Brief notes on IPv6 support in some Linux programs
Lately, I've been trying to actually use IPv6. This is a good way to find out various annoying things about how well programs support it, and so I'm going to write down some notes about what I've found out so far.
- tcpwrappers fully supports IPv6 based access restrictions, but not as
nicely as it does IPv4 ones, and subnet-based restrictions have a less
convenient notation. This is documented in the
(And wow, have modern versions of tcpwrappers picked up some useful features.)
- ssh supports using IPv6 addresses in from="..." restrictions in
authorized_keysfiles, but it doesn't document this and the degree of support varies between versions. In early versions you can only list full IPv6 addresses (written without '[...]' around them, unlike tcpwrappers); later versions also allow you to use the subnet prefix notation, but inconveniently require the subnet to be 'proper', having a host portion that is all zeros.
(This is the difference between writing '2002:8064:0333::1/48', which is how a lot of the actual IPv6 stuff is configured, and having to write '2002:8064:0333::/48'. Real examples may be more complicated.)
Fedora 8 has an earlier ssh; Fedora 11 has a later one.
- xinetd binds to IPv6 sockets by default, which is a problem if
you are turning off dual-binding,
which is what I think you should do. To specifically bind to
IPv4 sockets, set '
flags = ipv4' for a particular entry.
- Apache defaults to listening on an IPv6 socket. You might think that
this is a problem if you turn off dual-binding, but in fact Apache
is smarter than you; even if you turn off dual-binding, Apache
will turn it back on for its server socket.
(In fact Apache is so smart that if you carefully tell it to listen separately on IPv4 and IPv6 for the same port, it will combine them into one IPv6 socket. This can be really confusing if you've turned off dual-binding and are trying to make everything work and are suddenly doubting whether your configuration file change took because
netstat) says that Apache only has a single IPv6 socket.)
Apache's dual-binding support is almost completely perfect; if more programs were like it, dual-binding would have a better reputation. Notice that despite it using an IPv6 socket, you never see IPv4 mapped addresses in your logs and you never have to think about them in your configuration files; you just use and see IPv4 addresses, and Apache fixes everything up behind the scenes.
(I dock Apache style points because it does treat IPv4 compatible addresses differently from plain IPv4 addresses. This is defensible, since after all they're using IPv6 to talk to you, but I'm not sure it's desirable.)