you can
set that value in sysctl.conf, so you get a working mount despite of the
over-zealous firewalls.

While the best solution would of course be some mechanism to load the
appropriate modules for a needed file, the lack of some usable catalog
for that most likely will not make that very scalable.

Another way would be to just add an additional construct so that with
something like

!modprobe nfs
or
!modprobe ipv6

in sysctl config files will modprobe the appropriate module before
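An added example of the `!modprobe` idea sketched above, written for this page and not taken from the bug report or from Debian's procps sysctl init script: a small POSIX sh interpreter for a sysctl.conf-style file that loads the named module before the keys that follow it. The `!modprobe <module>` line is the proposal's hypothetical syntax, which sysctl(8) itself does not accept; the sample configuration, the callback port value and the `/`-separator convention for dotted interface names (eth0.100) are this example's own choices.

```sh
#!/bin/sh
# Added example: a dry-run/apply interpreter for a sysctl.conf-style file
# with the hypothetical "!modprobe <module>" directive proposed in the
# thread.  Not Debian's sysctl init script; sysctl(8) itself does not
# accept "!modprobe".
#
#   apply_sysctl_conf FILE plan    print the ordered actions, touch nothing
#   apply_sysctl_conf FILE apply   modprobe and write /proc/sys (as root)

key_to_path() {
    # This example's convention: a key containing '/' uses '/' as the
    # separator with dots taken literally (net/ipv4/conf/eth0.100/rp_filter);
    # otherwise every '.' becomes a path component.
    case $1 in
        */*) printf '/proc/sys/%s\n' "$1" ;;
        *)   printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)" ;;
    esac
}

apply_sysctl_conf() {
    file=$1
    mode=${2:-plan}
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # drop comments
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$line" ] || continue
        case $line in
            '!modprobe'*)
                mod=$(printf '%s' "${line#\!modprobe}" | sed 's/^[[:space:]]*//')
                [ -n "$mod" ] || { printf 'missing module name: %s\n' "$line" >&2; return 1; }
                if [ "$mode" = apply ]; then
                    modprobe "$mod" || return 1
                fi
                printf 'modprobe %s\n' "$mod"
                ;;
            *=*)
                key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
                val=$(printf '%s' "${line#*=}"  | sed 's/^[[:space:]]*//')
                path=$(key_to_path "$key")
                if [ "$mode" = apply ]; then
                    # A missing file here is the thread's symptom: the module
                    # that provides the key is not loaded yet.
                    [ -e "$path" ] || { printf 'no such key (module not loaded?): %s\n' "$path" >&2; return 1; }
                    printf '%s\n' "$val" > "$path" || return 1
                fi
                printf 'write %s %s\n' "$path" "$val"
                ;;
            *)
                printf 'unparsable line: %s\n' "$line" >&2
                return 1
                ;;
        esac
    done < "$file"
}

# Constructed sample configuration (illustrative values, not a
# recommendation); shown in plan mode so the script runs as any user.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
!modprobe nfs                       # load nfs so fs.nfs.* exists
fs.nfs.nfs_callback_tcpport = 32765
!modprobe ipv6
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0
EOF
apply_sysctl_conf "$SAMPLE_CONF" plan
rm -f "$SAMPLE_CONF"
```

Order matters on purpose: the interpreter processes the file top to bottom, so the `!modprobe nfs` line must precede `fs.nfs.nfs_callback_tcpport`, and in `apply` mode a key whose /proc/sys file is still absent aborts the run rather than being silently skipped.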

martin f krafft | 5 Dec 12:20

Bug#507788: sysctl and modules

also sprach Bernhard R. Link <brlink <at> debian.org> [2008.12.05.1207 +0100]:
> 1) moving sysctl invocation later might open some subtle
> problems. For example moving things like
> net.ipv4.conf.all.accept_redirects = 0 after network
> initialisation might open up a window for attacks.

The key you mention should thus be disabled by default, ideally in
the kernel. Same goes for all other settings that have no real-world
use anymore.

> Or some of the arp related stuff, that might break in more complex
> settings when in the short time the wrong packets are received.

Like what?

-- 
 .''`.   martin f. krafft <madduck <at> debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems
Bernhard R. Link | 5 Dec 13:48

Bug#507788: sysctl and modules

* martin f krafft <madduck <at> debian.org> [081205 12:20]:
> > Or some of the arp related stuff, that might break in more complex
> > settings when in the short time the wrong packets are received.
>
> Like what?

arp_ignore settings might be a case. As far as I do understand it, Linux
will answer on every interface to arp requests of every other interface
it has while arp_ignore changes this.
Thus not setting this option early enough opens a tiny timeframe in
which arp requests might be generated that are not wanted.
Such settings might be rare, but they are obviously not too rare for
these options to be in the kernel.
Also usually in most cases a short window where such bad responses could
be generated would not make that much of a difference, but if it belongs to
the beginning of a connection that could cause a connection refused
that could cause some things to give up.
Or it might cause a dhcp server to think an address is already in use
and suddenly give some host another IP than usual and things like that.

All such situations are rare, as having multiple nets with the same IP
addresses or over-zealous arp watchers in them is not very common. But
this is only one of many options and means that something else might have
some effects, too.

I do not think it will affect more than 1% of people and even those
it affects might not have significant problems, but it has effects and
those are hard to predict and when they happen they might be very hard to
track down because of being a race condition.


Didier Raboud | 5 Dec 12:39

Bug#507788: sysctl and modules

On Friday 5 December 2008 12:07:41 Bernhard R. Link, you wrote:
> (…)
> 
> Of course for the ipv6 problems this bugreport is about, adding a
> comment that the ipv6 module is to be listed in /etc/modules might
> also be considered a "fix" in some way.
>
> Respectfully,
> 	Bernhard R. Link

Hi, tested this:

# echo ipv6 >> /etc/modules
# reboot

with net.ipv6.conf.all.autoconf=0 in /etc/sysctl.conf

It worked. BUT eth0 went autoconfigured and for some reason :

$ cat /proc/sys/net/ipv6/conf/all/autoconf
0
$ cat /proc/sys/net/ipv6/conf/eth0/autoconf
1

Putting net.ipv6.conf.eth0.autoconf=0 in /etc/sysctl.conf solves 'my' problem.

Still… Weird.

-- 
OdyX, Didier Raboud, proud Debian user.

Craig Small | 5 Dec 12:59

Bug#507788: sysctl and modules

On Fri, Dec 05, 2008 at 12:39:29PM +0100, Didier Raboud wrote:
> It worked. BUT eth0 went autoconfigured and for some reason :
> 
> $ cat /proc/sys/net/ipv6/conf/all/autoconf
> 0
> $ cat /proc/sys/net/ipv6/conf/eth0/autoconf

I'm a little fuzzy on what the all does, but here goes:
  all means "all interfaces I have NOW"
  default means "all interfaces I will have LATER"

I think, hence for some if they are using default and we shift the
runlevel to 40 it will break things.

I'm sure it all makes fabulous sense to someone in kernel-land :)
 - Craig

-- 
Craig Small      GnuPG:1C1B D893 1418 2AF4 45EE  95CB C76C E5AC 12CA DFA5
http://www.enc.com.au/                             csmall at : enc.com.au
http://www.debian.org/          Debian GNU/Linux, software should be Free 


Bernhard R. Link | 5 Dec 14:30

Bug#507788: sysctl and modules

* Didier Raboud <didier <at> raboud.com> [081205 12:48]:
> It worked. BUT eth0 went autoconfigured and for some reason :
> 
> $ cat /proc/sys/net/ipv6/conf/all/autoconf
> 0
> $ cat /proc/sys/net/ipv6/conf/eth0/autoconf
> 1
> 
> Putting net.ipv6.conf.eth0.autoconf=0 in /etc/sysctl.conf solves 'my' problem.
> 
> Still… Weird.

What value is in /proc/sys/net/ipv6/conf/default/autoconf ?

Respectfully,
	Bernhard R. Link

