On 2015/11/28 15:57, Reyk Floeter wrote:
> On Sat, Nov 28, 2015 at 03:19:20PM +0100, Gregor Best wrote:
> > Hi bugs@,
> > 
> > it turns out it was just a coincidence that I've only noticed the
> > broken IPv6 setup after the upgrade. The real cause of the problem
> > was a half-set up iked which installed
> > 
> >     flow esp out from ::/0 to ::/0 type deny
> > 
> > as a default IPSEC flow. This persisted after a reboot because I had
> > already enabled iked to be started by default. Martin requesting
> > configuration files then caused me to cut down the set up so I could
> > provide a minimal configuration that yields the problem and of
> > course after disabling iked and rebooting, everything worked fine.
> > 
> > The bottom line is: nothing to see here but a stupid operator.
> > Thanks and sorry for wasting your time :)
> > 
> 
> You're not the only one who fell into this trap.
> 
> But it is documented, right in the beginning of the iked(8) manpage:
> ---snip---
>      The options are as follows:
> 
>      -6      Disable automatic blocking of IPv6 traffic.  By default, iked
>              blocks any IPv6 traffic unless a flow for this address family has
>              been negotiated.  This option is used to prevent VPN traffic
>              leakages on dual stack hosts.
> ---snap---
> 
> So what should I do, disable this because people don't read the main
> and well-written manpage?

It's an important feature and good to have by default.

A possible alternative would be to reject the config with an explicit
error unless either "flow esp out from ::/0 to ::/0 type deny" or -6
is used. I don't think that would be worth the trouble though.
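An added diagnostic, not code from this thread or from OpenBSD: a POSIX sh check that spots the catch-all IPv6 deny flow iked installs by default (the one that silently breaks IPv6 until a v6 flow is negotiated or iked is started with -6). It assumes the flow-table lines look like the one quoted above, and the sample flow table below is constructed, not real ipsecctl output.

```shell
#!/bin/sh
# Constructed sample in the style of `ipsecctl -sf` output (not captured from
# a real host). The flow syntax is assumed to match the line quoted in the thread.
SAMPLE_FLOWS='flow esp in from 10.0.1.0/24 to 10.0.2.0/24 peer 203.0.113.1 type use
flow esp out from 10.0.2.0/24 to 10.0.1.0/24 peer 203.0.113.1 type use
flow esp out from ::/0 to ::/0 type deny'

# Print only flows that deny all IPv6: "flow ... from ::/0 to ::/0 ... type deny".
# A deny flow with a narrower prefix on either side is not the catch-all one.
v6_deny_flows() {
    awk '$1 == "flow" && $4 == "from" && $5 == "::/0" && $6 == "to" && $7 == "::/0" \
         && $(NF-1) == "type" && $NF == "deny"'
}

# Count catch-all IPv6 deny flows read on stdin; prints a bare integer.
count_v6_deny_flows() {
    v6_deny_flows | wc -l | tr -d ' '
}

# One-line verdict for the flow table passed as $1.
diagnose_v6_block() {
    n=$(printf '%s\n' "$1" | count_v6_deny_flows)
    if [ "$n" -gt 0 ]; then
        echo "blocked: $n catch-all IPv6 deny flow(s) installed (iked default; run iked with -6 to disable)"
    else
        echo "open: no catch-all IPv6 deny flow installed"
    fi
}

# Stand-alone run on the constructed sample. On a real OpenBSD host you would
# pass the live table instead: diagnose_v6_block "$(ipsecctl -sf)"
diagnose_v6_block "$SAMPLE_FLOWS"
```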
