
Re: Default value of net.ipv6.bindv6only should revert to 0



Hendrik Sattler <post@hendrik-sattler.de> writes:
> Quoting Russ Allbery <rra@debian.org>:

>> It's not an assumption.  It's reality that one has to write code
>> against, because different platforms do different things.  Even if you
>> could remove the option from the Linux kernel (retroactively, changing
>> time to remove all the systems that already exist), that doesn't change
>> the fact that Solaris and BSD behave differently.

> But that was not the reason why the default was changed for _linux_ in
> Debian.  Since when do we need to adapt non-standard Solaris and BSD
> behaviour?

My understanding is that part (although certainly not all) of the reason
behind the default change is consistency with the kfreebsd architectures
which are expected to be part of Debian.  Debian has needed to adapt to
BSD behavior, non-standard or not, since the project decided to include
the kfreebsd architectures.  That's part of porting.

Also please note that I've stated several times that I think both
decisions have problems.  I'm not just defending the default change.  The
problem with Java is fairly serious, and it may be better for our users to
go back to setting bindv6only to 0.  But we should do so for the right
reasons and understanding the situation; that setting isn't *also* without
problems that we will have to deal with.

>>> Read about IPV6_ADDRFORM in ipv6(7). Use it. Change back to the
>>> default and forget about this discussion how hard it is to convert
>>> addresses to AF_INET style, so ACLs do match. Enjoy life :)

>> This doesn't have much to do with the conversation that
>> we're having, though.  Once you're modifying the application, there's a
>> bunch of things that you can do to address this problem in different
>> ways.  The question that we're debating is what the default should be
>> for applications that are not expressing an explicit preference.

> You forgot to cite yourself! This was an answer to your "BTW" question.

I don't see how this is related to the question that I'm asking:

    BTW, I've not tried this myself: does someone know what happens if a
    daemon called from an inetd equivalent calls getpeername() on a socket
    bound by an IPv6-aware inetd using mapped addresses?  For IPv4
    connections, does it get back an IPv4 address or an IPv6 mapped
    address?  Do the inetd implementations currently in Debian separately
    bind IPv4 and IPv6 sockets, or do they use mapped addresses?

Or are you saying that inetd implementations use IPV6_ADDRFORM before
running the underlying program?  (All of the ones in Debian?)  If so,
there's some missing connecting of the dots in your reply.

The point of the question is that programs run from inetd may get IPv6
sockets without knowing anything at all about IPv6 and without having any
special modifications made to use IPv6, particularly in the case of an
IPv6-aware inetd that uses mapped addresses.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
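
Added example, not part of the original message: a small C program for the getpeername() question above. It opens an AF_INET6 listener with IPV6_V6ONLY cleared (the per-socket equivalent of bindv6only=0), connects over IPv4 loopback, and returns the raw peer address; a second helper renders a peer in the form an IPv4 ACL would match. The function names peer_for_acl and dual_stack_peer are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example, hypothetical helper: print the peer for ACL matching. An
 * IPv4-mapped address (::ffff:a.b.c.d) becomes a.b.c.d. Returns family or -1. */
int peer_for_acl(const struct sockaddr *sa, char *out, socklen_t len) {
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr)) /* IPv4 is the last 4 bytes */
            return inet_ntop(AF_INET, &s6->sin6_addr.s6_addr[12], out, len) ? AF_INET : -1;
        return inet_ntop(AF_INET6, &s6->sin6_addr, out, len) ? AF_INET6 : -1;
    }
    if (sa->sa_family != AF_INET) return -1;
    return inet_ntop(AF_INET, &((const struct sockaddr_in *)sa)->sin_addr, out, len) ? AF_INET : -1;
}

/* Hypothetical live check: AF_INET6 listener with IPV6_V6ONLY=0, IPv4 client
 * over loopback. Stores the raw getpeername() text; returns family or -1. */
int dual_stack_peer(char *raw, socklen_t len) {
    int off = 0, fam = -1, c = -1, a = -1, l = socket(AF_INET6, SOCK_STREAM, 0);
    struct sockaddr_in6 b6; struct sockaddr_in to; struct sockaddr_storage p;
    socklen_t bl = sizeof b6, pl = sizeof p;
    memset(&b6, 0, sizeof b6); b6.sin6_family = AF_INET6; /* [::], port 0 */
    if (l < 0 || setsockopt(l, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof off) < 0 ||
        bind(l, (struct sockaddr *)&b6, sizeof b6) < 0 || listen(l, 1) < 0 ||
        getsockname(l, (struct sockaddr *)&b6, &bl) < 0) goto done;
    memset(&to, 0, sizeof to); to.sin_family = AF_INET;
    to.sin_port = b6.sin6_port; to.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if ((c = socket(AF_INET, SOCK_STREAM, 0)) < 0 ||
        connect(c, (struct sockaddr *)&to, sizeof to) < 0 ||
        (a = accept(l, NULL, NULL)) < 0 ||
        getpeername(a, (struct sockaddr *)&p, &pl) < 0) goto done;
    fam = p.ss_family;
    if (fam == AF_INET6 && !inet_ntop(AF_INET6, &((struct sockaddr_in6 *)&p)->sin6_addr, raw, len)) fam = -1;
done:
    if (a >= 0) close(a);
    if (c >= 0) close(c);
    if (l >= 0) close(l);
    return fam;
}

int main(void) {
    char raw[INET6_ADDRSTRLEN] = "";
    printf("family=%d raw=%s\n", dual_stack_peer(raw, sizeof raw), raw);
    return 0;
}
```

On Linux with IPv6 enabled, the raw address is ::ffff:127.0.0.1 with family AF_INET6, which is what a program handed such an accepted socket sees unless it or its parent converts the address.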

