Anomalous IPv6 behavior on Linux

Linux has some strange default IPv6 behavior. Here are a few things I noticed…

You can bind to a port on an IPv4 address while all of your tools report that the port is on IPv6. For example, if your host is 198.51.100.1, you can bind to the IPv4-mapped address ::FFFF:198.51.100.1, and all state-checking tools like netstat, ss or lsof will report the listener as an IPv6 port. You can do this in netcat with nc -6 -l ::FFFF:198.51.100.1.

Linux does not appear to have a concept of a default IPv6 ruleset in which every chain is set to ACCEPT. Instead, running ip6tables-save simply returns blank output without a non-zero exit code. In a small deployment you can catch this, but in a mass deployment scenario it becomes quite problematic.

By default, binding to all IPv6 addresses (the :: wildcard) also binds to all IPv4 addresses. This can be changed by setting the sysctl net.ipv6.bindv6only to 1. This seems like a very poor default.
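Both of the binding quirks above (an IPv4-mapped ::FFFF: listener shown as IPv6, and a :: wildcard that silently covers IPv4 unless bindv6only=1) are easy to misread when auditing ss or netstat output. The following is an added example, not code from the original post: it parses a constructed sample of ss -ltn output and labels each listener with the address family clients can actually reach it on. The sample lines, the column layout and the assumed bindv6only value are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of `ss -ltn` output (not a capture from a real host);
# 198.51.100.1 is the documentation address used in the post above.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port          Peer Address:Port
LISTEN  0       128     0.0.0.0:22                  0.0.0.0:*
LISTEN  0       128     [::ffff:198.51.100.1]:8080  [::]:*
LISTEN  0       4096    [::]:443                    [::]:*
LISTEN  0       128     [::1]:6379                  [::]:*
"""

# Local address is the fourth column; IPv6 addresses are bracketed by ss.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+\[?([^\s\]]+)\]?:(\d+)\s")


def classify_listener(addr_text, bindv6only=0):
    """Classify one local address the way a reader of ss/netstat output should.

    bindv6only is the assumed value of net.ipv6.bindv6only (Linux default 0)."""
    ip = ipaddress.ip_address(addr_text)
    if ip.version == 4:
        return {"kind": "ipv4", "ipv4": str(ip)}
    mapped = ip.ipv4_mapped  # IPv4Address for ::ffff:a.b.c.d, otherwise None
    if mapped is not None:
        # Reported as IPv6 by the tools, but only IPv4 clients can reach it.
        return {"kind": "ipv4-mapped", "ipv4": str(mapped)}
    if ip.is_unspecified:
        # [::] also covers every IPv4 address unless bindv6only=1.
        if bindv6only == 0:
            return {"kind": "wildcard-dual-stack", "ipv4": "0.0.0.0"}
        return {"kind": "wildcard-ipv6-only", "ipv4": None}
    return {"kind": "ipv6", "ipv4": None}


def audit_listeners(ss_output, bindv6only=0):
    """Parse `ss -ltn` output and return one record per LISTEN line."""
    records = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header or non-LISTEN line
        addr, port = m.group(1), int(m.group(2))
        rec = {"addr": addr, "port": port}
        rec.update(classify_listener(addr, bindv6only))
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{r['addr']}:{r['port']:<6} {r['kind']:<20} ipv4={r['ipv4']}")
```

On a real host, feed it the output of ss -ltn and the current value of net.ipv6.bindv6only from sysctl to get the same labelling.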