On 3.11.2015 18:50, Moez Roy wrote: > Hi Pavel Simerda, > > The IPv6 updates are breaking stuff (and probably increasing the > attack surface): > > Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 > in /etc/sysctl.conf > https://bugzilla.redhat.com/show_bug.cgi?id=1231946 > > Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1 > in /etc/sysctl.conf > https://bugzilla.redhat.com/show_bug.cgi?id=1251762 > > (maybe other software like avahi also don't remember right now) > > You can reproduce this by putting "ipv6.disable=1" in the kernel command line. > > Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the > security provided by SELinux so it is not an option. > > Would appreciate fixes please. Thanks. "ipv6.disable=1" or blacklisting ipv6 modules is going against contemporary ways how network APIs. Many contemporary software projects are using IPv6-enabled network calls by default because both IPv6 and IPv4 share the same name space on the machine so you only need to listen on a IPv6 port to accept both IPv4 and IPv6. Apparently this is not Fedora-specific in any way because ArchLinux says the same: https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6 "net.ipv6.conf.all.disable_ipv6=1" is good enough and should not have negative side-effects of "ipv6.disable=1". Having said that, I'm proposing to close all issues caused by "ipv6.disable=1" as WONTFIX. -- Petr Spacek @ Red Hat -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
