net: base IPV6_V6ONLY behaviour also on bindv6only (on linux) #12579

Closed
42wim opened this issue Sep 10, 2015 · 4 comments

@42wim

commented Sep 10, 2015

Would it be possible to change the behaviour of tcp + "[::]" and tcp + "0.0.0.0" on linux based on the value of /proc/sys/net/ipv6/bindv6only ?

E.g. net.Listen("tcp", "[::]:3000") and net.Listen("tcp", "0.0.0.0:3000") now listen both on IPv4 and IPv6.

This may not be the behaviour an administrator expects.

If he has bindv6only enabled it should only listen on IPv6. Otherwise it may create a security risk, especially when using http.ListenAndServe where you cannot specify a network.

Maybe net.probeIPv6Stack() can be extended to check for the bindv6only value on linux?

@bradfitz

Member

commented Sep 10, 2015

I note also that the net.Listen documentation sucks:

http://golang.org/pkg/net/#Listen

Listen announces on the local network address laddr. The network net must be a stream-oriented network: "tcp", "tcp4", "tcp6", "unix" or "unixpacket". See Dial for the syntax of laddr.

Where the func Dial docs aren't very helpful about listening.

@bradfitz

Member

commented Sep 10, 2015

@pmarks-net

Contributor

commented Sep 11, 2015

With bindv6only=1, Listen("tcp", "[::]:port") is IPv6-only, and Listen("tcp", "0.0.0.0:port") / Listen("tcp", ":port") are IPv4-only. I would argue that "tcp" with any wildcard should always listen on both IPv4+IPv6 using either one dual-stack socket, or two single-stack sockets (unless the kernel is IPv4/IPv6-only, of course). The issues I filed back in #9334 still stand.

The "tcp4" and "tcp6" modes allow you to force single-stack sockets. For anything more advanced, the socket API is not a great place to put firewall rules.

@rsc

Contributor

commented Oct 23, 2015

I don't think we should change the default behaviors here at this point. Explicit opt-in to a different behavior is fine, but that already exists: use tcp4 or tcp6.

@rsc rsc closed this Oct 23, 2015

@golang golang locked and limited conversation to collaborators Oct 24, 2016
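
The explicit opt-in the comments above point to, as an added example (not code from the Go project or from anyone in this thread): http.ListenAndServe takes no network argument, but http.Serve accepts a listener opened with "tcp4" or "tcp6", so a wildcard address stays on one address family. The helper names listenSingleStack, serveSingleStack and reachable are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"time"
)

// listenSingleStack (hypothetical helper) opens a TCP listener for exactly one
// address family and refuses the generic "tcp" network discussed in the thread.
func listenSingleStack(network, addr string) (net.Listener, error) {
	if network != "tcp4" && network != "tcp6" {
		return nil, fmt.Errorf("network %q is not single-stack; use tcp4 or tcp6", network)
	}
	return net.Listen(network, addr)
}

// serveSingleStack stands in for http.ListenAndServe: it passes an explicit
// listener to http.Serve and returns it so the caller can inspect or close it.
func serveSingleStack(network, addr string, h http.Handler) (net.Listener, error) {
	ln, err := listenSingleStack(network, addr)
	if err != nil {
		return nil, err
	}
	go http.Serve(ln, h) // returns once ln is closed
	return ln, nil
}

// reachable reports whether a TCP connection to addr succeeds over network.
func reachable(network, addr string) bool {
	c, err := net.DialTimeout(network, addr, 2*time.Second)
	if err != nil {
		return false
	}
	c.Close()
	return true
}

func main() {
	ln, err := serveSingleStack("tcp4", ":0", http.NotFoundHandler()) // wildcard, IPv4 only
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	port := ln.Addr().(*net.TCPAddr).Port
	fmt.Println("IPv4 reachable:", reachable("tcp4", fmt.Sprintf("127.0.0.1:%d", port)))
	fmt.Println("IPv6 reachable:", reachable("tcp6", fmt.Sprintf("[::1]:%d", port)))
}
```

Running the same reachability check against each deployed listener confirms which address families a service actually answers on, independent of the host's bindv6only setting.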
