
Re: Default value of net.ipv6.bindv6only should revert to 0



On Monday 12 April 2010 18:19:08, Marco d'Itri wrote:
> On Apr 12, Salvo Tomaselli <tiposchi@tiscali.it> wrote:
> > > If a kernel without IPv6 support is used then e.g. an ACL will contain
> > > plain IPv4 addresses as expected, but when a kernel with IPv6 support
> > > is installed in your scenario then that ACL will not work anymore
> > > (without special code) because now the IPv4 addresses would need to be
> > > converted to v6-mapped addresses.
> >
> > 1 - In a kernel without IPv6 support, trying to accept IPv6 connections
> > will simply fail, so for the server program to work without it, it is
> > safe to
> 
> You keep missing the point. Let me try with shorter sentences, if you
> still do not get it maybe I can try a puppet show.
> 
> Root configures daemon on IPv4-only system.
> Daemon can only bind to 0.0.0.0.

So it opens an AF_INET socket because using an AF_INET6 would fail.

> Configuration works.
> IPv6 is enabled.
> Daemon now can bind to ::.

No, AF_INET socket cannot bind to ::, only AF_INET6 sockets can. So you assume 
a program to try AF_INET6 first, then additionally AF_INET.

> Daemon accepts IPv4 connection on the IPv6 socket.
> Configuration broken.

So you try to fix some broken programs by asking other programs that assume 
the documented default to be fixed, instead? That really makes sense :-/

A socket option must be used for those programs that may fail with the default 
of bindv6only=1 because they use both AF_INET6 and AF_INET for the same port. 
However, your example above then just fails for the opposite case of 
bindv6only=0 and can by using the socket option correctly.

Why exactly does that make bindv6only=1 a good choice?

HS
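
Added example, not part of the original message or of any program discussed in the thread: a daemon that sets IPV6_V6ONLY itself behaves the same under either value of net.ipv6.bindv6only, and an ACL written with plain IPv4 addresses keeps working on a dual-stack socket if v4-mapped peers are reduced to IPv4 before the comparison. The function names open_listener, peer_ipv4 and acl_allows are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: AF_INET6 listener whose dual-stack behaviour is set
 * explicitly (v6only: 1 = IPv6 only, 0 = also IPv4), not by the sysctl. */
int open_listener(unsigned short port, int v6only)
{
    struct sockaddr_in6 sa;
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0)
        return -1; /* kernel without IPv6: caller falls back to AF_INET */
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_addr = in6addr_any;
    sa.sin6_port = htons(port);
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hypothetical helper: extract the IPv4 address. Returns 1 for AF_INET and
 * v4-mapped (::ffff:a.b.c.d) peers, 0 for native IPv6 peers. */
int peer_ipv4(const struct sockaddr *sa, struct in_addr *out)
{
    const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
    if (sa->sa_family == AF_INET) {
        *out = ((const struct sockaddr_in *)sa)->sin_addr;
        return 1;
    }
    if (sa->sa_family != AF_INET6 || !IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr))
        return 0;
    memcpy(out, &s6->sin6_addr.s6_addr[12], sizeof *out);
    return 1;
}

/* Hypothetical ACL check against an IPv4 network net/prefix (prefix 0..32). */
int acl_allows(const struct sockaddr *sa, const char *net, int prefix)
{
    struct in_addr peer, base;
    in_addr_t mask = prefix ? htonl(0xffffffffu << (32 - prefix)) : 0;
    if (!peer_ipv4(sa, &peer) || inet_pton(AF_INET, net, &base) != 1)
        return 0;
    return (peer.s_addr & mask) == (base.s_addr & mask);
}
```

A native IPv6 peer is never matched by an IPv4 ACL entry here, so the caller decides separately how IPv6 clients are admitted.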

