Re: 2.6.29 regression? Bonding tied to IPV6 in 29-rc5

From: David Miller
Date: Wed Feb 18 2009 - 00:29:49 EST


From: Valdis.Kletnieks@xxxxxx
Date: Tue, 17 Feb 2009 23:41:16 -0500

> What does a poor corporate user do if they're running a distro kernel that
> was built with CONFIG_IPV6, but local security policy says "Disable IPv6
> because we don't do it yet, or because it breaks mission-critical software
> package XYZ?" There's a *lot* of people who implement that by the "block
> the ipv6 module from loading" trick. And building a kernel that doesn't
> include IPv6 may not be feasible due to vendor certification issues...
>
> Heck, *I*'m almost in that boat - probably need to use bonded ethernet on some
> servers because we can't get 10GigE, but the software used in the project the
> servers were bought for blows chunks if it gets a whiff of an IPv6 address.
> Ended up spending 3 weeks doing a massive kludgery of one sort in DNS for the
> rest of the world, and equally massive lying in /etc/hosts for the hosts...
> (Don't ask - it was long and ugly, and just disabling the module would have
> saved me about 2.95 weeks of work, so I know where those people are coming
> from...)

Well, first of all, if you keep trying to push the box into the round
hole you get what you ask for :-)

Next, if it's just an issue of IPV6 traffic, install a packet
scheduler rule that rejects all packets with ethernet proto
ETH_P_IPV6.

If opening up ipv6 sockets is problematic, that can be blocked
using the security layer, which your super-duper distro kernel
is guaranteed to have enabled. :-)

I'm sure there is someone who has legacy problems with ipv4
and that can't be disabled, and somehow people cope. Amazing.
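The packet scheduler rule suggested in the reply above, sketched with iproute2's tc as an added example (not code from the thread or from any participant). The function names and the interface name passed in (for instance bond0) are assumptions; the script prints the rules by default and only touches the system when ipv6_drop_apply is called as root.

```shell
#!/bin/sh
# Added example: drop every frame whose ethertype is ETH_P_IPV6 (0x86DD)
# using tc filters. Function names here are hypothetical helpers.

# Print the tc commands for one interface, ingress and egress.
ipv6_drop_rules() {
    dev=$1
    # Accept only characters that are sane in an interface name, so a
    # crafted argument cannot change the commands that get generated.
    case $dev in
        ''|*[!A-Za-z0-9_.-]*)
            echo "bad interface name: $dev" >&2
            return 1 ;;
    esac
    # Ingress: the ingress qdisc is always reachable as parent ffff:.
    echo "tc qdisc add dev $dev ingress"
    echo "tc filter add dev $dev parent ffff: protocol ipv6 prio 1 u32 match u32 0 0 action drop"
    # Egress: a filter needs a classful root qdisc to attach to. This
    # replaces the default root qdisc with prio, which changes queueing.
    echo "tc qdisc add dev $dev root handle 1: prio"
    echo "tc filter add dev $dev parent 1: protocol ipv6 prio 1 u32 match u32 0 0 action drop"
}

# Apply the rules (needs root and iproute2); stops at the first failure.
ipv6_drop_apply() {
    rules=$(ipv6_drop_rules "$1") || return 1
    printf '%s\n' "$rules" | while read -r cmd; do
        $cmd || exit 1
    done
}

# Usage:
#   ipv6_drop_rules bond0      # review what would be installed
#   ipv6_drop_apply bond0      # install it (as root)
#   tc -s filter show dev bond0 parent ffff:   # per-filter hit counters
```

This filters frames only; processes can still open AF_INET6 sockets, which is the separate problem the reply assigns to the security layer.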