From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: passt.top; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=CpdHcG1k; dkim-atps=neutral Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by passt.top (Postfix) with ESMTPS id 1A25F5A0271 for ; Sun, 11 Jan 2026 00:33:35 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1768088014; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=r4DRQFsGE3m1Tp6qEbyDwA+Azvqpm97Ch36X9wYkJic=; b=CpdHcG1k1DNIpsBhWGts62KVqTG8CttHWgiBTEbBjL0vlw9gF46mHXZNezvUHsQjMPiIyW 9Sb56RiAC8wDNF1YGBk3ClKQOfnK4y6qPzmhrX/DdTfdRorqluDGfFjy3JnaRM/R7U774a 0atfDA5ovSs60a1nRRUVk5/f3viWmXY= Received: from mail-wr1-f72.google.com (mail-wr1-f72.google.com [209.85.221.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-526-49YY1FmwNmi1t0VpsuR3Wg-1; Sat, 10 Jan 2026 18:33:32 -0500 X-MC-Unique: 49YY1FmwNmi1t0VpsuR3Wg-1 X-Mimecast-MFC-AGG-ID: 49YY1FmwNmi1t0VpsuR3Wg_1768088011 Received: by mail-wr1-f72.google.com with SMTP id ffacd0b85a97d-430fd96b440so2686536f8f.1 for ; Sat, 10 Jan 2026 15:33:32 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768088011; x=1768692811; h=content-transfer-encoding:mime-version:organization:references :in-reply-to:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=r4DRQFsGE3m1Tp6qEbyDwA+Azvqpm97Ch36X9wYkJic=; b=WIGm1CCDnnR2J8w9Qtc+dbSMN368YrneKNi8QZc7tgaIbKETuEO1vR9xG7CFFNdIXo gyP/fMKXScr3AB5m7ygXqk5svFL0ivTD30oe8+ctMbATh+9I4gK3ZY/gKQY+TK2p9IUS PFwLR91SbTCOSUtr+Xx89nfrEYz3IvHy0Ga+J8ltnrIGkBbuQpA/QgaiKPSJkIU8EiKd POEPiA+J1ifJlBuiS6oQCiTh3wmr4GPx4ziJW4Ld9k/UBV/Z667yHip+2g9bbPWfASFC 3JfVK9563A1Guei11EEPEMi6L5SeAbjtDcuu+eTzYbS8iD6d6xclUT1lru0jumzvwsNa Xrwg== X-Gm-Message-State: AOJu0YwEPJ9FNg5xA/1pUzXLdOyxYz+0y/0R54GFx0+T9Rm4ti/NobVZ fUebUtohaaauo7ACy5XoIOZXUPs7lXc8H8UpJw9ai7mqsPOj7oLMk8bH6fMlkYkEgX9+pfxuTq5 oBZ9EQp+oh7nq5lEQdsAqJdlieBJ5tXdqXpXm9gNEsUeDfrShrHU2lhj/OaK9YQ== X-Gm-Gg: AY/fxX4yU7MKQwB6uzoeiz4eeETgZTu0ggJlQldYlQod39115Fil26sQOL2vfL3fNpX xWzma8j9vydnDkDYP8fGOl+6RDlshUQf/5f6rbZC5/2gLI+iIDU3EXofCAiCcOyxjyaLc08pyhd geBNeH0X1sxlwhm8D2UYM08ahZZ+WQJ4Ndm1kHrXaChMWkqqKQgUMLEw+MH7alAUYWPzgFTFA+C efySr9chiXI6pX8NQ/qHjh1BZI7ZuOGtak89v97heSXsgQ6zmZSFAngpZsLlmDw6OiqLRLvm54/ 1tJ3Vx6Xp8CuT8XFbCcoFl9nRQbXDPzm0U/ZMm3aatFaagBpiCUp3vgyi64epFEtxsp84M6JhLh ta47RRf9t1ktMBLNpKStRROk0OCdUi96AgNNZHw== X-Received: by 2002:a5d:5f44:0:b0:430:f6c0:6c5e with SMTP id ffacd0b85a97d-432c364491dmr17157092f8f.28.1768088010676; Sat, 10 Jan 2026 15:33:30 -0800 (PST) X-Google-Smtp-Source: AGHT+IG8i2FCr7PufJvslUrcpojCKoebZpO+kPxmoRoU2eK1CqMw2XZf2EnSPwmltQrL6tbiD+wUwg== X-Received: by 2002:a5d:5f44:0:b0:430:f6c0:6c5e with SMTP id ffacd0b85a97d-432c364491dmr17157087f8f.28.1768088010271; Sat, 10 Jan 2026 15:33:30 -0800 (PST) Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [176.103.220.4]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-432bd5fe83bsm30365661f8f.38.2026.01.10.15.33.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 10 Jan 2026 15:33:29 -0800 (PST) Date: Sun, 11 Jan 2026 00:33:28 +0100 From: Stefano Brivio To: David Gibson Subject: Re: [PATCH 2/3] tcp, udp, conf: Don't silently ignore listens on unsupported IP versions Message-ID: <20260111003328.7e5f22ec@elisabeth> In-Reply-To: <20260105082850.1985300-3-david@gibson.dropbear.id.au> References: <20260105082850.1985300-1-david@gibson.dropbear.id.au> <20260105082850.1985300-3-david@gibson.dropbear.id.au> Organization: Red Hat X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu) MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: t3EL0TglINMaF3uNQu2v8XKuZMb3J4ClsBznqPcdoeM_1768088011 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Message-ID-Hash: UNHHF7YT3FQOMSFF35EEDLE2GQZBPXCA X-Message-ID-Hash: UNHHF7YT3FQOMSFF35EEDLE2GQZBPXCA X-MailFrom: sbrivio@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Mon, 5 Jan 2026 19:28:49 +1100 David Gibson wrote: > Currently, it's possible to explicitly ask for forwarding from an IPv4 > address, while disabling IPv4: > $ pasta -t 192.0.2.1/12345 -6 > or vice versa: > $ pasta -t 2001:db8::1/12345 -4 > > Currently, the impossible to implement forwarding option will be silently > ignored. That's potentially confusing since in a complex setup, it might > not be obvious why the requested forward isn't taking effect. > > Specifically, it's ignored at a fairly low level: tcp_listen() and > udp_listen() ignore it and return 0. Those run kind of late to give a > good error message. Change the low-level functions to return -EACCES > (chosen because that's what the kernel will return if you request IPv6 > when it's disabled by sysctl). I couldn't quite find out in which case EACCES is returned by the kernel. If I set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and then bind() an IPv6 address, after setting IPV6_FREEBIND, I get 0. If I disable IPv6 via command line (ipv6.disable=1) I get EAFNOSUPPORT on bind(), and EOPNOTSUPP on setting addresses and routes. EACCES, I couldn't quite spot it yet. > Most callers of {tcp,udp}_listen() ignore > the return code, so this is a no-op for them. In the remaining caller, > conf_ports_range_except() check for the case explicitly, and provide a > meaningful error message. > > Of itself, this bug is insignificant, but this is a roadblock to having > {tcp,udp}_listen() return socket fds, which in turn is a roadblock to my > flexible forwarding work. So, might as well fix it. > > Link: https://bugs.passt.top/show_bug.cgi?id=186 > > Signed-off-by: David Gibson > --- > conf.c | 10 ++++++++++ > tcp.c | 6 ++---- > udp.c | 6 ++---- > 3 files changed, 14 insertions(+), 8 deletions(-) > > diff --git a/conf.c b/conf.c > index 70ea168c..cc3c20a9 100644 > --- a/conf.c > +++ b/conf.c > @@ -162,6 +162,16 @@ static void conf_ports_range_except(const struct ctx *c, char optname, > optname, optarg); > } > > + if (addr) { > + if (!c->ifi4 && inany_v4(addr)) { > + die("IPv4 is disabled, can't use -%c %s", > + optname, optarg); > + } else if (!c->ifi6 && !inany_v4(addr)) { > + die("IPv6 is disabled, can't use -%c %s", > + optname, optarg); > + } > + } > + > for (i = first; i <= last; i++) { > if (bitmap_isset(exclude, i)) > continue; > diff --git a/tcp.c b/tcp.c > index e7fa85f3..67007c05 100644 > --- a/tcp.c > +++ b/tcp.c > @@ -2700,16 +2700,14 @@ int tcp_listen(const struct ctx *c, uint8_t pif, > /* Restrict to v6 only */ > addr = &inany_any6; > else if (inany_v4(addr)) > - /* Nothing to do */ > - return 0; > + return -EACCES; > } > if (!c->ifi6) { > if (!addr) > /* Restrict to v4 only */ > addr = &inany_any4; > else if (!inany_v4(addr)) > - /* Nothing to do */ > - return 0; > + return -EACCES; > } > > if (pif == PIF_HOST) { > diff --git a/udp.c b/udp.c > index eda55c39..8cfa1e1f 100644 > --- a/udp.c > +++ b/udp.c > @@ -1162,16 +1162,14 @@ int udp_listen(const struct ctx *c, uint8_t pif, > /* Restrict to v6 only */ > addr = &inany_any6; > else if (inany_v4(addr)) > - /* Nothing to do */ > - return 0; > + return -EACCES; > } > if (!c->ifi6) { > if (!addr) > /* Restrict to v4 only */ > addr = &inany_any4; > else if (!inany_v4(addr)) > - /* Nothing to do */ > - return 0; > + return -EACCES; > } > > s = pif_sock_l4(c, EPOLL_TYPE_UDP_LISTEN, pif, The rest looks good to me. -- Stefano