Wandering Thoughts archives

2010-02-16

A Linux gotcha about daemons and bindv6only

First, the brief review. Linux's net.ipv6.bindv6only sysctl controls whether an IPv6 socket can also accept IPv4 traffic (with IPv4 mapped addresses), or whether it binds only to true IPv6 traffic. So if you want to turn off dual binding (which I think you should), you turn this sysctl on and then run around fixing up things to work.

Except there's a gotcha. Whether IPv6 sockets can also talk IPv4 is actually a per-socket property, and setting the bindv6only sysctl only sets the default value for new sockets. Programs can override this, as Apache does, and existing server sockets keep their current behavior.

(I expect that sockets created by accept() inherit this property from the listening socket, since that's basically the only sensible way to handle this.)

The net result is that if you enable bindv6only on an already running system, you can get various sorts of misleading and peculiar results. The big misleading result is that any running daemon with a bound IPv6 socket will continue to get connections from IPv4 machines and can probably still talk to them; this will make it look like your system's configuration is more single-bind-ready than it actually is, since the same daemon won't be working so well after a reboot.

The peculiar result is that daemons that sometimes open new connections will probably fail badly. When talking over their regular server socket they will have no problem since that is still dual-bound, but when they go to open a new connection they will fail; they'll create an IPv6 socket (because that matches both their server socket and the type of address they want to talk to) but it will reject their attempts to talk to the IPv4 address.

(I am pretty sure that this is what I saw with the Amanda client setup on one machine.)

The moral is that if you turn on bindv6only, you should immediately hunt down all programs with listening IPv6 sockets and fix any of them that need to talk to IPv4 machines (except for Apache, which handles this on its own). Don't assume that everything is fine just because things seem to still work; they may be subtly broken, and they may be fine only until you reboot.
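As an added illustration (not part of the original post), the following Python script makes the two points above concrete on a live system: it compares the sysctl default with what a freshly created AF_INET6 socket inherits, and then reproduces the "daemon opens a new connection" failure by forcing IPV6_V6ONLY on or off per socket and trying to reach an IPv4 listener through an IPv4-mapped address. The sysctl path, the loopback listener and the function names are the script's own assumptions.

```python
import socket

SYSCTL_PATH = "/proc/sys/net/ipv6/bindv6only"  # Linux-specific (assumed)


def sysctl_default():
    """System-wide bindv6only default (0 or 1); None if not readable."""
    try:
        with open(SYSCTL_PATH) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def fresh_socket_v6only():
    """IPV6_V6ONLY of a brand-new AF_INET6 socket. On Linux this is a copy
    of the sysctl taken at socket() time, so old sockets keep old values."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            return s.getsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY)
    except OSError:
        return None


def v6_socket_reaches_v4(v6only):
    """Emulate a daemon that uses an IPv6 socket to open a new connection
    to an IPv4 peer (here: a constructed IPv4 listener on 127.0.0.1).
    IPV6_V6ONLY is set per socket, overriding whatever the sysctl says.
    Returns True if connected, False if the kernel rejects the IPv4-mapped
    target, None if this host cannot run the probe at all."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv, \
             socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as cli:
            srv.bind(("127.0.0.1", 0))
            srv.listen(1)
            port = srv.getsockname()[1]
            cli.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
            cli.settimeout(2)
            try:
                cli.connect(("::ffff:127.0.0.1", port))  # IPv4-mapped address
            except OSError:  # ENETUNREACH on Linux when the socket is v6-only
                return False
            return True
    except OSError:
        return None
```

Running `v6_socket_reaches_v4(False)` and `v6_socket_reaches_v4(True)` back to back on the same box shows the same IPv6 socket type succeeding and then failing against the same IPv4 peer, with only the per-socket flag changed.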

linux/Bindv6onlyNote written at 01:49:30