Date: Thu, 25 Apr 2019 22:34:24 +0200
From: Willy Tarreau
To: Marco Davids
Cc: linux-kernel@vger.kernel.org
Subject: Re: How to turn off IPv4 without disabling IPv6
Message-ID: <20190425203424.GA14855@1wt.eu>
In-Reply-To: <85740792-d244-ba03-3e72-fb576ddcb7dc@forfun.net>

On Thu, Apr 25, 2019 at 06:42:52PM +0200, Marco Davids wrote:
> Op Thu, Apr 25, 2019 at 13:22, Nico Schottelius wrote:
> > if I cannot turn off IPv4, I cannot test what needs to be fixed.
>
> You know what? I actually agree with Nico on this.
>
> It's 2019 and the adoption of IPv6 is actually gaining momentum (at last).
>
> This is absolutely the time to seriously start thinking about unbundling
> IP-stacks the kernel, so that IPv4 can be truly disabled at compile time.
>
> That will allow for further testing and fixes, just as Nico suggests.

While I can understand the value in doing this, I think that there's much
more value in being able to disable it at run time, precisely because if
you have to reboot to a different kernel for each and every minor
application issue you meet, it will take ages before you converge to
something usable.

Probably that for such tests instead you should use a sysctl to allow/deny
IPv4 socket creation. It should be more than enough for program validation.
Something like the following code (not even compile-tested) could possibly
be sufficient.

Just my two cents,
Willy

------------- diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index 104a666..aa9ac80 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h
@@ -83,6 +83,8 @@ struct netns_ipv4 { struct xt_table *nat_table; #endif + int sysctl_disable; + int sysctl_icmp_echo_ignore_all; int sysctl_icmp_echo_ignore_broadcasts; int sysctl_icmp_ignore_bogus_error_responses; diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index eab3ebd..0784c41 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -255,6 +255,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, int try_loading_module = 0; int err; + if (net->ipv4.sysctl_disable) + return -EAFNOSUPPORT; + if (protocol < 0 || protocol >= IPPROTO_MAX) return -EINVAL; diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c index eeb4041..73a7ead 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c @@ -555,6 +555,13 @@ static struct ctl_table ipv4_table[] = { static struct ctl_table ipv4_net_table[] = { { + .procname = "disable", + .data = &init_net.ipv4.sysctl_disable, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec + }, + { .procname = "icmp_echo_ignore_all", .data = &init_net.ipv4.sysctl_icmp_echo_ignore_all, .maxlen = sizeof(int),
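Review bot: in the include/net/netns/ipv4.h hunk the new member is named `sysctl_disable` with no hint of what it disables, while every neighbouring member (`sysctl_icmp_echo_ignore_all`, `sysctl_icmp_echo_ignore_broadcasts`, ...) names its subject; a name such as `sysctl_disable_socket_create` would tell a reader that only new socket creation is refused, not existing sockets or forwarding. The matching entry in Documentation/networking/ip-sysctl.txt is also missing, and that is where users would learn the knob's exact scope.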
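Review bot: the `if (net->ipv4.sysctl_disable) return -EAFNOSUPPORT;` check in the net/ipv4/af_inet.c hunk sits at the top of `inet_create()`, which is the `PF_INET` create handler for kernel-internal sockets (`sock_create_kern()`) as well as for user `socket(2)` calls, so setting the sysctl also breaks in-kernel IPv4 users in that namespace; if userland validation is the goal, `inet_create()`'s `kern` argument can exempt kernel callers. The changelog should also state that an `AF_INET6` socket can still reach IPv4 peers through v4-mapped addresses unless `IPV6_V6ONLY` / `bindv6only` is in effect, so the knob exercises a program's handling of `EAFNOSUPPORT` rather than the absence of IPv4 connectivity.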
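Review bot: the net/ipv4/sysctl_net_ipv4.c hunk uses `.proc_handler = proc_dointvec` for `disable`, so any integer can be written to `net.ipv4.disable` even though the field is only ever tested for non-zero; a 0/1 flag should use `proc_dointvec_minmax` with `.extra1`/`.extra2` bounds so that a write of 42 is rejected rather than silently meaning 1. The rest of the entry (`.data = &init_net.ipv4.sysctl_disable`, `.mode = 0644`) matches the neighbouring `icmp_echo_ignore_all` entry and will be relocated per namespace like the others, but `disable` is a rather bare file name under /proc/sys/net/ipv4/.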
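As an added example of the program-validation use the sysctl is meant for (my code, not Willy's patch or anything from the kernel tree): a dual-stack client that treats EAFNOSUPPORT from socket(2) as "move on to the next family", which is what an application should do once the proposed net.ipv4.disable knob (name taken from the patch) refuses AF_INET sockets. It assumes a Linux host; the preference list is constructed for the demo.

```c
/* Added example (not from the patch or the kernel tree): the userland view
 * of the proposed net.ipv4.disable knob.  Once set, socket(AF_INET, ...)
 * fails with EAFNOSUPPORT, which a dual-stack program must treat as "skip
 * this family", not as a fatal error.  The family list is constructed for
 * the demo; a real client would take it from getaddrinfo(AF_UNSPEC). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* 0 if a stream socket of this family can be created, else the errno. */
int probe_family(int family)
{
    int fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Tries the families in preference order; returns the index of the first
 * usable one, or -1.  EAFNOSUPPORT is what the patched inet_create() hands
 * back when the sysctl is set, so it is the expected "switched off" signal;
 * any other error is reported and the family is skipped as well. */
int select_family(const int *families, int n)
{
    for (int i = 0; i < n; i++) {
        int err = probe_family(families[i]);
        if (err == 0)
            return i;
        fprintf(stderr, "family %d unusable: %s%s\n", families[i],
                strerror(err), err == EAFNOSUPPORT ? " (disabled)" : "");
    }
    return -1;
}

int main(void)
{
    int prefs[] = { AF_INET6, AF_INET };   /* constructed: prefer IPv6 */
    int idx = select_family(prefs, 2);
    if (idx < 0) {
        fprintf(stderr, "no usable address family\n");
        return 1;
    }
    printf("using family %d\n", prefs[idx]);
    return 0;
}
```

With the knob set, the AF_INET probe reports "(disabled)" and the client carries on with AF_INET6 instead of aborting, which is the behaviour the sysctl is meant to verify.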