Date: Sat, 17 Aug 2024 17:59:45 +1000
From: David Gibson
To: Stefano Brivio
CC: passt-dev@passt.top, Paul Holzinger
Subject: Re: [PATCH v3 4/7] netlink, pasta: Disable DAD for link-local addresses on namespace interface
References: <20240816073918.1483136-1-sbrivio@redhat.com> <20240816073918.1483136-5-sbrivio@redhat.com>
In-Reply-To: <20240816073918.1483136-5-sbrivio@redhat.com>
List-Id: Development discussion and patches for passt

On Fri, Aug 16, 2024 at 09:39:15AM +0200, Stefano Brivio wrote:
> It makes no sense for a container or a guest to try and perform
> duplicate address detection for their link-local address, as we'll
> anyway not relay neighbour solicitations with an unspecified source
> address.
>
> While they perform duplicate address detection, the link-local address
> is not usable, which prevents us from bringing up especially
> containers and communicating with them right away via IPv6.
>
> This is not enough to prevent DAD and reach the container right away:
> we'll need a couple more patches.
>
> As we send NLM_F_REPLACE requests right away, while we still have to
> read out other addresses on the same socket, we can't use nl_do():
> keep track of the last sequence we sent (last address we changed), and
> deal with the answers to those NLM_F_REPLACE requests in a separate
> loop, later.
>
> Link: https://github.com/containers/podman/pull/23561#discussion_r1711639663
> Signed-off-by: Stefano Brivio
> ---
> netlink.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> netlink.h | 1 +
> pasta.c | 6 ++++++
> 3 files changed, 62 insertions(+)
>
> diff --git a/netlink.c b/netlink.c
> index 873e6c7..59f2fd9 100644
> --- a/netlink.c
> +++ b/netlink.c
> @@ -673,6 +673,61 @@ int nl_route_dup(int s_src, unsigned int ifi_src, > return 0; > } > =20 > +/** > + * nl_addr_set_ll_nodad() - Set IFA_F_NODAD on IPv6 link-local addresses > + * @s: Netlink socket > + * @ifi: Interface index in target namespace > + * > + * Return: 0 on success, negative error code on failure > + */ > +int nl_addr_set_ll_nodad(int s, unsigned int ifi) > +{ > + struct req_t { > + struct nlmsghdr nlh; > + struct ifaddrmsg ifa; > + } req =3D { > + .ifa.ifa_family =3D AF_INET6, > + .ifa.ifa_index =3D ifi, > + }; > + unsigned ll_addrs =3D 0; > + struct nlmsghdr *nh; > + char buf[NLBUFSIZ]; > + ssize_t status; > + uint32_t seq; > + > + seq =3D nl_send(s, &req, RTM_GETADDR, NLM_F_DUMP, sizeof(req)); > + nl_foreach_oftype(nh, status, s, buf, seq, RTM_NEWADDR) { > + struct ifaddrmsg *ifa =3D (struct ifaddrmsg *)NLMSG_DATA(nh); > + struct rtattr *rta; > + size_t na; > + > + if (ifa->ifa_index !=3D ifi || ifa->ifa_scope !=3D RT_SCOPE_LINK) > + continue; > + > + ifa->ifa_flags |=3D IFA_F_NODAD; > + > + for (rta =3D IFA_RTA(ifa), na =3D IFA_PAYLOAD(nh); RTA_OK(rta, na); > + rta =3D RTA_NEXT(rta, na)) { > + /* If 32-bit flags are used, add IFA_F_NODAD there */ > + if (rta->rta_type =3D=3D IFA_FLAGS) > + *(uint32_t *)RTA_DATA(rta) |=3D IFA_F_NODAD; > + } > + > + nl_send(s, nh, RTM_NEWADDR, NLM_F_REPLACE, nh->nlmsg_len); > + ll_addrs++; > + } Uh.. did you forget to push an update. This looks like the last version. > + if (status < 0) > + return status; You still have this early return. > + > + seq +=3D ll_addrs; > + > + nl_foreach(nh, status, s, buf, seq) > + warn("netlink: Unexpected response message"); And you need an outer loop over this nl_foreach() for each value of seq from the one from the RTM_GETADDR to the last one from NLM_F_REPLACE. > + > + return status; > +} > + > /** > * nl_addr_get() - Get most specific global address, given interface and= family > * @s: Netlink socket > diff --git a/netlink.h b/netlink.h > index 178f8ae..66a44ad 100644 
> --- a/netlink.h > +++ b/netlink.h > @@ -19,6 +19,7 @@ int nl_addr_get(int s, unsigned int ifi, sa_family_t af, > void *addr, int *prefix_len, void *addr_l); > int nl_addr_set(int s, unsigned int ifi, sa_family_t af, > const void *addr, int prefix_len); > +int nl_addr_set_ll_nodad(int s, unsigned int ifi); > int nl_addr_dup(int s_src, unsigned int ifi_src, > int s_dst, unsigned int ifi_dst, sa_family_t af); > int nl_link_get_mac(int s, unsigned int ifi, void *mac); > diff --git a/pasta.c b/pasta.c > index 96545b1..17eed15 100644 > --- a/pasta.c > +++ b/pasta.c 
> @@ -340,6 +340,12 @@ void pasta_ns_conf(struct ctx *c) > } > =20 > if (c->ifi6) { > + rc =3D nl_addr_set_ll_nodad(nl_sock_ns, c->pasta_ifi); > + if (rc < 0) { > + warn("Can't set nodad for LL in namespace: %s", > + strerror(-rc)); > + } > + > if (c->ip6.no_copy_addrs) { > rc =3D nl_addr_set(nl_sock_ns, c->pasta_ifi, > AF_INET6, &c->ip6.addr, 64);

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
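Review bot: in the netlink.c hunk, each `nl_send(s, nh, RTM_NEWADDR, NLM_F_REPLACE, nh->nlmsg_len);` discards the sequence number nl_send() returns, and the range to drain is then reconstructed with `seq += ll_addrs;`, which only holds if nl_send() allocates strictly consecutive sequence numbers and nothing else is sent on the socket in between; recording the seq returned by each nl_send() (the last one suffices if they are consecutive) removes that assumption and gives the drain loop an explicit range. The early `if (status < 0) return status;` after the dump loop has a related problem: replace requests already sent inside the loop have their answers left unread on the socket, and the pasta.c hunk reuses nl_sock_ns for nl_addr_set() straight afterwards, so those stale answers would be read as responses to the next request; drain before returning, or document that the socket must not be reused after a failure. Minor: `*(uint32_t *)RTA_DATA(rta) |= IFA_F_NODAD;` writes through a cast pointer; copying into and out of a local uint32_t with memcpy keeps it alignment- and aliasing-safe.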
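Review bot: in the netlink.h hunk the new prototype is declared after nl_addr_set() and before nl_addr_dup(), while the netlink.c hunk defines nl_addr_set_ll_nodad() before nl_addr_get(); keeping declaration order aligned with definition order makes the header easier to cross-check, so consider placing the definition after nl_addr_set() in netlink.c to match. Style only.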
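Review bot: in the pasta.c hunk, nl_addr_set_ll_nodad() only acts on addresses that the RTM_GETADDR dump returns at the moment it is called, and nothing in the helper reports the case where no link-local address matched (ll_addrs stays 0), so if the namespace link is brought up, and its link-local address assigned, only later in pasta_ns_conf(), this call silently does nothing; a comment here stating that the interface is already up at this point, or a debug message from the helper when ll_addrs is 0, would make that ordering dependency visible. Treating a failure as a warning rather than fatal looks right: with DAD still enabled the namespace stays reachable, just later.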