From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: passt.top; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=TZwsOHQ2; dkim-atps=neutral Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by passt.top (Postfix) with ESMTPS id CCACE5A0269 for ; Tue, 09 Jun 2026 11:42:33 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1780998152; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=7CRzehTG08r25VMUsKXk+xM0zoX95wHytYgGETsMaTs=; b=TZwsOHQ2TD2airQ7+2S2Rsr0Xege7R61F9KPWxrHnShixCKacYSUN6ZtlPDRvPBcRhoIbt AKZqJyjYbrhJOXIHlBbh1THCrx2X3kaBYzONdjsTXXw0kjPhB2dUls8vJ+uqBzIWINx+iU 4gxbC06IWoc0yAWfsmavpTKGSxctcrg= Received: from mail-wr1-f71.google.com (mail-wr1-f71.google.com [209.85.221.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-668-p9SfSk-3M3mYFdJnqscCfw-1; Tue, 09 Jun 2026 05:42:31 -0400 X-MC-Unique: p9SfSk-3M3mYFdJnqscCfw-1 X-Mimecast-MFC-AGG-ID: p9SfSk-3M3mYFdJnqscCfw_1780998150 Received: by mail-wr1-f71.google.com with SMTP id ffacd0b85a97d-45ef93c359fso4323055f8f.0 for ; Tue, 09 Jun 2026 02:42:31 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780998150; x=1781602950; h=date:content-transfer-encoding:mime-version:organization:references :in-reply-to:message-id:subject:cc:to:from:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=7CRzehTG08r25VMUsKXk+xM0zoX95wHytYgGETsMaTs=; b=RVncCT9ot8JMLxZ/VmDO4z0XXcuVp3Gh0e/lMwRBYAUv+ASpTF8TtYyuFxDrmZ1Ozc yDKPltlSvEZSUp8HSP3UdDNkcEty6ujrZzAkWX+iOhhSwJWrJ/Tvk7wTMGuGPHS9BqBj V6auBZLqavPsFu0JKnmBTvXunNp0oPd2RfINmNcD54fPVq+EyAPvLNhQH06MLK9qBh3P s4heLgJWgrNUKrZawCdBBEEDmVpzEXkvp3NqakftaYyI/piXjBVGngqZX3qVV+J4WfuI 9F9Lin5xWpHEWfFH/MaRiiikoNG1SLYz2LaI9N80ycynBrfGUixCgJ1bvtm02SmXBxaS E2dg== X-Gm-Message-State: AOJu0YyGD/iTdyqf+9+x19RdCYIEec1mwDD2+loLSAZ3JRDZmg3Lmrw9 htKby/7dz0u7Qua2NSCiVfZ3bHhP195zAmxKiMXoF5WIrQ2yrI6HSJQm4TK5SFLAnEyivF/sXGn WEqhId/xHirkkFCmMDyQq1iL7dyMg+SqZNAd10CtU/oIsS+ZCQx7Uiw== X-Gm-Gg: Acq92OFdKDUk80IgHuNwsNyjyb62gnfhNPF75mfvnC8cJsc/R4Hp6wze0ydnviEvsVW H7m86vnPqJbi6s+W2VNzRFTo/ivjubEPCl7WsgEDihOxR8wvKSC1z2jXyy5V0bl/YqcsGCNuKb2 3CfkdvaYvgigF1eWE6VpTe/rE11WH+WpyjLRFeeVrGPrHzdEKKNL8DGIfEaOFnuG4/RddzIhfhV OfhcPv26Cgfhmei+TG1DQpdt0JSnMDy6QMF61+BFtHFTFv0Kvx50Dun2/TQhbBq8P+sUQWzDEzC DgLQML+dbo1oxrpMQt6j2u64p/q7Zb2ZuWCMntyQP1HZr4zgQp5KOp3YLgQ+aKUy5TWDT4ZF8Rr A2wR5kkfHLvr0yWDAG+fAHLZybfgAJONVSKrCKHws0eAc2BWy9Nhl0T3Fm6tK X-Received: by 2002:a5d:6644:0:b0:45e:f780:6181 with SMTP id ffacd0b85a97d-46030501958mr20705656f8f.23.1780998150118; Tue, 09 Jun 2026 02:42:30 -0700 (PDT) X-Received: by 2002:a5d:6644:0:b0:45e:f780:6181 with SMTP id ffacd0b85a97d-46030501958mr20705613f8f.23.1780998149494; Tue, 09 Jun 2026 02:42:29 -0700 (PDT) Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [176.103.220.4]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4601f34413csm59654856f8f.21.2026.06.09.02.42.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Jun 2026 02:42:28 -0700 (PDT) From: Stefano Brivio To: David Gibson Subject: Re: [PATCH] conf, util: Disable IPv6 if explicit IPv6 socket probe fails Message-ID: <20260609114227.5e64c77e@elisabeth> In-Reply-To: References: <20260608202448.3523957-1-sbrivio@redhat.com> Organization: Red Hat X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu) MIME-Version: 1.0 Date: Tue, 09 Jun 2026 11:42:28 +0200 (CEST) X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: gJ0jF9d2L0T4bdXUSnjn3pAU0wtPzqkHv-yB-uJBxQY_1780998150 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Message-ID-Hash: NWZ6PPZUZHULZ2IQHQIVZ7NWFVBBAZU6 X-Message-ID-Hash: NWZ6PPZUZHULZ2IQHQIVZ7NWFVBBAZU6 X-MailFrom: sbrivio@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top, Paul Holzinger X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Tue, 9 Jun 2026 11:05:18 +1000 David Gibson wrote: > On Mon, Jun 08, 2026 at 10:24:48PM +0200, Stefano Brivio wrote: > > In https://bugs.passt.top/show_bug.cgi?id=188, I originally reported > > that if IPv6 is disabled in the kernel (for example via command line > > parameter ipv6.disable=1, or disabled in build configuration), and we > > attempt to forward any port, we'll exit right away after failing to > > set up dual-stack listening sockets. > > > > The original instance of that issue is now fixed for pasta by commit > > 75dcbc300bf0 ("pasta: Warn, disable matching IP version if not > > supported, in local mode") together with the new implementation of > > the rule forwarding table, starting from commit b223bec48213 ("fwd, > > tcp, udp: Set up listening sockets based on forward table"), because > > we first parse forwarding options, then probe for IPv6 support in the > > target namespace (and disable IPv6 as a result), and finally bind > > sockets once we already know that IPv6 support is disabled. > > > > But we don't do that when invoked as passt, because we have no target > > namespace and hence no probing for IPv6 support whatsoever. > > > > Add IPv6 to the socket features we test in sock_probe_features(), and, > > if we fail to create an IPv6 socket for whatever reason (which might > > include security policies as well), disable IPv6 support altogether, > > so that we won't attempt to use dual-stack sockets for port forwarding > > either. > > > > Note that the probe comes without any sort of debug message, because > > at this point we haven't parsed the configuration yet, and we would > > therefore print that regardless of the selected logging level and > > other options, including --ipv4-only, which would be rather confusing. > > I doubt we'll miss this kind of message though, IPv6 support being > > disabled is anyway obvious from the initial configuration dump. > > > > Reported-by: Chi Cuong HA > > Reported-by: Romain Geissler > > Link: https://bugs.passt.top/show_bug.cgi?id=188 > > Fixes: 4ddd59bc6085 ("conf: Separate local mode for each IP version, don't enable disabled IP version") > > Signed-off-by: Stefano Brivio > > Reviewed-by: David Gibson > > Follow up question, though: are the tests from 75dcbc300bf0 still > useful, or could they now be dropped as redundant? I was wondering for a moment as well, and concluded that they're not quite equivalent, because there might be reasons (LSMs?) why we can't set up IPv6 connectivity in a detached namespace but we can still create AF_INET6 sockets outside of it, so I think those checks are still good to have for robustness. Now, whether that presumed additional robustness justifies the added complexity, I'm not entirely sure. I'd tend to say yes but it's by no means a strong opinion. -- Stefano