Date: Mon, 12 Jan 2026 14:48:54 +1100
From: David Gibson
To: Stefano Brivio
CC: passt-dev@passt.top
Subject: Re: [PATCH 2/3] tcp, udp, conf: Don't silently ignore listens on unsupported IP versions

On Sun, Jan 11, 2026 at 12:33:28AM +0100, Stefano Brivio wrote:
> On Mon, 5 Jan 2026 19:28:49 +1100
> David Gibson wrote:
>
> > Currently, it's possible to explicitly ask for forwarding from an IPv4
> > address, while disabling IPv4:
> >   $ pasta -t 192.0.2.1/12345 -6
> > or vice versa:
> >   $ pasta -t 2001:db8::1/12345 -4
> >
> > Currently, the impossible to implement forwarding option will be silently
> > ignored.  That's potentially confusing since in a complex setup, it might
> > not be obvious why the requested forward isn't taking effect.
> >
> > Specifically, it's ignored at a fairly low level: tcp_listen() and
> > udp_listen() ignore it and return 0.
> > Those run kind of late to give a
> > good error message.  Change the low-level functions to return -EACCES
> > (chosen because that's what the kernel will return if you request IPv6
> > when it's disabled by sysctl).
>
> I couldn't quite find out in which case EACCES is returned by the
> kernel. If I set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and then
> bind() an IPv6 address, after setting IPV6_FREEBIND, I get 0.

Huh.  EAFNOSUPPORT seems like it makes more sense, but oddly didn't
spot it.  I was looking at:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/addrconf.c#n1098
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/addrconf.c#n2565
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/route.c#n3664

Happy enough to change it to EAFNOSUPPORT if you'd prefer.

> If I disable IPv6 via command line (ipv6.disable=1) I get EAFNOSUPPORT
> on bind(), and EOPNOTSUPP on setting addresses and routes. EACCES, I
> couldn't quite spot it yet.

Huh.  Kind of weird it only fails on bind(), not on socket().

> > Most callers of {tcp,udp}_listen() ignore
> > the return code, so this is a no-op for them.  In the remaining caller,
> > conf_ports_range_except() check for the case explicitly, and provide a
> > meaningful error message.
> >
> > Of itself, this bug is insignificant, but this is a roadblock to having
> > {tcp,udp}_listen() return socket fds, which in turn is a roadblock to my
> > flexible forwarding work.  So, might as well fix it.
> >
> > Link: https://bugs.passt.top/show_bug.cgi?id=186
> >
> > Signed-off-by: David Gibson
> > ---
> >  conf.c | 10 ++++++++++
> >  tcp.c  |  6 ++----
> >  udp.c  |  6 ++----
> >  3 files changed, 14 insertions(+), 8 deletions(-)
> >
> > diff --git a/conf.c b/conf.c > > index 70ea168c..cc3c20a9 100644 > > --- a/conf.c > > +++ b/conf.c
> > @@ -162,6 +162,16 @@ static void conf_ports_range_except(const struct c= tx *c, char optname, > > optname, optarg); > > } > > =20 > > + if (addr) { > > + if (!c->ifi4 && inany_v4(addr)) { > > + die("IPv4 is disabled, can't use -%c %s", > > + optname, optarg); > > + } else if (!c->ifi6 && !inany_v4(addr)) { > > + die("IPv6 is disabled, can't use -%c %s", > > + optname, optarg); > > + } > > + } > > + > > for (i =3D first; i <=3D last; i++) { > > if (bitmap_isset(exclude, i)) > > continue; > > diff --git a/tcp.c b/tcp.c > > index e7fa85f3..67007c05 100644 > > --- a/tcp.c > > +++ b/tcp.c > > @@ -2700,16 +2700,14 @@ int tcp_listen(const struct ctx *c, uint8_t pif, > > /* Restrict to v6 only */ > > addr =3D &inany_any6; > > else if (inany_v4(addr)) > > - /* Nothing to do */ > > - return 0; > > + return -EACCES; > > } > > if (!c->ifi6) { > > if (!addr) > > /* Restrict to v4 only */ > > addr =3D &inany_any4; > > else if (!inany_v4(addr)) > > - /* Nothing to do */ > > - return 0; > > + return -EACCES; > > } > > =20 > > if (pif =3D=3D PIF_HOST) { > > diff --git a/udp.c b/udp.c > > index eda55c39..8cfa1e1f 100644 > > --- a/udp.c > > +++ b/udp.c 
> > @@ -1162,16 +1162,14 @@ int udp_listen(const struct ctx *c, uint8_t pif, > > /* Restrict to v6 only */ > > addr =3D &inany_any6; > > else if (inany_v4(addr)) > > - /* Nothing to do */ > > - return 0; > > + return -EACCES; > > } > > if (!c->ifi6) { > > if (!addr) > > /* Restrict to v4 only */ > > addr =3D &inany_any4; > > else if (!inany_v4(addr)) > > - /* Nothing to do */ > > - return 0; > > + return -EACCES; > > } > > =20 > > s =3D pif_sock_l4(c, EPOLL_TYPE_UDP_LISTEN, pif,
>
> The rest looks good to me.
>
> --
> Stefano

--
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
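Review bot: in the conf.c hunk, the new `if (addr)` block in conf_ports_range_except() repeats the address-family test that tcp_listen() and udp_listen() make in the later hunks (`!c->ifi4 && inany_v4(addr)` and `!c->ifi6 && !inany_v4(addr)`), so the same condition now lives in three places that have to stay in step. A small shared helper for the test would avoid that, or at least a comment here naming the listen functions it mirrors. The `if (addr)` guard also deserves a short comment saying that the no-address case is left to the listen functions, which narrow it to the enabled family rather than failing.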
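Review bot: in the tcp.c hunk, both new `return -EACCES;` lines rest on the commit message's statement that the kernel returns EACCES when IPv6 is disabled by sysctl, and the review in this thread could not find that case: bind() gave 0 with disable_ipv6 set to 1 and EAFNOSUPPORT with ipv6.disable=1. -EAFNOSUPPORT names the condition more directly and matches what was observed; whichever value is kept, the rationale in the commit message should be updated to agree with it. The removed `/* Nothing to do */` comments are not replaced, so a one-line comment on each branch saying the requested family is disabled would keep the early returns self-explanatory.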
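Review bot: the udp.c hunk repeats the tcp.c change line for line, so if the errno for tcp_listen() changes as discussed in this thread, both `return -EACCES;` lines in udp_listen() must change with it, otherwise the two functions will report the same condition differently. Both returns sit ahead of the `pif_sock_l4()` call, so no socket is open on the error path and no cleanup is needed there. If udp_listen() has a header comment listing its return values, it should gain an entry for the new negative return, since callers previously saw 0 in this case.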