On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote:
> iked by default blocks all IPv6 traffic on a host unless any
> of the configured policies use v6. This was originally meant
> as a measure to prevent VPN leakage for people who did not
> think of IPv6 when configuring IPsec. With the -6 flag
> set, iked does not install this IPv6 blocking flow.

It is still considered a leakage prevention, although I doubt its usefulness.

> I think we should discuss whether we can remove the flow
> (and the -6 flag) as I constantly hear people complaining
> that it broke their setups and I don't think anyone
> expects some seemingly unrelated program breaking IPv6.

iked(8) is the only tool I know going completely counter-intuitive with its `-6' option; I expect those to behave like in nc(1). I'm in favour of removing the option and OK with your diff, but simply removing it is probably a bad idea given its nature. What about printing a deprecation warning so that users can safely adjust their rcctl flags instead of running into "iked(failed)" on the next snapshot?