unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

Phil Mayers p.mayers at imperial.ac.uk
Wed Nov 4 11:35:23 UTC 2015


On 04/11/2015 00:32, Robert Edmonds via Unbound-users wrote:
> Paul Wouters via Unbound-users wrote:
>> FYI:
>>
>> rhbz#1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
>>
>> Paul
>
> Hi, Paul:
>
> I'm a bit confused.  unbound-anchor is an ordinary program that uses the
> sockets API, so it should have no reason to read Linux kernel specific
> sysctl's or change behavior based on their values, since sysctl's are
> parameters for the kernel.

Agreed. What's happening here is a user-space attempt to open an 
AF_INET6 socket is causing a modprobe, likely because the reporter has 
blocked the IPv6 kernel module from loading ("I don't trust IPv6").

They erroneously believe the sysctl would stop this, when all it does is 
disable IPv6 on all interfaces - it's nothing to do with application 
behaviour or module loading control.

If there's a bug anywhere here, it's in the SELinux policy blocking the 
module_request, but I doubt even that.

Trying to force IPv6 to not load on a Linux system causes all sorts of 
subtle errors these days, and should not IMHO be a supported use-case.



More information about the Unbound-users mailing list