On Jun 28, 8:06pm, ***@fz-juelich.de (Matthias Drochner) wrote:
-- Subject: Re: tcpdrop vs ipv6

| ***@astron.com said:
| > I don't think that this is needed since the v4 sysctl node should be
| > able to handle v6.
|
| Yes, but since seperate sysctl nodes are created, I assumed
| this was on purpose.
|
| There is some code in sysctl_net_inet_tcp_ident():
| pf = name[-3];
| [...]
| if (pf != sa[0].ss_family [...]
| which enforces that the AF in the sysctl mib matches
| the pf in the socket addresses. It might be sufficient to just
| replace that by something like
| pf = sa[0].ss_family
|
| > The kernel
| > support for v6 is there, but I am not sure if it deals with scoped
| > addresses.
|
| The scope information is not passed to inet6_ident_core().
| I've tried with my patch: global addresses work, link-local not.

Ok, I see. I will fix the userland portion. Anon Ymous is looking at
the scoped address issue.

christos

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

IMO, it is desirable (also, harmless and unsurprising) to enforce this.
We may in the future want to restrict processes to operating on a subset
of the sysctl tree. If a process may rely on the PF_INET sysctl sub-tree
to kill PF_INET6 sockets, then when I give a process the privilege to
read/write the net.inet.tcp sub-tree, I cannot help but grant it the
privilege to kill both IPv6 and IPv4 connections, which may defeat my
purpose in restricting the privileges of the process. I am concerned
with running processes with least privileges, you see.

Dave