Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ipconfig: Support complete disabling of IPv6 and refactor
[ipconfig] Support complete disabling of IPv6 and refactor. JB#48769 Support complete disabling of IPv6 on both system and interface levels. Disabling of IPv6 completely albeit temporarily is required when there can be multiple connected technologies and a VPN is connected over IPv4 using an dual-stack transport and/or there is another technology with dual-stack or only IPv6 in use. This approach effectively ensures that no data from an IPv4 VPN leaks to any other interface. A DNS server returning replies to AAAA requests may return an IPv6 address, which could be then used over IPv6 routing on another technolology that is not acting as the transport of the VPN. Add a "ipv6_force_disabled" toggle to indicate that the particular device tied to ipconfig should not have IPv6 enabled. This toggle is to be used in scenarios where IPv6 should be prevented from reinstating unless forcefully enabled. The __connman_ipconfig_{enable,disable}_ipv6() now have additional boolean to control this behavior, and the enabling function returns either -EINVAL or -EOPNOTSUPP for errors and 0 when success. When checking IPv6 enabled state return false if ipv6_force_disabled is set as that is the real status of IPv6. The /proc disable_ipv6 can change when kernel processes ICMPv6 (RA/RS) packets and brings the IPv6 interface up so using only the disable_ipv6 value is not consistent enough in case when IPv6 has been forcefully disabled. This change will prevent from changing the IPv6 status until it has it has been forcefully enabled. The most prominent use case for this is to prevent data as well as DNS leak to IPv6 when IPv4 only VPN is connected over a transport supporting both IPv4 and IPv6 connectivity. In addition to changing disable_ipv6 value also the autoconf option is managed. This is done in order to control the address setup for the interface. Also accept_ra is managed to prevent from setting up the addressing according to route advertizements. The accept_ra value is backed up before disabling in order to restore it to the correct value when re-enabling. It is worthy to note that disable_ipv6 may be temporarily set to 0 by the kernel when RS packets are received and LL addess is temporarily set as a typical behavior of IPv6 on some configurations, and after a while the value of disable_ipv6 as well as LL address are reset/removed by kernel. Also refactor getting and setting the proc conf values, have read and write in their own respective general functions. If write/read is issued without interface name (NULL) then "all" section is used to follow the old behavior.
- Loading branch information