grsecurity forums

Are there plans to support IPv6 in grsec ?

For role_allow_ip, bind, connect, logging etc.

For example, I have in my policy following for some subject:

Code: Select all

bind 0.0.0.0/32:0 dgram udp
connect 192.168.200.254/32:53 dgram udp
connect 192.168.200.254/32:53 stream tcp

and it works for IPv4 limiting access to just one DNS server. I've found out that in 2.2.1 I need

Code: Select all

sock_allow_family inet6

in order to allow IPv6 to be used, but I don't know if it is possible to use /etc/grsec/policy to limit IPv6 access as it is possible for IPv4.

Since IPv6 is going to become more interesting now central IANA IPv4 pool is depleted (http://www.nro.net/news/ipv4-free-pool-depleted), and first RIRs may be running our of their pools already in 3-6 months, we'd like to set up IPv6 support in place. Which works fine, except we seem to lose ability for limiting IP access in grsec policy (which is pity).

There are plans for IPv6 support. I may end up doing it in multiple phases, as it will require a decent amount of code, particularly for the learning code and associated rule reductions.

-Brad

Bump.
I'm deploying IPv6 now and I want to see grsecurity with full IPv6 support!

Back in June I sent out an offer regarding supporting specific features and asking for sponsorship from those interested in the listed features: http://grsecurity.net/pipermail/grsecur ... 01085.html

I received no replies/inquiries in response to it, so anything listed there will likely have to be written by someone else unless I manage to have enough time/motivation to do it at some point in the future. I have to prioritize my time based on what is requested by sponsors -- currently that involves implementing umask enforcement to the RBAC system.

-Brad

Okay, not so important, just reminder