On 4.11.2015 at 13:24, Petr Spacek wrote:
On 3.11.2015 18:50, Moez Roy wrote:
Hi Pavel Simerda,

The IPv6 updates are breaking stuff (and probably increasing the
attack surface):

Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
in /etc/sysctl.conf
https://bugzilla.redhat.com/show_bug.cgi?id=1231946

Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
in /etc/sysctl.conf
https://bugzilla.redhat.com/show_bug.cgi?id=1251762

(maybe other software like avahi also; I don't remember right now)

You can reproduce this by putting "ipv6.disable=1" in the kernel command line.

Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
security provided by SELinux so it is not an option.

Would appreciate fixes please. Thanks.

"ipv6.disable=1" or blacklisting ipv6 modules is going against the contemporary
way network APIs work. Many contemporary software projects are
using IPv6-enabled network calls by default because both IPv6 and IPv4
share the same name space on the machine so you only need to listen on an
IPv6 port to accept both IPv4 and IPv6.

Apparently this is not Fedora-specific in any way because ArchLinux says the 
same:
https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6

"net.ipv6.conf.all.disable_ipv6=1" is good enough and should not have negative
side-effects of "ipv6.disable=1".

Having said that, I'm proposing to close all issues caused by "ipv6.disable=1"
as WONTFIX.

Hi

I strongly object to this idea.

The system needs to work in an IPv4 environment and with a kernel without IPv6 enabled.

There are a number of reasons for keeping this possibility enabled - e.g.
I want to use an older kernel for regression testing, I want to have the
IPv6 stack disabled for security reasons, and lots of others...

So please do not replace the coder's inability to write correct code to handle the dual socket interface with disabling usage of whole Fedora on a kernel with IPv6 disabled.

I'm fine if the particular software package would be IPv6 only - as long
as there is no IPv4-only user who cares - it's the correct way.

Just do NOT make such package a core system dependency - it has to remain optional.

Regards

Zdenek

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
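
The dual-socket handling discussed in this thread, as an added example that is not part of the original messages or of any package named in them: a TCP listener that opens one IPv6 socket accepting both IPv4 and IPv6, and falls back to a plain IPv4 socket when the kernel offers no IPv6 (as with "ipv6.disable=1"). The function names listen_on and open_listener are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try one address family; return a listening fd, or -1 with errno set. */
static int listen_on(int family, unsigned short port)
{
    int on = 1, off = 0, rc, saved;
    int fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;  /* typically EAFNOSUPPORT when the kernel has no IPv6 */
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    if (family == AF_INET6) {
        struct sockaddr_in6 a6;
        memset(&a6, 0, sizeof a6);
        a6.sin6_family = AF_INET6;
        a6.sin6_addr = in6addr_any;
        a6.sin6_port = htons(port);
        /* Clear IPV6_V6ONLY so IPv4 peers arrive as ::ffff:a.b.c.d. */
        rc = setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof off);
        if (rc == 0)
            rc = bind(fd, (struct sockaddr *)&a6, sizeof a6);
    } else {
        struct sockaddr_in a4;
        memset(&a4, 0, sizeof a4);
        a4.sin_family = AF_INET;
        a4.sin_addr.s_addr = htonl(INADDR_ANY);
        a4.sin_port = htons(port);
        rc = bind(fd, (struct sockaddr *)&a4, sizeof a4);
    }
    if (rc == 0)
        rc = listen(fd, SOMAXCONN);
    if (rc != 0) {              /* keep the real error across close() */
        saved = errno; close(fd); errno = saved;
        return -1;
    }
    return fd;
}

/* Prefer dual-stack; fall back to IPv4-only if the IPv6 path fails. */
int open_listener(unsigned short port, int *family_out)
{
    int fd = listen_on(AF_INET6, port);
    *family_out = AF_INET6;
    if (fd < 0) {
        fd = listen_on(AF_INET, port);
        *family_out = AF_INET;
    }
    return fd;
}
```

The caller learns through family_out which path was taken, so a service can log that it is running IPv4-only instead of failing at startup.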