grsecurity forums

[mnalis]

Are there plans to support IPv6 in grsec ?

For role_allow_ip, bind, connect, logging etc.

For example, I have in my policy following for some subject:

Code: Select all

bind 0.0.0.0/32:0 dgram udp
connect 192.168.200.254/32:53 dgram udp
connect 192.168.200.254/32:53 stream tcp

and it works for IPv4 limiting access to just one DNS server. I've found out that in 2.2.1 I need

Code: Select all

sock_allow_family inet6

in order to allow IPv6 to be used, but I don't know if it is possible to use /etc/grsec/policy to limit IPv6 access as it is possible for IPv4.

Since IPv6 is going to become more interesting now central IANA IPv4 pool is depleted (http://www.nro.net/news/ipv4-free-pool-depleted), and first RIRs may be running our of their pools already in 3-6 months, we'd like to set up IPv6 support in place. Which works fine, except we seem to lose ability for limiting IP access in grsec policy (which is pity).

[spender]

There are plans for IPv6 support. I may end up doing it in multiple phases, as it will require a decent amount of code, particularly for the learning code and associated rule reductions.

-Brad

[Undine]

Bump.
I'm deploying IPv6 now and I want to see grsecurity with full IPv6 support!

[spender]

Back in June I sent out an offer regarding supporting specific features and asking for sponsorship from those interested in the listed features: http://grsecurity.net/pipermail/grsecur ... 01085.html

I received no replies/inquiries in response to it, so anything listed there will likely have to be written by someone else unless I manage to have enough time/motivation to do it at some point in the future. I have to prioritize my time based on what is requested by sponsors -- currently that involves implementing umask enforcement to the RBAC system.

-Brad

[Undine]

Okay, not so important, just reminder