8:34 a.m.
Hello, up to Fedora 15 including, there was ipv6 as loadable kernel
module and was not problem disable/not load it. But recent F15 and
F16 kernels have IPV6 support compiled in kernel, know anyone for
which reason? For IPv4-only sites (which is absolute majority) this
is unneeded...
9:45 p.m.
Frantisek Hanzlik wrote:
Reindl Harald wrote:
>
>
> Am 08.04.2012 14:07, schrieb Frantisek Hanzlik:
>> Networking code has especial position, as bugs / problems /
>> misconfigurations in it have strong impact to machine security.
>> And I simply do not want do any ip6tables and other ipv6
>> security configuration - because I do not want use ipv6
>> _entirely_
>
> so disable it
> what is your exactly problem?
>
> i maintain 20 public fedora machines and no
> single one has any ipv6 configuration becuase
> i disabled it as explained - why can you do
> not the same?
>
>>>> 2) something (NetworkManager or other malware;) can easily activate it.
>>>
>>> who told you so?
>>> how can NetworkManager override a KERNEL parameter?
>>
>> Have I after each update supervise whether NM or other stuff
>> made some unwanted changes - maybe even on kernel commandline?
>> And after each reboot again? No, I don´t want it.
>
> boah you have to disable it once for years as you
> gad to disable the odule all the years before
>
> NM is not in the position to overrdie kernel-parameters
> kernel-parameters are not changed by updates
>
> so again: what is your problem?
>
>>> in times where it was a loadable module it was the same
>>> you had to make sure to disable it AND it was loaded
>>> most of the time
>>>
>> even if I wipe it from disk most services was able reconstruct
>> it and load again ;)
>
> so and what is the difference now?
>
>>> the stack is disabled entirely and the memory footprint may
>>> be the same as unloaded module and code paths on different
>>> places which has to check this
>>
>> Here I eventually agree with You
>
> hm you agree about memory fooprint
> you can disable ipv6 entirely
>
> so again: what is your problem?
Yeah, finitely we are back at my beginning question, fine.
Maybe $SUBJECT is incomprehensible, my English is poor.
I was asked for any reason(s) why now is ipv6 compiled in
kernel instead of previous (several months ago) state when
it was kernel module, for years.
For the present I cannot see any good arguments or references.
I can't see any reason to beat this topic further, it's the default because
the
developers believe it is most useful to the majority of users. You can build
your kernel with as many things added or removed as you please and add patches
as you find are needed.
You understand how to solve what seems a trouble for you, you have the answer
"it's more generally useful" and you are entitled to your opinion but
it's not
done by vote. So I guess you live with it or fix it on your machines. I fix
things, many people do, I don't think any deiscussion here is likely to be more
useful to you.
--
Bill Davidsen <davidsen(a)tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
2:28 p.m.
Am 08.04.2012 21:24, schrieb Frantisek Hanzlik:
>>> the stack is disabled entirely and the memory footprint
may
>>> be the same as unloaded module and code paths on different
>>> places which has to check this
>>
>> Here I eventually agree with You
>
> hm you agree about memory fooprint
> you can disable ipv6 entirely
>
> so again: what is your problem?
Yeah, finitely we are back at my beginning question, fine.
Maybe $SUBJECT is incomprehensible, my English is poor.
I was asked for any reason(s) why now is ipv6 compiled in
kernel instead of previous (several months ago) state when
it was kernel module, for years.
For the present I cannot see any good arguments or references.
well, this link was posted as the last one came up
with this question some days ago:
http://lists.fedoraproject.org/pipermail/kernel/2011-June/003105.html
2:24 p.m.
Reindl Harald wrote:
Am 08.04.2012 14:07, schrieb Frantisek Hanzlik:
> Networking code has especial position, as bugs / problems /
> misconfigurations in it have strong impact to machine security.
> And I simply do not want do any ip6tables and other ipv6
> security configuration - because I do not want use ipv6
> _entirely_
so disable it
what is your exactly problem?
i maintain 20 public fedora machines and no
single one has any ipv6 configuration becuase
i disabled it as explained - why can you do
not the same?
>>> 2) something (NetworkManager or other malware;) can easily activate it.
>>
>> who told you so?
>> how can NetworkManager override a KERNEL parameter?
>
> Have I after each update supervise whether NM or other stuff
> made some unwanted changes - maybe even on kernel commandline?
> And after each reboot again? No, I don´t want it.
boah you have to disable it once for years as you
gad to disable the odule all the years before
NM is not in the position to overrdie kernel-parameters
kernel-parameters are not changed by updates
so again: what is your problem?
>> in times where it was a loadable module it was the same
>> you had to make sure to disable it AND it was loaded
>> most of the time
>>
> even if I wipe it from disk most services was able reconstruct
> it and load again ;)
so and what is the difference now?
>> the stack is disabled entirely and the memory footprint may
>> be the same as unloaded module and code paths on different
>> places which has to check this
>
> Here I eventually agree with You
hm you agree about memory fooprint
you can disable ipv6 entirely
so again: what is your problem?
Yeah, finitely we are back at my beginning question, fine.
Maybe $SUBJECT is incomprehensible, my English is poor.
I was asked for any reason(s) why now is ipv6 compiled in
kernel instead of previous (several months ago) state when
it was kernel module, for years.
For the present I cannot see any good arguments or references.
12:55 p.m.
Am 08.04.2012 14:07, schrieb Frantisek Hanzlik:
Networking code has especial position, as bugs / problems /
misconfigurations in it have strong impact to machine security.
And I simply do not want do any ip6tables and other ipv6
security configuration - because I do not want use ipv6
_entirely_
so disable it
what is your exactly problem?
i maintain 20 public fedora machines and no
single one has any ipv6 configuration becuase
i disabled it as explained - why can you do
not the same?
>> 2) something (NetworkManager or other malware;) can easily
activate it.
>
> who told you so?
> how can NetworkManager override a KERNEL parameter?
Have I after each update supervise whether NM or other stuff
made some unwanted changes - maybe even on kernel commandline?
And after each reboot again? No, I don´t want it.
boah you have to disable it once for years as you
gad to disable the odule all the years before
NM is not in the position to overrdie kernel-parameters
kernel-parameters are not changed by updates
so again: what is your problem?
> in times where it was a loadable module it was the same
> you had to make sure to disable it AND it was loaded
> most of the time
>
even if I wipe it from disk most services was able reconstruct
it and load again ;)
so and what is the difference now?
> the stack is disabled entirely and the memory footprint may
> be the same as unloaded module and code paths on different
> places which has to check this
Here I eventually agree with You
hm you agree about memory fooprint
you can disable ipv6 entirely
so again: what is your problem?
7:07 a.m.
Reindl Harald wrote:
Am 08.04.2012 13:05, schrieb Frantisek Hanzlik:
> Yes, I have it (as You wrote, on kernel cmdline - as having it in
> sysctl.conf seems not enough). But this nothing change on fact that
> 1) I have unwanted things included in kernel
not really relevant
we both can not say how much more overhead in kernel
code would be on different places to respect
if it is loaded or not compared with a "module"
which is aware that it is disabled
Networking code has especial position, as bugs / problems /
misconfigurations in it have strong impact to machine security.
And I simply do not want do any ip6tables and other ipv6
security configuration - because I do not want use ipv6
_entirely_
> 2) something (NetworkManager or other malware;) can easily
activate it.
who told you so?
how can NetworkManager override a KERNEL parameter?
Have I after each update supervise whether NM or other stuff
made some unwanted changes - maybe even on kernel commandline?
And after each reboot again? No, I don´t want it.
in times where it was a loadable module it was the same
you had to make sure to disable it AND it was loaded
most of the time
even if I wipe it from disk most services was able reconstruct
it and load again ;)
did you ever notice the dmesg messages about ipv6 is disabled and
you have to reboot to enable it again while it was loaded
all the time (this messages which appear if you remove "quiet"
from the kernel-parameters and most people do not recognize)
> As module, I can better control how use it and save memory too
> (although when ipv6 stack is disabled entirely, memory requirements
> may be lower - I not study about this)
the stack is disabled entirely and the memory footprint may
be the same as unloaded module and code paths on different
places which has to check this
Here I eventually agree with You.
6:42 a.m.
2012/4/8 Reindl Harald <h.reindl(a)thelounge.net>:
Am 08.04.2012 13:27, schrieb Alchemist:
> I have disabled ipv6 permanently since F14, and no problem. Just add
> "install ipv6 /bin/true to /etc/modprobe.d/dist.conf"(old variant) or
> "blacklist ipv6" to /etc/modprobe.d/blacklist.conf and
> "net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf. There is
> nothing you cant control in your Fedora setup.
but if you would take a look now you would recognize that
this all does no longer work since we are no longer
speak about a loadable module
and that is why you have to add "ipv6.disable=1" as kernel parameter
with recent kernel builds of F15/F16
> net.ipv6.conf.all.disable_ipv6 = 1
this is nice but only a part of the game and does
not disbale ipv6 completly!
try "netstat --numeric-hosts --numeric-ports --notrim --programs -u -t -l"
and you will see ntpd and samba as example listen on the ipv6 loopback
and also error messages in this context in several services if
you do this after machine has bootet
AGAIN: "ipv6.disable=1" as kernel-param is the only real way to
disable ipv6 at all in recent kernels and after that even your
proposed sysctl parameters will lead in errors because after
disable it they are no longer present
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
I have not ntpd or samba installed neither, but i will take deeper
research. On my systems i use lsof -i6, and everything seems ok.
6:33 a.m.
Am 08.04.2012 13:27, schrieb Alchemist:
I have disabled ipv6 permanently since F14, and no problem. Just add
"install ipv6 /bin/true to /etc/modprobe.d/dist.conf"(old variant) or
"blacklist ipv6" to /etc/modprobe.d/blacklist.conf and
"net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf. There is
nothing you cant control in your Fedora setup.
but if you would take a look now you would recognize that
this all does no longer work since we are no longer
speak about a loadable module
and that is why you have to add "ipv6.disable=1" as kernel parameter
with recent kernel builds of F15/F16
net.ipv6.conf.all.disable_ipv6 = 1
this is nice but only a part of the game and does
not disbale ipv6 completly!
try "netstat --numeric-hosts --numeric-ports --notrim --programs -u -t -l"
and you will see ntpd and samba as example listen on the ipv6 loopback
and also error messages in this context in several services if
you do this after machine has bootet
AGAIN: "ipv6.disable=1" as kernel-param is the only real way to
disable ipv6 at all in recent kernels and after that even your
proposed sysctl parameters will lead in errors because after
disable it they are no longer present
5:16 a.m.
Am 08.04.2012 05:13, schrieb Frantisek Hanzlik:
I think all know modular kernel advantages over modules fixly
compiled
into, thus I cannot understand why ipv6 should be exception. And about
some dependencies - from F15 new systemd should perhaps serve all
dependencies much better and easily, it's true?
> Download the
> kernel source and rebuild if it really bugs you on memory.
You mean it seriously? Of course, it is way... But switch to another
distro is in some cases more easier.
is this so?
and you are 100% sure that in the next release there will not happen the same?
so why do you simply not calm down and add "ipv6.disable=1" to
your kernel-parameters so you will not notice anything about ipv6
after the next boot?
6:27 a.m.
I have disabled ipv6 permanently since F14, and no problem. Just add
"install ipv6 /bin/true to /etc/modprobe.d/dist.conf"(old variant) or
"blacklist ipv6" to /etc/modprobe.d/blacklist.conf and
"net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf. There is
nothing you cant control in your Fedora setup.
6:05 a.m.
Reindl Harald wrote:
Am 08.04.2012 05:13, schrieb Frantisek Hanzlik:
> I think all know modular kernel advantages over modules fixly compiled
> into, thus I cannot understand why ipv6 should be exception. And about
> some dependencies - from F15 new systemd should perhaps serve all
> dependencies much better and easily, it's true?
>
>> Download the
>> kernel source and rebuild if it really bugs you on memory.
>
> You mean it seriously? Of course, it is way... But switch to another
> distro is in some cases more easier.
is this so?
and you are 100% sure that in the next release there will not happen the same?
so why do you simply not calm down and add "ipv6.disable=1" to
your kernel-parameters so you will not notice anything about ipv6
after the next boot?
Yes, I have it (as You wrote, on kernel cmdline - as having it in
sysctl.conf seems not enough). But this nothing change on fact that
1) I have unwanted things included in kernel, and
2) something (NetworkManager or other malware;) can easily activate
it.
As module, I can better control how use it and save memory too
(although when ipv6 stack is disabled entirely, memory requirements
may be lower - I not study about this).
6:15 a.m.
Am 08.04.2012 13:05, schrieb Frantisek Hanzlik:
Yes, I have it (as You wrote, on kernel cmdline - as having it in
sysctl.conf seems not enough). But this nothing change on fact that
1) I have unwanted things included in kernel
not really relevant
we both can not say how much more overhead in kernel
code would be on different places to respect
if it is loaded or not compared with a "module"
which is aware that it is disabled
2) something (NetworkManager or other malware;) can easily activate
it.
who told you so?
how can NetworkManager override a KERNEL parameter?
in times where it was a loadable module it was the same
you had to make sure to disable it AND it was loaded
most of the time
did you ever notice the dmesg messages about ipv6 is disabled and
you have to reboot to enable it again while it was loaded
all the time (this messages which appear if you remove "quiet"
from the kernel-parameters and most people do not recognize)
As module, I can better control how use it and save memory too
(although when ipv6 stack is disabled entirely, memory requirements
may be lower - I not study about this)
the stack is disabled entirely and the memory footprint may
be the same as unloaded module and code paths on different
places which has to check this
10:13 p.m.
Bill Davidsen wrote:
Frantisek Hanzlik wrote:
> Hello, up to Fedora 15 including, there was ipv6 as loadable kernel
> module and was not problem disable/not load it. But recent F15 and
> F16 kernels have IPV6 support compiled in kernel, know anyone for
> which reason? For IPv4-only sites (which is absolute majority) this
> is unneeded...
>
The only reason I can see is to allow the ip6tables firewall stuff to
work rather than take unknown protocol processing paths.
I think all know modular kernel advantages over modules fixly compiled
into, thus I cannot understand why ipv6 should be exception. And about
some dependencies - from F15 new systemd should perhaps serve all
dependencies much better and easily, it's true?
Download the
kernel source and rebuild if it really bugs you on memory.
You mean it seriously? Of course, it is way... But switch to another
distro is in some cases more easier.
12:20 p.m.
Frantisek Hanzlik wrote:
Hello, up to Fedora 15 including, there was ipv6 as loadable kernel
module and was not problem disable/not load it. But recent F15 and
F16 kernels have IPV6 support compiled in kernel, know anyone for
which reason? For IPv4-only sites (which is absolute majority) this
is unneeded...
The only reason I can see is to allow the ip6tables firewall stuff to
work rather than take unknown protocol processing paths. Download the
kernel source and rebuild if it really bugs you on memory.
--
Bill Davidsen <davidsen(a)tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
10:09 a.m.
Frantisek Hanzlik wrote:
Hello, up to Fedora 15 including, there was ipv6 as loadable kernel
module and was not problem disable/not load it. But recent F15 and
F16 kernels have IPV6 support compiled in kernel, know anyone for
which reason? For IPv4-only sites (which is absolute majority) this
is unneeded...
http://lists.fedoraproject.org/pipermail/kernel/2011-June/003105.html
It is future ;)
4430
days inactive
4446
days old
14 comments
4 participants
participants (4)
-
Alchemist -
Bill Davidsen -
Franta Hanzlík -
Reindl Harald