Comment 60 for bug 24828

Trent Lloyd (lathiat) wrote : Re: [Bug 24828] Re: IPv6 should be disabled by default

Howdy,

<snip>
>>> breaking ip6tables completely, since IPv6 autoloading got disabled,
>>> and any sane person will do firewall configuration before
>>> configuring the network interfaces.
> On my system, the upgrade also had the very unkind effect ofI usually
> load a firewall on given protocol once lo is up on that protocol for 2
> reasons
> I don't. Is it a reason to break my working system?
>
> Besides, it does not work either, since there was no need to set inet6
> explicitly on lo so far.
>
I have to say I am somewhat in agreeance that this should potentially be
made to apply "only to new installs", because it can break existing
machines that are only available via IPv6, etc.

<snip>
>> 2) it is always executed before any real interface is up.
>>
>
> That's a side effect. In practice, lo is created by the kernel, and the
> lo interface in /etc/network/interfaces is really a cosmetic entry.
>
That is not correct, the kernel creates 'lo' just like it creates eth0,
eth1, etc, but it does not configure an IP.
This is what that stanza does.
>
>> Another way to hook up a firewall script to a specific protocol is to
>> use the /etc/modprobe.d/ to run a script as soon as a certain module
>> is loaded.
>>
>
> If ipv6 gets loaded after some real interface is brought up, we get an
> unfirewalled time window, which was the precise reason for not doing it
> that way.
>
Put lo before any other interfaces in 'auto' and that should not happen
AFAIK.

<snip>
>> It appears somebody is using it this way and it was brought up as use
>> case. I will check this up again.
>>
>
> It appears many more people are using IPv6 and expect it to work out of
> the box on their Ubuntu Feisty, as it did in Dapper and Edgy. From
> reading the bug thread and the rants on freenode/#ipv6, I have a
> feeling I am not the only one.
>
> 18:44 remi@auguste ~% host basile.link
> basile.link has IPv6 address fe80::211:11ff:fe25:e6b4
> 18:44 remi@auguste ~% ssh basile.link
> ssh: connect to host basile.link port 22: Invalid argument
> 18:44 remi@auguste ~% ssh basile.link%eth0
> ssh: basile.link%eth0: Name or service not known
> 18:44 remi@auguste ~% ping6 basile.link
> connect: Invalid argument
> 18:44 remi@auguste ~% ping6 basile.link -I eth0 -c 1
> PING basile.link(basile.link) from fe80::20d:60ff:fe38:6d16 eth0: 56
> data bytes
> 64 bytes from basile.link: icmp_seq=1 ttl=64 time=0.167 ms
>
> --- basile.link ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 0.167/0.167/0.167/0.000 ms
>
> ping6 is the only application that can handle this, which is of pretty
> limited use. Also, when you're down to doing link diagnostics, you
> probably cannot reach the DNS server, so you'd better use numerical
> addresses anyway.
>
Link local addresses aren't limited to just "link diagnostics", also
when using avahi/zeroconf, you may well have dns for just the local link.

It is true, and somewhat annoying, that using link local IPs requires
interfaces to be specifically set; some applications will do this, some
won't. This is an ongoing issue in relation to Avahi right now.

<snip>

Cheers,
Trent
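
The ordering point discussed in the message above (a firewall hook attached to lo only closes the unfirewalled window if lo comes before every other interface in 'auto'), as an added example that is not part of the original message or the bug thread. It is a static check of /etc/network/interfaces text; the sample configs and the /etc/ip6tables.rules path are constructed, and it assumes the hook is a pre-up/up line that mentions ip6tables.

```python
# Added example: sample configs below are constructed, not from the bug report.

def parse(text):
    """Return (auto order, interfaces whose iface stanza loads ip6tables rules)."""
    order, hooks, current = [], [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0]
        if key in ("auto", "allow-auto"):
            # ifup -a brings interfaces up in the order they are listed
            order += [n for n in words[1:] if n not in order]
            current = None
        elif key == "iface" and len(words) > 1:
            current = words[1]
        elif key.startswith("allow-") or key in ("mapping", "source"):
            current = None
        elif key in ("pre-up", "up") and current and "ip6tables" in raw:
            if current not in hooks:
                hooks.append(current)
    return order, hooks

def check(text):
    """List ordering problems that would leave an interface up before the rules load."""
    order, hooks = parse(text)
    if not hooks:
        return ["no iface stanza loads ip6tables rules"]
    problems = []
    for iface in hooks:
        if iface not in order:
            problems.append(f"{iface}: has the hook but is not listed in 'auto'")
        elif order.index(iface) > 0:
            early = ", ".join(order[:order.index(iface)])
            problems.append(f"{iface}: {early} brought up before the rules load")
    return problems

LO_STANZAS = ("iface lo inet loopback\niface lo inet6 loopback\n"
              "    pre-up ip6tables-restore < /etc/ip6tables.rules\n")
GOOD = "auto lo eth0\n" + LO_STANZAS + "iface eth0 inet dhcp\n"
BAD = "auto eth0\niface eth0 inet dhcp\n\nauto lo\n" + LO_STANZAS

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check(cfg) or "ok")
```

The check covers only the order in which ifupdown processes the file; it says nothing about when the ipv6 module itself gets loaded.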