On 9/25/24 7:26 AM, Eli Schwartz <eschwa...@gentoo.org> wrote:
On 9/25/24 6:00 AM, Walter Dnes wrote:
> My system is actually very stable. In the shitstorm that erupted on
> this list at "ipv6" enabling I did not see any mention of sysctl. In my
> /etc/default/grub file I have...
>
> GRUB_CMDLINE_LINUX_DEFAULT="noexec=on net.ifnames=0 ipv6.disable=1"
>
> With this setting is it guaranteed that a program compiled with "ipv6"
> flag will not try IPV6 first and timeout before dropping down to IPV4?

(Note that the sysctl dynamically disables ipv6 support so that you can manually toggle it after boot, e.g. for testing. The kernel command line option hard-disables it at boot time. Your choice which to use, I guess.)

If the kernel has disabled ipv6 there is no timeout because no attempt is made. If the kernel has enabled ipv6 then an attempt will be made and it may:

- succeed, if your network has functioning ipv6 connectivity
- fail instantly, if your network is correctly configured (you may not be in control of the network you use)
- fail after a lengthy timeout after your network "valiantly" attempts to send your connection attempt into a black hole of doom

This was actually a pretty common failure mode around 10-15 years ago. An early Apple Airport Express had a bug where it would issue global-scope v6 addresses and send RAs even if it didn't have global connectivity. Those issues (and similar ones on less ubiquitous routers) fed a lot of the paranoia around desires to disable IPv6. It still can happen today, but IME it's more often in the form of an ISP with inferior IPv6 connectivity.

-- Jay Faulkner

As Arsen mentioned, RFC 8305 defines the "Happy Eyeballs" mechanism for trying both ipv4 and ipv6 at the same time, incurring the cost of slightly more traffic for the benefit of avoiding timeouts (since ipv4 will still succeed just as fast regardless of whether a parallel ipv6 is timing out, and as soon as ipv4 succeeds, the ipv6 timeout is ignored and made redundant).

Not all software uses Happy Eyeballs. In particular, emerge --sync does not, because the python library that portage uses to check for updated PGP keys used when validating manifests, does not. This pained me tremendously since "emerge --sync" would literally hang forever, until I disabled ipv6 via the kernel.

Note that since Aug 31, 2021, Gentoo's package for python has not supported USE=ipv6, but the sysctl works quite well.

> How OS-specific is this? I "asked Mr. Google" and the NordVPN web
> page recommended for Redhat based distros...

It is specific to the linux kernel, that is all. You may replace "all" with the name of a machine-specific interface (as listed by "ip addr") to express settings that are specific to a given interface. Most people do not need that flexibility and simply want all interfaces to look the same.
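
The difference between sequential fallback and the RFC 8305 staggered race discussed in this thread, as an added example that is not part of any poster's message or of portage. The connect function, the timings (scaled down so it runs quickly) and the black-hole scenario are constructed stand-ins; only the 250 ms attempt delay is the value RFC 8305 recommends.

```python
import asyncio
import time

# Constructed scenario: the IPv6 path is a black hole, IPv4 answers quickly.
V6_BLACKHOLE_TIMEOUT = 1.0   # stands in for a much longer real connect timeout
V4_CONNECT_TIME = 0.05
ATTEMPT_DELAY = 0.25         # RFC 8305 recommended Connection Attempt Delay

async def fake_connect(family, duration, ok):
    """Hypothetical stand-in for a TCP connect; no packets are sent."""
    await asyncio.sleep(duration)
    if not ok:
        raise TimeoutError(f"{family} connect timed out")
    return family

def attempts():
    """Address list in preference order: IPv6 first, then IPv4."""
    return [lambda: fake_connect("ipv6", V6_BLACKHOLE_TIMEOUT, False),
            lambda: fake_connect("ipv4", V4_CONNECT_TIME, True)]

async def sequential(factories):
    """Classic fallback: the next attempt starts only after a failure."""
    for make in factories:
        try:
            return await make()
        except OSError:      # TimeoutError is a subclass of OSError
            continue
    raise OSError("all attempts failed")

async def happy_eyeballs(factories, delay=ATTEMPT_DELAY):
    """Staggered race: start the next attempt after `delay` or on failure."""
    pending, queue = set(), list(factories)
    try:
        while queue or pending:
            if queue:
                pending.add(asyncio.create_task(queue.pop(0)()))
            done, pending = await asyncio.wait(
                pending, timeout=delay if queue else None,
                return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                if task.exception() is None:
                    return task.result()   # first success wins
        raise OSError("all attempts failed")
    finally:
        for task in pending:               # abandon the losing attempts
            task.cancel()

def timed(strategy):
    """Run one strategy and return (winning family, elapsed seconds)."""
    start = time.monotonic()
    winner = asyncio.run(strategy(attempts()))
    return winner, time.monotonic() - start
```

Calling `timed(sequential)` pays the full IPv6 timeout before IPv4 is even tried, while `timed(happy_eyeballs)` returns roughly one attempt delay plus the IPv4 connect time.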