From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au Authentication-Results: passt.top; dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202512 header.b=sBlUgbi4; dkim-atps=neutral Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76]) by passt.top (Postfix) with ESMTPS id 577225A0271 for ; Tue, 13 Jan 2026 04:06:19 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202512; t=1768273576; bh=pWsm1UxZ+xB9PRW8F2vonFuQUIVrAJAd4EKR9Yq4znc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=sBlUgbi4EQYz62pQTeqSTlgGTV4q/zKH+lx73u3imTB6Yg5O/xjW4zR6jSqKLxSsz NSCWW/NjlHv1mBkMcdOisr3ti3un2Ns2q3W+Kc4PYMg3bisYpy1ROHCX7OPt/AsH4+ Iw4e6YbwpXbQMbYnly5PthP9tLoEa/QsilxNI/3rkS5U+B0/EcYjjI4PL6mMJtlafS GGhvdY+D71M5xeiXsikTs6CYz2gwbwJeC3CTvTud3CkGwrs7WzdY2fzC+5jQ4pC8XW r1wNJaZ45Fbc61S0iavmCgxyMeUvW9zWrppJZnALCbRMIULcCEph0lh59d73MK47b2 hM1geDYutDPzA== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4dqvK41YZxz4wR9; Tue, 13 Jan 2026 14:06:16 +1100 (AEDT) Date: Tue, 13 Jan 2026 14:05:09 +1100 From: David Gibson To: Stefano Brivio Subject: Re: [PATCH 2/3] tcp, udp, conf: Don't silently ignore listens on unsupported IP versions Message-ID: References: <20260105082850.1985300-1-david@gibson.dropbear.id.au> <20260105082850.1985300-3-david@gibson.dropbear.id.au> <20260111003328.7e5f22ec@elisabeth> <20260113011206.67b52012@elisabeth> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Zq2kGCW0/twsj9G9" Content-Disposition: inline In-Reply-To: <20260113011206.67b52012@elisabeth> Message-ID-Hash: QWT4WEIYJFJXKZWNT4EAY3JXKHU3UH3F X-Message-ID-Hash: QWT4WEIYJFJXKZWNT4EAY3JXKHU3UH3F X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --Zq2kGCW0/twsj9G9 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 13, 2026 at 01:12:06AM +0100, Stefano Brivio wrote: > On Mon, 12 Jan 2026 14:48:54 +1100 > David Gibson wrote: >=20 > > On Sun, Jan 11, 2026 at 12:33:28AM +0100, Stefano Brivio wrote: > > > On Mon, 5 Jan 2026 19:28:49 +1100 > > > David Gibson wrote: > > > =20 > > > > Currently, it's possible to explicitly ask for forwarding from an I= Pv4 > > > > address, while disabling IPv4: > > > > $ pasta -t 192.0.2.1/12345 -6 > > > > or vice versa: > > > > $ pasta -t 2001:db8::1/12345 -4 > > > >=20 > > > > Currently, the impossible to implement forwarding option will be si= lently > > > > ignored. That's potentially confusing since in a complex setup, it= might > > > > not be obvious why the requested forward isn't taking effect. > > > >=20 > > > > Specifically, it's ignored at a fairly low level: tcp_listen() and > > > > udp_listen() ignore it and return 0. Those run kind of late to giv= e a > > > > good error message. Change the low-level functions to return -EACC= ES > > > > (chosen because that's what the kernel will return if you request I= Pv6 > > > > when it's disabled by sysctl). =20 > > >=20 > > > I couldn't quite find out in which case EACCES is returned by the > > > kernel. If I set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and th= en > > > bind() an IPv6 address, after setting IPV6_FREEBIND, I get 0. =20 > >=20 > > Huh. EAFNOSUPPORT seems like it makes more sense, but oddly didn't > > spot it. I was looking at: > >=20 > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/= tree/net/ipv6/addrconf.c#n1098 > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/= tree/net/ipv6/addrconf.c#n2565 > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/= tree/net/ipv6/route.c#n3664 >=20 > Weird, I guess it eventually gets translated to EOPNOTSUPP later > (perhaps in netlink code), because: Yeah, I guess it must. > # strace ip addr add db8::1 dev ens3 >=20 > [...] >=20 > recvmsg(3, {msg_name=3D{sa_family=3DAF_NETLINK, nl_pid=3D0, nl_groups=3D0= 0000000}, msg_namelen=3D12, msg_iov=3D[{iov_base=3D[{nlmsg_len=3D84, nlmsg_= type=3DNLMSG_ERROR, nlmsg_flags=3D0, nlmsg_seq=3D1768262003, nlmsg_pid=3D15= 98}, {error=3D-EOPNOTSUPP, msg=3D[{nlmsg_len=3D64, nlmsg_type=3DRTM_NEWADDR= , nlmsg_flags=3DNLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq= =3D1768262003, nlmsg_pid=3D0}, {ifa_family=3DAF_INET6, ifa_prefixlen=3D128,= ifa_flags=3D0, ifa_scope=3DRT_SCOPE_UNIVERSE, ifa_index=3Dif_nametoindex("= ens3")}, [[{nla_len=3D20, nla_type=3DIFA_LOCAL}, inet_pton(AF_INET6, "db8::= 1")], [{nla_len=3D20, nla_type=3DIFA_ADDRESS}, inet_pton(AF_INET6, "db8::1"= )]]]}], iov_len=3D32768}], msg_iovlen=3D1, msg_controllen=3D0, msg_flags=3D= 0}, 0) =3D 84 > write(2, "RTNETLINK answers: Operation not"..., 43RTNETLINK answers: Oper= ation not supported >=20 > it's EOPNOTSUPP in the NLMSG_ERROR message. Heh, that's a third option. > > Happy enough to change it to EAFNOSUPPORT if you'd prefer. >=20 > I think it would make a lot more sense, EACCES would confuse pretty > much anybody (and I can't get the kernel to return that over netlink > anyway). Ok, done. > > > If I disable IPv6 via command line (ipv6.disable=3D1) I get EAFNOSUPP= ORT > > > on bind(), and EOPNOTSUPP on setting addresses and routes. EACCES, I > > > couldn't quite spot it yet. =20 > >=20 > > Huh. Kind of weird it only fails on bind(), not on socket(). >=20 > Oops, I was fooled by the error message we print in that case. It > actually fails on socket(): >=20 > socket(AF_INET6, SOCK_STREAM|SOCK_NONBLOCK, IPPROTO_TCP) =3D -1 EAFNOSUPP= ORT (Address family not supported by protocol) >=20 > but we print: >=20 > L4 socket: Address family not supported by protocol > Failed to bind port 2548 (Address family not supported by protocol) for o= ption '-t 2b8::1/2548' >=20 > which makes sense because that's what we're doing with that port (just > not with that socket). Ah, ok, that makes sense. --=20 David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson --Zq2kGCW0/twsj9G9 Content-Type: application/pgp-signature; name=signature.asc -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmlltmQACgkQzQJF27ox 2GeU6RAAgHxw9XOYJaaeZpTFY3rN0J2SgNrMBhhXhjmavi+4qLsyIx0dg+JwFZGb l/sJ+GAY2QB44JQSFThFavQUVidhXBK9uBgnywrFJzR+8PIxaKLWOHcYFkwkbOwS uXJdNl3nYv3Mb7p5x4TtJQRNUEFHx8mw6HKtO/DqndHjUDNyH7B1PdzCatdZHtBN t14D5bzLq5UFmPDeg2PSVRvDuwZ7v/cun9HCIZOnEFmj50vU/uGjkhBdOWJbb4n9 c85W+G03tm1lltkchwOGssnkodPG7mVe2wfE4aZw7D6vV0Znh4Q9dxkA6K9fccYz 5ZbC6ppwDl5N5ihv3pqnnUMjumIjsSgpCBmN7Yw0jTUKeYGvT/oUZ2nawN9SCxyR fX5j9ibWKxuQWWEz1FMg0ytmAKOUcakPWA+2iEi2EhdZV5wOJMkCL+1xmNAMvIYw 2rVlPu0gjrO0AKLPiqeQdl1Zd6PFYNSlWFkMZw0OuRIR/vRY1eOHvPAKUCfz4GBm UCgj5ATd0znt6AHl8T21Nx0rAa+VBrv7mgdqAkwdrtfx14xiz9WVy7RauZW4Gpd0 p1sAogdNk4eaVkygSEHR7JaSogTHduUSlzhwvtQ4n7wAFWnIasyB9A3zQ8Z9rkGh RCqXZyXxtO8lykSDWZzdMl8ep+LMXICYQ+Wk1ttb8jy6XTj+6fo= =wDrM -----END PGP SIGNATURE----- --Zq2kGCW0/twsj9G9--