
Re: Default value of net.ipv6.bindv6only should revert to 0



Salvo Tomaselli <tiposchi@tiscali.it> writes:
> On Monday 12 April 2010 18:19:08 Marco d'Itri wrote:

>> You keep missing the point. Let me try with shorter sentences, if you
>> still do not get it maybe I can try a puppet show.

> I keep on missing the point because you keep on changing it. Try to be
> coherent please. You have removed the bsd thing, did you notice?

Marco is not changing the point.  What Marco describes has been the
objection that several of us have had with bindv6only=0 from the very
beginning.  He's just more persistent about continuing to repeat the same
point when people keep raising the same arguments against it without
apparently being familiar with the previous discussion.

>> Root configures daemon on IPv4-only system.
>> Daemon can only bind to 0.0.0.0.
>> Configuration works.
>> IPv6 is enabled.
>> Daemon now can bind to ::.
>> Daemon accepts IPv4 connection on the IPv6 socket.
>> Configuration broken.

> So we introduce bugs in kernel to workaround bugs in daemons?

The way to fix the bug in the daemon is to always use IPV6_V6ONLY in the
networking code because no other way of handling listening sockets with a
dual stack is even remotely sane.

Until the daemon is modified to either use IPV6_V6ONLY or to deal with
IPv4-mapped addresses, it's going to be broken, possibly in
security-sensitive ways since the incoming IP addresses won't be what it
expects.  (If, for instance, you've blacklisted a particular IPv4 address,
suddenly that address gets through without difficulty in an unmodified
daemon because it's now showing up as an IPv6 address.)  So it's a
question of what bug do you want to have by default: not listening to IPv4
addresses when you bind an IPv6 socket, or getting incoming IP addresses
unexpectedly and strangely transformed?

Java assumed you wanted the second bug.  BSD picked the first bug.  We
have to pick one or the other.  Neither choice is attractive.

> Open a bugreport _IF_ you can find any real daemon with this kind of
> problem.

Just about every daemon I've ever seen had this problem in its original
conversion to IPv6 support.  I've fixed it in all of my code by using
IPV6_V6ONLY as soon as I became aware of its existence.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
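Added illustration of the two halves of the argument above: the blacklist
check that an unmodified daemon gets wrong once IPv4 peers arrive as
IPv4-mapped IPv6 addresses on a dual-stack socket, and the IPV6_V6ONLY
listener that sidesteps the problem regardless of the sysctl.  This is
example code written for this page, not code from the message, from any
of the daemons discussed, or from Debian; it assumes Linux-style
::ffff:a.b.c.d mapping, and the blacklist entry and peer addresses are
constructed for the example.

```python
"""Dual-stack listening and IPv4-mapped peer addresses.

Example added to this page; not from the original message.  Assumes
Linux-style IPv4-mapped addresses (::ffff:a.b.c.d).  BLACKLIST and the
addresses used in the checks below are constructed sample data.
"""
import ipaddress
import socket

# Constructed sample: the operator has blocked one IPv4 address, written
# the way it appears in an IPv4-era configuration file.
BLACKLIST = {"192.0.2.10"}


def normalize_peer(addr: str) -> str:
    """Return the peer address in the notation an IPv4-minded daemon expects.

    With bindv6only=0 and no IPV6_V6ONLY, an IPv4 client connecting to a
    socket bound to :: is reported as ::ffff:a.b.c.d.  Unmapping it makes
    the address compare equal to what the operator configured.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def naive_is_blocked(addr: str) -> bool:
    """The unmodified daemon: compares the raw peer string against the list."""
    return addr in BLACKLIST


def fixed_is_blocked(addr: str) -> bool:
    """The same check after unmapping IPv4-mapped peers."""
    return normalize_peer(addr) in BLACKLIST


def listen_v6only(port: int = 0) -> socket.socket:
    """Bind an IPv6 listener that never receives IPv4 connections.

    Setting IPV6_V6ONLY on the socket overrides net.ipv6.bindv6only for
    this socket only, so the daemon behaves the same on either default.
    """
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
    s.bind(("::", port))
    s.listen(16)
    return s


def listen_dual(port: int = 0):
    """One IPv6-only socket plus one IPv4 socket on the same port.

    Each family is served by a socket that reports peer addresses in its
    own notation, so address-based checks see exactly what was configured.
    Returns the pair (v6_socket, v4_socket).
    """
    v6 = listen_v6only(port)
    # With port=0 the kernel picked an ephemeral port; reuse it for IPv4.
    bound_port = v6.getsockname()[1]
    v4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    v4.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    v4.bind(("0.0.0.0", bound_port))
    v4.listen(16)
    return v6, v4


if __name__ == "__main__":
    peer = "::ffff:192.0.2.10"  # how a blocked IPv4 client looks on a dual-stack socket
    print("naive check blocks mapped peer:", naive_is_blocked(peer))
    print("fixed check blocks mapped peer:", fixed_is_blocked(peer))
```

The listener functions need an IPv6-capable host to run; the two check
functions are pure and show the blacklist bypass the message describes.
Binding both families separately is the approach the message recommends;
the alternative is to keep a single dual-stack socket and run every peer
address through something like normalize_peer before any policy check.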

