On Fri, Mar 31, 2006 at 11:06:55AM -0800, Brooks Davis wrote:
> > One little problem here is that it is possible to disable the
> > IPv6-mapped IPv4 addresses at least under Linux and some BSD variants.
> > For Linux, have a look at sys.net.ipv6.bindv6only. Some authors even
> More specifically, KAME derived (BSD) stacks disable them by default so
In addition, OpenBSD doesn't provide mapped addresses. Though this
is a violation of RFC 4291, RFC 4038 "recommends" this approach:
Note that some systems will disable (by default) support for internal
IPv4-mapped IPv6 addresses. The security concerns regarding these
are legitimate, but disabling them internally breaks one transition
mechanism for server applications originally written to bind() and
listen() to a single socket by using a wildcard address. This forces
the software developer to rewrite the daemon to create two separate
sockets, one for IPv4 only and the other for IPv6 only, and then to
use select(). However, mapping-enabling of IPv4 addresses on any
particular system is controlled by the OS owner and not necessarily
by a developer. This complicates developers' work, as they now have
to rewrite the daemon network code to handle both environments, even
for the same OS.
> it might be best to assume it doesn't work since you'll probably have
> to support that case anyway.
ACK. But what does this imply? Do we already have select()ed
binds, in other words, can we simply spawn two listen()-sockets?
If we conclude not to use mapped addresses, will we end up
with btl/tcp and btl/tcp6?
The OS support issue can be handled this way:
union sockaddr_union {
struct sockaddr sa;
struct sockaddr_in sin;
#ifdef HAVE_IPV6
struct sockaddr_in6 sin6;
#endif
};
and later:
/* copy IP to sockaddr */
static inline void
sin_set_ip(union sockaddr_union *so, const struct ip_addr *ip)
{
if (ip == NULL) {
#ifdef HAVE_IPV6
so->sin6.sin6_family = AF_INET6;
so->sin6.sin6_addr = in6addr_any;
#else
so->sin.sin_family = AF_INET;
so->sin.sin_addr.s_addr = INADDR_ANY;
#endif
return;
}
(code shamelessly borrowed from dovecot/src/lib/network.c)
It might be a little harder to read, but it keeps both
versions (IPv4-only and IPv6) close together.
--
mail: a...@thur.de http://adi.thur.de PGP: v2-key via keyserver
Scheiße wird nicht dadurch besser oder sicherer, dass man ein paar
Shareware-Warnlämpchen dranpappt. (Robin S. Socha über "Desktop-Firewalls")
