net: base IPV6_V6ONLY behaviour also on bindv6only (on linux) #12579

Closed
42wim opened this issue Sep 10, 2015 · 4 comments


42wim commented Sep 10, 2015

Would it be possible to change the behaviour of tcp + "[::]" and tcp + "0.0.0.0" on Linux based on the value of /proc/sys/net/ipv6/bindv6only?

E.g. net.Listen("tcp", "[::]:3000") and net.Listen("tcp", "0.0.0.0:3000") now listen on both IPv4 and IPv6.

This may not be the behaviour an administrator expects.

If he has bindv6only enabled, it should only listen on IPv6. Otherwise it may create a security risk, especially when using http.ListenAndServe, where you cannot specify a network.

Maybe net.probeIPv6Stack() can be extended to check for the bindv6only value on Linux?

@bradfitz
Contributor

I note also that the net.Listen documentation sucks:

http://golang.org/pkg/net/#Listen

Listen announces on the local network address laddr. The network net must be a stream-oriented network: "tcp", "tcp4", "tcp6", "unix" or "unixpacket". See Dial for the syntax of laddr.

Where the func Dial docs aren't very helpful about listening.

@bradfitz
Contributor

/cc @mikioh @pmarks-net @mdempsky

@pmarks-net
Contributor

With bindv6only=1, Listen("tcp", "[::]:port") is IPv6-only, and Listen("tcp", "0.0.0.0:port") / Listen("tcp", ":port") are IPv4-only. I would argue that "tcp" with any wildcard should always listen on both IPv4+IPv6 using either one dual-stack socket, or two single-stack sockets (unless the kernel is IPv4/IPv6-only, of course). The issues I filed back in #9334 still stand.

The "tcp4" and "tcp6" modes allow you to force single-stack sockets. For anything more advanced, the socket API is not a great place to put firewall rules.

@rsc
Contributor

rsc commented Oct 23, 2015

I don't think we should change the default behaviors here at this point. Explicit opt-in to a different behavior is fine, but that already exists: use tcp4 or tcp6.

@rsc rsc closed this as completed Oct 23, 2015
@golang golang locked and limited conversation to collaborators Oct 24, 2016
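
The tcp4/tcp6 opt-in mentioned in the thread, applied to the http.ListenAndServe case from the original report, as an added example that is not part of the thread or of the Go project's code. The helper names listenSingleStack, serve and reachable are hypothetical, and port 0 is a constructed value that lets the kernel pick a free port.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strconv"
	"time"
)

// listenSingleStack (hypothetical helper) opens a listener for exactly one
// address family and refuses plain "tcp", which may yield a dual-stack socket.
func listenSingleStack(network, addr string) (net.Listener, error) {
	switch network {
	case "tcp4", "tcp6":
		return net.Listen(network, addr)
	default:
		return nil, fmt.Errorf("network %q is not single-stack; use tcp4 or tcp6", network)
	}
}

// serve replaces http.ListenAndServe, which always listens on "tcp":
// the caller chooses the listener, http.Server only serves on it.
func serve(ln net.Listener, h http.Handler) error {
	srv := &http.Server{Handler: h, ReadHeaderTimeout: 5 * time.Second}
	return srv.Serve(ln)
}

// reachable reports whether a TCP connection to host:port succeeds.
func reachable(network, host string, port int) bool {
	c, err := net.DialTimeout(network, net.JoinHostPort(host, strconv.Itoa(port)), time.Second)
	if err != nil {
		return false
	}
	c.Close()
	return true
}

func main() {
	ln, err := listenSingleStack("tcp4", "0.0.0.0:0") // port 0: constructed, picks a free port
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go serve(ln, http.NotFoundHandler())
	port := ln.Addr().(*net.TCPAddr).Port
	fmt.Println("IPv4 loopback reachable:", reachable("tcp4", "127.0.0.1", port))
	fmt.Println("IPv6 loopback reachable:", reachable("tcp6", "::1", port))
}
```

The same reachable check run against a service's real port from both address families shows which stacks a deployed listener actually answers on.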