
Re: xinetd and IPv6



Joey Schulze wrote:
[..]
> However
> 
> 	flags = IPv4 IPv6
> 
> will only expose IPv4 and no IPv6 although it's a combination of
> both arguments.

This reports:

Mar 28 23:07:35 firenze xinetd[13101]: Service ftp specified as both IPv4 and IPv6 - DISABLING

> Instead
> 
> 	flags = IPv6
> 
> will expose the FTP service to both services.

Correct, as this is a 'transition mechanism'. Connections will seem to
be coming in from ::ffff:a.b.c.d for IPv4 a.b.c.d. This is quite nasty
for people with firewalls and logs. ::ffff:a.b.c.d is logged while
a.b.c.d is meant, as such a.b.c.d should be logged. One can easily
differentiate between IPv4 and IPv6 anyway, just check for the existence
of a colon (:), if that is there it is IPv6, otherwise it is IPv4.

IMHO this transition mechanism is more pain than it is worth. It also
makes programmers lazy when porting software as for listen sockets they
just use AF_INET6 and :: presto. They should be doing a getaddrinfo()
loop and then binding to the AF's independently. They don't as that is
actual work one has to perform then and you have to do a select() loop
to handle the connections.

Do also note that when one sets the following sysctl:
net.ipv6.bindv6only = 1

then ::ffff:1.2.3.4 won't be used and it is properly bound to only IPv6.

Also another annoying thing, if bound to IPv6 ::, one can _after that_
bind another program to 0.0.0.0 and that will handle those connections.

IMHO Programs which use the compat addresses should be marked broken and
need to be fixed properly. As such xinetd is broken.

Greets,
 Jeroen
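
The logging point from the message above, as an added example that is not part of the original post or of xinetd's source: a daemon listening on an AF_INET6 `::` socket can unwrap v4-mapped peers (::ffff:a.b.c.d) before they reach logs or access-control checks. The names `peer_to_log` and `make_v6_peer` and the sample addresses are constructed for illustration.

```c
/* Added example, not xinetd code: log a peer address in its native form. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Write the printable peer address into buf. A v4-mapped IPv6 peer
 * (::ffff:a.b.c.d) is written as plain a.b.c.d. Returns the family
 * actually logged (AF_INET or AF_INET6), or -1 on error. */
int peer_to_log(const struct sockaddr_storage *ss, char *buf, socklen_t len)
{
    if (ss->ss_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)ss;
        return inet_ntop(AF_INET, &s4->sin_addr, buf, len) ? AF_INET : -1;
    }
    if (ss->ss_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)ss;
        if (IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr)) {
            struct in_addr v4;  /* last 4 bytes hold the IPv4 address */
            memcpy(&v4, &s6->sin6_addr.s6_addr[12], sizeof v4);
            return inet_ntop(AF_INET, &v4, buf, len) ? AF_INET : -1;
        }
        return inet_ntop(AF_INET6, &s6->sin6_addr, buf, len) ? AF_INET6 : -1;
    }
    return -1;  /* unknown address family */
}

/* Build a constructed AF_INET6 peer from text, as accept() would fill it. */
int make_v6_peer(const char *text, struct sockaddr_storage *ss)
{
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
    memset(ss, 0, sizeof *ss);
    s6->sin6_family = AF_INET6;
    return inet_pton(AF_INET6, text, &s6->sin6_addr) == 1 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample peers from the documentation address ranges. */
    const char *peers[] = { "::ffff:192.0.2.10", "2001:db8::1" };
    for (size_t i = 0; i < 2; i++) {
        struct sockaddr_storage ss;
        char buf[INET6_ADDRSTRLEN];
        if (make_v6_peer(peers[i], &ss) == 0 && peer_to_log(&ss, buf, sizeof buf) > 0)
            printf("%-18s logged as %s\n", peers[i], buf);
    }
    return 0;
}
```

Firewall rules and log searches written against a.b.c.d then match regardless of which socket family accepted the connection.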
