Would it be possible to change the behaviour of tcp + "[::]" and tcp + "0.0.0.0" on Linux based on the value of /proc/sys/net/ipv6/bindv6only?
E.g. net.Listen("tcp",[::]:3000) and net.Listen("tcp",0.0.0.0:3000) now listen both on IPv4 and IPv6.
This may not be the behaviour an administrator expects.
If he has bindv6only enabled it should only listen on IPv6. Otherwise it may create a security risk, especially when using http.ListenAndServe where you cannot specify a network.
Maybe net.probeIPv6Stack() can be extended to check for the bindv6only value on Linux?
Listen announces on the local network address laddr. The network net must be a stream-oriented network: "tcp", "tcp4", "tcp6", "unix" or "unixpacket". See Dial for the syntax of laddr.
Where the func Dial docs aren't very helpful about listening.
With bindv6only=1, Listen("tcp", "[::]:port") is IPv6-only, and Listen("tcp", "0.0.0.0:port") / Listen("tcp", ":port") are IPv4-only. I would argue that "tcp" with any wildcard should always listen on both IPv4+IPv6 using either one dual-stack socket, or two single-stack sockets (unless the kernel is IPv4/IPv6-only, of course). The issues I filed back in #9334 still stand.
The "tcp4" and "tcp6" modes allow you to force single-stack sockets. For anything more advanced, the socket API is not a great place to put firewall rules.
I don't think we should change the default behaviors here at this point. Explicit opt-in to a different behavior is fine, but that already exists: use tcp4 or tcp6.
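The opt-in described above, as an added example that is not part of the thread or of the Go project's code: the listener is created with an explicit tcp4 or tcp6 network and handed to http.Serve, since http.ListenAndServe takes no network argument, and the socket is then checked by reading back IPV6_V6ONLY. The helper names listenSingleStack and stackOf and the address 0.0.0.0:3000 are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"syscall"
)

// listenSingleStack (hypothetical helper) rejects the ambiguous "tcp" network.
func listenSingleStack(network, addr string) (net.Listener, error) {
	if network != "tcp4" && network != "tcp6" {
		return nil, fmt.Errorf("network %q is not single-stack; use tcp4 or tcp6", network)
	}
	return net.Listen(network, addr)
}

// stackOf (hypothetical helper) reports which address families the socket accepts.
func stackOf(tl *net.TCPListener) (string, error) {
	if tl.Addr().(*net.TCPAddr).IP.To4() != nil {
		return "ipv4-only", nil // AF_INET socket, IPv6 cannot reach it
	}
	rc, err := tl.SyscallConn()
	if err != nil {
		return "", err
	}
	var v6only int
	ctlErr := rc.Control(func(fd uintptr) {
		v6only, err = syscall.GetsockoptInt(int(fd), syscall.IPPROTO_IPV6, syscall.IPV6_V6ONLY)
	})
	if ctlErr != nil || err != nil {
		return "", fmt.Errorf("reading IPV6_V6ONLY: %v, %v", ctlErr, err)
	}
	if v6only == 1 {
		return "ipv6-only", nil
	}
	return "dual-stack", nil // AF_INET6 socket that also accepts IPv4-mapped peers
}

func main() {
	ln, err := listenSingleStack("tcp4", "0.0.0.0:3000") // constructed address
	if err != nil {
		log.Fatal(err)
	}
	stack, err := stackOf(ln.(*net.TCPListener))
	log.Println("listening on", ln.Addr(), "as", stack, err)
	log.Fatal(http.Serve(ln, http.NotFoundHandler())) // instead of http.ListenAndServe
}
```

Calling stackOf on a listener from net.Listen("tcp", ":3000") shows what the default wildcard bind produced on the host in question.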