From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=FUBu/nQW;
	dkim-atps=neutral
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	by passt.top (Postfix) with ESMTP id 2EA3F5A0275
	for <passt-dev@passt.top>; Fri, 16 Aug 2024 07:45:45 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1723787143;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=UO2iEB0o6HXb28Hq9hKxDEhsdNIIDFriN6oZV0G1nno=;
	b=FUBu/nQW44bO6H/Rq/rk/IydFXP4JdQlKmpwmb69xo9yNQhmyqtWgErxhb3BW0XXYiVPXA
	XYgFT5g8R366HlFz27pBc1cFgSobMmsXpqVM0yXqIJB67MMB3yy0zvZ9g2BWhEj8gpcnX6
	VvgbWZVx/aElO3fg1CnyZQjdx4PF0QY=
Received: from mail-lf1-f71.google.com (mail-lf1-f71.google.com
 [209.85.167.71]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-3-pgoOfA2wO0iaBpRdG-1m-w-1; Fri, 16 Aug 2024 01:45:42 -0400
X-MC-Unique: pgoOfA2wO0iaBpRdG-1m-w-1
Received: by mail-lf1-f71.google.com with SMTP id 2adb3069b0e04-530db30018aso1550883e87.2
        for <passt-dev@passt.top>; Thu, 15 Aug 2024 22:45:42 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1723787139; x=1724391939;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=UO2iEB0o6HXb28Hq9hKxDEhsdNIIDFriN6oZV0G1nno=;
        b=OqguCoGMb2HAzpsEYaNNIk5vkn7Vu8sOvKBt16f3ZFf1tC32hgUozdrmm7DGXtw0y4
         J1DL9WSecjETq3JgZR2HXCqFImM+H+eLmVceR+zV04uRDeLTKBexDsG/XKuz/iBWnoeS
         ecpzhCZnAX8LNAnyR2qaj9DXTqwcl6G+W1qrSanTjYWGAIzx8xh8wwXt9viKMmbGpAMX
         5ZCPZRhs+xg7FS4yb2L7l5CIguAl3AGUWpnhry92CCyo1J+GP21BWJCN6krRgPsEUNDN
         Uy+eijgyA8GTMEkXJKcZPwla4XCUbtpXXjTPbFkTcx6DgsGsocmOfLtQQMfvpi7bCWJ0
         bv/Q==
X-Gm-Message-State: AOJu0Ywsv7IDldQYA+e1avdka7V/fxwdl8ThSu5EiAGsHpzMZgAfOB52
	hU1K8C8H5wjcpY3gcIQZL1kzleEVcOzuLJSdKTYXMjmqosMi7gnmO1AD/VUUwUL+pARBZ3uvgM2
	UOXdfDAPZiilAun9hWc99s45YEQ5Ol7IAUvlItXEIUFbcROrdWqT4e+vHwQ==
X-Received: by 2002:a05:6512:ea1:b0:52e:9ab9:da14 with SMTP id 2adb3069b0e04-5331c6b3b76mr1190947e87.31.1723787139287;
        Thu, 15 Aug 2024 22:45:39 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IEqCyIiqNPpmVUE21vrTFfbs6E7PElw6EGmgU7LDDMPkfCHIRBrg2HSzbsadvNqBjbgSJtSVA==
X-Received: by 2002:a05:6512:ea1:b0:52e:9ab9:da14 with SMTP id 2adb3069b0e04-5331c6b3b76mr1190940e87.31.1723787138616;
        Thu, 15 Aug 2024 22:45:38 -0700 (PDT)
Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [176.103.220.4])
        by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-429ed78480fsm12716325e9.34.2024.08.15.22.45.37
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 15 Aug 2024 22:45:37 -0700 (PDT)
Date: Fri, 16 Aug 2024 07:45:35 +0200
From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [PATCH v2 4/7] netlink, pasta: Disable DAD for link-local
 addresses on namespace interface
Message-ID: <20240816074535.21d7f961@elisabeth>
In-Reply-To: <Zr6jkRZJNCg_Tx7H@zatzit.fritz.box>
References: <20240815083649.4188007-1-sbrivio@redhat.com>
	<20240815083649.4188007-5-sbrivio@redhat.com>
	<Zr3amZdB97Mog2oz@zatzit.fritz.box>
	<20240815125932.53f38296@elisabeth>
	<Zr6jkRZJNCg_Tx7H@zatzit.fritz.box>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.41; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: ELU7ZFJPZLMUDN6UMYKFC7XXWK6A225V
X-Message-ID-Hash: ELU7ZFJPZLMUDN6UMYKFC7XXWK6A225V
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, Paul Holzinger <pholzing@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20240816074535.21d7f961@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/ELU7ZFJPZLMUDN6UMYKFC7XXWK6A225V/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Fri, 16 Aug 2024 10:55:45 +1000
David Gibson <david@gibson.dropbear.id.au> wrote:

> On Thu, Aug 15, 2024 at 12:59:32PM +0200, Stefano Brivio wrote:
> > On Thu, 15 Aug 2024 20:38:17 +1000
> > David Gibson <david@gibson.dropbear.id.au> wrote:
> >   
> > > On Thu, Aug 15, 2024 at 10:36:46AM +0200, Stefano Brivio wrote:  
> > > > It makes no sense for a container or a guest to try and perform
> > > > duplicate address detection for their link-local address, as we'll
> > > > anyway not relay neighbour solicitations with an unspecified source
> > > > address.
> > > > 
> > > > While they perform duplicate address detection, the link-local address
> > > > is not usable, which prevents us from bringing up especially
> > > > containers and communicate with them right away via IPv6.
> > > > 
> > > > This is not enough to prevent DAD and reach the container right away:
> > > > we'll need a couple more patches.
> > > > 
> > > > As we send NLM_F_REPLACE requests right away, while we still have to
> > > > read out other addresses on the same socket, we can't use nl_do():
> > > > keep a count of messages we send (addresses we change) and deal with
> > > > the answer to those NLM_F_REPLACE requests in a separate loop, later.
> > > > 
> > > > Link: https://github.com/containers/podman/pull/23561#discussion_r1711639663
> > > > Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> > > > ---
> > > >  netlink.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > >  netlink.h |  1 +
> > > >  pasta.c   |  6 ++++++
> > > >  3 files changed, 62 insertions(+)
> > > > 
> > > > diff --git a/netlink.c b/netlink.c
> > > > index 873e6c7..59f2fd9 100644
> > > > --- a/netlink.c
> > > > +++ b/netlink.c
> > > > @@ -673,6 +673,61 @@ int nl_route_dup(int s_src, unsigned int ifi_src,
> > > >  	return 0;
> > > >  }
> > > >  
> > > > +/**
> > > > + * nl_addr_set_ll_nodad() - Set IFA_F_NODAD on IPv6 link-local addresses
> > > > + * @s:		Netlink socket
> > > > + * @ifi:	Interface index in target namespace
> > > > + *
> > > > + * Return: 0 on success, negative error code on failure
> > > > + */
> > > > +int nl_addr_set_ll_nodad(int s, unsigned int ifi)
> > > > +{
> > > > +	struct req_t {
> > > > +		struct nlmsghdr nlh;
> > > > +		struct ifaddrmsg ifa;
> > > > +	} req = {
> > > > +		.ifa.ifa_family    = AF_INET6,
> > > > +		.ifa.ifa_index     = ifi,
> > > > +	};
> > > > +	unsigned ll_addrs = 0;
> > > > +	struct nlmsghdr *nh;
> > > > +	char buf[NLBUFSIZ];
> > > > +	ssize_t status;
> > > > +	uint32_t seq;
> > > > +
> > > > +	seq = nl_send(s, &req, RTM_GETADDR, NLM_F_DUMP, sizeof(req));
> > > > +	nl_foreach_oftype(nh, status, s, buf, seq, RTM_NEWADDR) {
> > > > +		struct ifaddrmsg *ifa = (struct ifaddrmsg *)NLMSG_DATA(nh);
> > > > +		struct rtattr *rta;
> > > > +		size_t na;
> > > > +
> > > > +		if (ifa->ifa_index != ifi || ifa->ifa_scope != RT_SCOPE_LINK)
> > > > +			continue;
> > > > +
> > > > +		ifa->ifa_flags |= IFA_F_NODAD;
> > > > +
> > > > +		for (rta = IFA_RTA(ifa), na = IFA_PAYLOAD(nh); RTA_OK(rta, na);
> > > > +		     rta = RTA_NEXT(rta, na)) {
> > > > +			/* If 32-bit flags are used, add IFA_F_NODAD there */
> > > > +			if (rta->rta_type == IFA_FLAGS)
> > > > +				*(uint32_t *)RTA_DATA(rta) |= IFA_F_NODAD;
> > > > +		}
> > > > +
> > > > +		nl_send(s, nh, RTM_NEWADDR, NLM_F_REPLACE, nh->nlmsg_len);
> > > > +		ll_addrs++;
> > > > +	}
> > > > +
> > > > +	if (status < 0)
> > > > +		return status;    
> > > 
> > > Ah... one gotcha with the nl_send() in the loop.  We should make sure
> > > we get the responses from any of those we sent, even if the original
> > > request failed.  Otherwise we'll be out of sync on the netlink socket again.  
> > 
> > I'm ignoring the return code of nl_send(), so, minus the issue you're
> > raising about nl_foreach() below, that should already be sorted, right?  
> 
> No.  The return code from nl_send() is mostly irrelevant - it's just
> the sequence number (other errors die()).  But the point is you've
> queued requests, so the kernel will queue responses and if you exit
> the function here, nothing will consume them.

Oh, that's what I missed: you were referring to this return statement.
Sure, I understand that we need to consume those, hence the
nl_foreach() later, but I missed the fact that, of course, we wouldn't
necessarily reach it.

> > > > +	seq += ll_addrs;
> > > > +
> > > > +	nl_foreach(nh, status, s, buf, seq)
> > > > +		warn("netlink: Unexpected response message");    
> > > 
> > > I don't think this will work right if there's > 1 address.  It will be
> > > looking for the last sequence number on the first iteration and will
> > > die in nl_status() when it mismatches.  
> > 
> > Ah, oops, right.
> >   
> > > Maybe just loop on nl_next() until you get the last seq number, then
> > > call nl_status()?  
> > 
> > How do I check for errors on the answers before the next one? I mean,
> > nl_foreach() should fit here, it's just that I need to start from the
> > right sequence number.
> >   
> > > That also means you could just save the seq each
> > > time you nl_send(), overwriting the previous one, rather than relying
> > > on the fact that we allocate seqs, well, sequentially.  
> > 
> > I don't understand how this fits with calling nl_next() until I get
> > to the last sequence number. Letting that aside, can't I simply use
> > nl_foreach(), but start with the sequence of the first nl_send()
> > instead of the last one?  
> 
> Uh.. yeah, it's a bit fiddly.  Especially since in those foreach loops
> status does double duty as the remaining data in the current message
> and as the status code.
> 
> # Option 1
> 
> Assuming contiguous sequence numbers, which is true for now.
> 
> - Change the nl_send() within the first loop to
> 	last_seq = nl_send(...)
> 
> Then immediately after the first loop
> 
> int status2 = status;
> 
> for (seq++; seq <= last_seq; seq++) {
> 	nl_foreach(nh, status2, s, buf, seq)
> 		;
> 	if (status == 0)
> 		status = status2;
> }
> At this point you will have consumed all the responses and status will
> have the first reported error code.

This looks to me like the easiest to follow, thanks for the thorough
descriptions! I'm going with this one in v3.

> # Option 2
> 
> Refactor nl_status() to have a version that reports sequence number
> instead of taking & checking it. Loop on nl_next() until
> nl_status_variant() returns <= 0 *and* the last sequence number.
> 
> # Option 3
> 
> Open-coded version of (2)
> 
> ssize_t err = status;
> 
> do {
> 	nh = nl_next(s, buf, nh, &status);
> 	if (err == 0 && nh->nl_msg_type == NLMSG_ERR) {
> 		struct nlmsgerr *errmsg = (struct nlmsgerr *)NLMSG_DATA(nh);
> 		err = errmsg->error;
> 	}
> } while (ng->nlmsg_seq != last_seq ||
> 	(nh->nlmsg_type != NLMSG_DONE && nh->nlmsg_type != NLMSG_ERROR));
> 
> And at this point, again, you've consumed all the responses and 'err'
> has the first error code.  I think this is roughly what I was
> suggesting originally, but it is messier than I thought.

-- 
Stefano