Page 1 of 1

role_allow_ip 127.0.0.6 ?

PostPosted: Sat Apr 12, 2014 7:26 pm
by countermode
Hello,

in learning mode I frequently find role definitions with role attribute like
role_allow_ip 127.0.0.6

when in fact I have logged in via IPv6. Is this the way how a policy can express this (until proper IPv6 addressing is introduced)?


Regards

Re: role_allow_ip 127.0.0.6 ?

PostPosted: Thu Nov 06, 2014 4:28 pm
by christian.
Hey there,

had the same question, and found my answer with a bit of kernel code surfing.

It doesn't matter if you connect locally [::1] or remotely, the source IPv4 is always "127.0.0.6" if you actually connect via IPv6.

Though this is not the doing of Grsecurity. You can see the definition of the constant LOOPBACK4_IPV6 in the kernel tree and that it is set as the IPv4 source address when a IPv6 connection are established (for example in "/usr/src/linux/net/ipv6/tcp_ipv6.c")

So to answer your question: Probably the way to go until IPv6 is supported, since that constant is in the kernel source code for a long time now -- at least 9 years ...

Bye, Christian