Mailing List Archive

Freshclam IPv6 error messages on IPv4-only systems
This has been mentioned at various points in several threads over the past
week or two (sometimes off-hand), but just wanted to somewhat consolidate
them here and also add my +1 to getting this bug addressed in ClamAV soon!

Per [1]:

> This is a ipv4 site, and I occasionally get ipv6 error messages --
> maybe 4 a week. They don't seem to cause any particular problem. A
> freshclam.config option to disable ipv6 would fix that. Or maybe a
> "protocol {ipv4|ipv6|any}" option.

I wholeheartedly agree with this, although I seem to run into these error
messages more often (maybe due to my update frequency). It seems that
db.us.clamav.net used to be only IPv4 addresses, since there's also a
db.us.ipv6.clamav.net option, but that seems to have changed in at least
the past month or so, as it now lists half IPv4 and half IPv6 addresses
[2]. database.clamav.net is also the same way now [3]. This causes issues
for IPv4-only sites (out of my control to use IPv6), as we consistently get
error messages in the logs like

ERROR: Can't create new socket: Address family not supported by protocol

when running freshclam. It seems to still work, as it eventually tries an
IPv4 address, but it's really annoying to get all these error messages and
seems like it wouldn't be too hard to fix (although I know I don't know all
the details that might be involved). Any reason to not have a real
IPv4-only option? Or make the db.us.clamav.net actually only use IPv4
addresses again?

This was also brought up at [4] but there was no response.

Joel Esler mentioned it was on their radar and that "Micah may want to
comment further." [5], when responding to this being a bug in freshclam to
try IPv6 addresses on IPv4-only systems, but nothing more came from that
discussion.

As was mentioned in another thread on here [6], it makes sense to
completely disable the IPv6 stack on systems that have no IPv6
connectivity, as that negates having to worry about any security controls
for IPv6 at all. We disable IPv6 globally on all our systems through a
kernel parameter.

Is there any discussion or headway on getting this bug addressed sometime
soon?

Thanks.


[1]
http://lists.clamav.net/pipermail/clamav-users/2018-July/006458.html

[2]
~]# host db.us.clamav.net
db.us.clamav.net is an alias for db.us.clamav.net.cdn.cloudflare.net.
db.us.clamav.net.cdn.cloudflare.net has address 104.16.187.138
db.us.clamav.net.cdn.cloudflare.net has address 104.16.188.138
db.us.clamav.net.cdn.cloudflare.net has address 104.16.186.138
db.us.clamav.net.cdn.cloudflare.net has address 104.16.189.138
db.us.clamav.net.cdn.cloudflare.net has address 104.16.185.138
db.us.clamav.net.cdn.cloudflare.net has IPv6 address 2400:cb00:2048:1::6810:ba8a
db.us.clamav.net.cdn.cloudflare.net has IPv6 address 2400:cb00:2048:1::6810:bc8a
db.us.clamav.net.cdn.cloudflare.net has IPv6 address 2400:cb00:2048:1::6810:b98a
db.us.clamav.net.cdn.cloudflare.net has IPv6 address 2400:cb00:2048:1::6810:bd8a
db.us.clamav.net.cdn.cloudflare.net has IPv6 address 2400:cb00:2048:1::6810:bb8a

[3]
~]# host database.clamav.net
database.clamav.net is an alias for database.clamav.net.cdn.cloudflare.net.
database.clamav.net.cdn.cloudflare.net has address 104.16.185.138
database.clamav.net.cdn.cloudflare.net has address 104.16.188.138
database.clamav.net.cdn.cloudflare.net has address 104.16.187.138
database.clamav.net.cdn.cloudflare.net has address 104.16.189.138
database.clamav.net.cdn.cloudflare.net has address 104.16.186.138
database.clamav.net.cdn.cloudflare.net has IPv6 address 2400:cb00:2048:1::6810:bb8a
database.clamav.net.cdn.cloudflare.net has IPv6 address 2400:cb00:2048:1::6810:bc8a
database.clamav.net.cdn.cloudflare.net has IPv6 address 2400:cb00:2048:1::6810:b98a
database.clamav.net.cdn.cloudflare.net has IPv6 address 2400:cb00:2048:1::6810:bd8a
database.clamav.net.cdn.cloudflare.net has IPv6 address 2400:cb00:2048:1::6810:ba8a

[4]
http://lists.clamav.net/pipermail/clamav-users/2018-June/006398.html

[5]
http://lists.clamav.net/pipermail/clamav-users/2018-July/006442.html

[6]
http://lists.clamav.net/pipermail/clamav-users/2018-July/006409.html

--
Matt Vander Werf
HPC System Administrator
University of Notre Dame
Center for Research Computing - Union Station
506 W. South Street
South Bend, IN 46601
Phone: (574) 631-0692

Re: Freshclam IPv6 error messages on IPv4-only systems
On 04.07.2018 15:00, Matt Vander Werf wrote:
> This has been mentioned at various points in several threads over the
> past week or two (sometimes off-hand), but just wanted to somewhat
> consolidate them here and also add my +1 to getting this bug addressed
> in ClamAV soon!
>
> Per [1]:
>
> > This is a ipv4 site, and I occasionally get ipv6 error messages --
> > maybe 4 a week. They don't seem to cause any particular problem. A
> > freshclam.config option to disable ipv6 would fix that. Or maybe a
> > "protocol {ipv4|ipv6|any}" option.

just a hint
even if your host is IPv4 only, is IPv6 enabled and do you have a
fe80::xxx address?
just try to really disable IPv6 at host/kernel layer
e.g.

this entry in /etc/sysctl.conf
net.ipv6.conf.eth1.disable_ipv6 = 1

disables IPv6 at port eth1 at all, there is no fe80:xxx address at this
port ...

Walter

Re: Freshclam IPv6 error messages on IPv4-only systems
On 04.07.2018 at 15:42, Walter H. wrote:
> On 04.07.2018 15:00, Matt Vander Werf wrote:
>> This has been mentioned at various points in several threads over the
>> past week or two (sometimes off-hand), but just wanted to somewhat
>> consolidate them here and also add my +1 to getting this bug addressed
>> in ClamAV soon!
>>
>> Per [1]:
>>
>> > This is a ipv4 site, and I occasionally get ipv6 error messages --
>> > maybe 4 a week. They don't seem to cause any particular problem. A
>> > freshclam.config option to disable ipv6 would fix that. Or maybe a
>> > "protocol {ipv4|ipv6|any}" option.
> just a hint
> even if your host is IPv4 only, is IPv6 enabled and do you have a
> fe80::xxx address?
> just try to really disable IPv6 at host/kernel layer
> e.g.
>
> this entry in /etc/sysctl.conf
> net.ipv6.conf.eth1.disable_ipv6 = 1
>
> disables IPv6 at port eth1 at all, there is no fe80:xxx address at this
> port ...

The message Matt reported:

ERROR: Can't create new socket: Address family not supported by protocol

would seem to indicate that IPv6 is indeed completely disabled but
freshclam still tried to create an IPv6 socket anyway.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
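
The behaviour discussed in the messages above, as an added example (not freshclam's code and not part of the thread): a connect loop over mixed A/AAAA candidates that treats `EAFNOSUPPORT` from `socket()` as "skip this candidate" instead of a loggable error. The `socket_fn` hook, `ipv4_only_socket`, `try_candidates` and the candidate order are assumptions made for illustration; the addresses are taken from the `host` output quoted in the first message.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>

/* Hypothetical hook with the signature of socket(2), so the real call can be passed in. */
typedef int (*socket_fn)(int domain, int type, int protocol);

/* Constructed stand-in for a kernel with the IPv6 stack disabled. */
static int ipv4_only_socket(int domain, int type, int protocol) {
    (void)type; (void)protocol;
    if (domain == AF_INET6) { errno = EAFNOSUPPORT; return -1; }
    return 3; /* pretend descriptor; nothing is actually opened */
}

struct attempt { int family; int skipped; int errors; };

/* Return AF_INET or AF_INET6 for an address literal, -1 if it is neither. */
static int literal_family(const char *addr) {
    unsigned char buf[sizeof(struct in6_addr)];
    if (inet_pton(AF_INET, addr, buf) == 1) return AF_INET;
    if (inet_pton(AF_INET6, addr, buf) == 1) return AF_INET6;
    return -1;
}

/* Walk the candidates in resolver order and stop at the first usable family.
 * A real caller would keep the descriptor and connect() on it. */
static struct attempt try_candidates(const char *const *addrs, size_t n, socket_fn mk) {
    struct attempt r = { -1, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        int fam = literal_family(addrs[i]);
        if (fam < 0) { r.errors++; continue; }
        if (mk(fam, SOCK_STREAM, 0) >= 0) { r.family = fam; break; }
        if (errno == EAFNOSUPPORT) r.skipped++; /* host lacks this family: stay quiet */
        else r.errors++;                        /* any other failure deserves a log line */
    }
    return r;
}

/* Constructed order: AAAA answers first, then an A record. */
static const char *const SAMPLE[] = {
    "2400:cb00:2048:1::6810:ba8a", "2400:cb00:2048:1::6810:bc8a", "104.16.187.138",
};

int main(void) {
    struct attempt r = try_candidates(SAMPLE, 3, ipv4_only_socket);
    printf("family=%s skipped=%d errors=%d\n",
           r.family == AF_INET ? "IPv4" : "other", r.skipped, r.errors);
    return 0;
}
```

Passing `socket` itself as the hook runs the same loop against the local kernel.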

Re: Freshclam IPv6 error messages on IPv4-only systems
I always build ClamAV for our systems, and use the "--disable-ipv6"
option (among others) when building.

Part of the reason I build locally is so that I always have an old
version around in case something goes horribly wrong. Also, I can run
more realistic tests on the new build before cutting over.


On Wed, 4 Jul 2018 15:57:56 +0200
Tilman Schmidt <tschmidt@cardtech.de> wrote:

> On 04.07.2018 at 15:42, Walter H. wrote:
> > On 04.07.2018 15:00, Matt Vander Werf wrote:
> >> This has been mentioned at various points in several threads over
> >> the past week or two (sometimes off-hand), but just wanted to
> >> somewhat consolidate them here and also add my +1 to getting this
> >> bug addressed in ClamAV soon!
> >>
> >> Per [1]:
> >>
> >> > This is a ipv4 site, and I occasionally get ipv6 error messages
> >> > -- maybe 4 a week. They don't seem to cause any particular
> >> > problem. A freshclam.config option to disable ipv6 would fix
> >> > that. Or maybe a "protocol {ipv4|ipv6|any}" option.
> > just a hint
> > even if your host is IPv4 only, is IPv6 enabled and do you have a
> > fe80::xxx address?
> > just try to really disable IPv6 at host/kernel layer
> > e.g.
> >
> > this entry in /etc/sysctl.conf
> > net.ipv6.conf.eth1.disable_ipv6 = 1
> >
> > disables IPv6 at port eth1 at all, there is no fe80:xxx address at
> > this port ...
>
> The message Matt reported:
>
> ERROR: Can't create new socket: Address family not supported by
> protocol
>
> would seem to indicate that IPv6 is indeed completely disabled but
> freshclam still tried to create an IPv6 socket anyway.
