in learning mode I frequently find role definitions with role attribute like
role_allow_ip 127.0.0.6
when in fact I have logged in via IPv6. Is this the way how a policy can express this (until proper IPv6 addressing is introduced)?
Regards
role_allow_ip 127.0.0.6 ?
2 posts
• Page 1 of 1
role_allow_ip 127.0.0.6 ?
by countermode » Sat Apr 12, 2014 7:26 pm
Hello,
in learning mode I frequently find role definitions with role attribute like
when in fact I have logged in via IPv6. Is this the way how a policy can express this (until proper IPv6 addressing is introduced)?
Regards
in learning mode I frequently find role definitions with role attribute like
when in fact I have logged in via IPv6. Is this the way how a policy can express this (until proper IPv6 addressing is introduced)?
Regards
- countermode
- Posts: 27
- Joined: Mon Sep 16, 2013 6:59 pm
Re: role_allow_ip 127.0.0.6 ?
by christian. » Thu Nov 06, 2014 4:28 pm
Hey there,
had the same question, and found my answer with a bit of kernel code surfing.
It doesn't matter if you connect locally [::1] or remotely, the source IPv4 is always "127.0.0.6" if you actually connect via IPv6.
Though this is not the doing of Grsecurity. You can see the definition of the constant LOOPBACK4_IPV6 in the kernel tree and that it is set as the IPv4 source address when a IPv6 connection are established (for example in "/usr/src/linux/net/ipv6/tcp_ipv6.c")
So to answer your question: Probably the way to go until IPv6 is supported, since that constant is in the kernel source code for a long time now -- at least 9 years ...
Bye, Christian
had the same question, and found my answer with a bit of kernel code surfing.
It doesn't matter if you connect locally [::1] or remotely, the source IPv4 is always "127.0.0.6" if you actually connect via IPv6.
Though this is not the doing of Grsecurity. You can see the definition of the constant LOOPBACK4_IPV6 in the kernel tree and that it is set as the IPv4 source address when a IPv6 connection are established (for example in "/usr/src/linux/net/ipv6/tcp_ipv6.c")
So to answer your question: Probably the way to go until IPv6 is supported, since that constant is in the kernel source code for a long time now -- at least 9 years ...
Bye, Christian
- christian.
- Posts: 4
- Joined: Sun Dec 02, 2012 10:41 am
2 posts
• Page 1 of 1