Date: Tue, 9 Jun 2026 11:05:18 +1000
From: David Gibson
To: Stefano Brivio
CC: passt-dev@passt.top, Paul Holzinger
Subject: Re: [PATCH] conf, util: Disable IPv6 if explicit IPv6 socket probe fails
In-Reply-To: <20260608202448.3523957-1-sbrivio@redhat.com>
List-Id: Development discussion and patches for passt

On Mon, Jun 08, 2026 at 10:24:48PM +0200, Stefano Brivio wrote:
> In https://bugs.passt.top/show_bug.cgi?id=188, I originally reported
> that if IPv6 is disabled in the kernel (for example via command line
> parameter ipv6.disable=1, or disabled in build configuration), and we
> attempt to forward any port, we'll exit right away after failing to
> set up dual-stack listening sockets.
>
> The original instance of that issue is now fixed for pasta by commit
> 75dcbc300bf0 ("pasta: Warn, disable matching IP version if not
> supported, in local mode") together with the new implementation of
> the rule forwarding table, starting from commit b223bec48213 ("fwd,
> tcp, udp: Set up listening sockets based on forward table"), because
> we first parse forwarding options, then probe for IPv6 support in the
> target namespace (and disable IPv6 as a result), and finally bind
> sockets once we already know that IPv6 support is disabled.
>
> But we don't do that when invoked as passt, because we have no target
> namespace and hence no probing for IPv6 support whatsoever.
>
> Add IPv6 to the socket features we test in sock_probe_features(), and,
> if we fail to create an IPv6 socket for whatever reason (which might
> include security policies as well), disable IPv6 support altogether,
> so that we won't attempt to use dual-stack sockets for port forwarding
> either.
>
> Note that the probe comes without any sort of debug message, because
> at this point we haven't parsed the configuration yet, and we would
> therefore print that regardless of the selected logging level and
> other options, including --ipv4-only, which would be rather confusing.
> I doubt we'll miss this kind of message though, IPv6 support being
> disabled is anyway obvious from the initial configuration dump.
>
> Reported-by: Chi Cuong HA
> Reported-by: Romain Geissler
> Link: https://bugs.passt.top/show_bug.cgi?id=188
> Fixes: 4ddd59bc6085 ("conf: Separate local mode for each IP version, don't enable disabled IP version")
> Signed-off-by: Stefano Brivio

Reviewed-by: David Gibson

Follow up question, though: are the tests from 75dcbc300bf0 still useful, or
could they now be dropped as redundant?

> ---
>  conf.c  | 7 ++++++-
>  passt.h | 2 ++
>  util.c  | 8 ++++++++
>  3 files changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/conf.c b/conf.c > index 6f86940..cd05adf 100644 > --- a/conf.c > +++ b/conf.c > @@ -1254,7 +1254,9 @@ void conf(struct ctx *c, int argc, char **argv) > int name, ret; > uid_t uid; > gid_t gid; > -=09 > + > + if (c->no_ipv6) > + v4_only =3D true; > =20 > if (c->mode =3D=3D MODE_PASTA) > c->no_dhcp_dns =3D c->no_dhcp_dns_search =3D 1; > @@ -1682,6 +1684,9 @@ void conf(struct ctx *c, int argc, char **argv) > v6_only =3D false; > break; > case '6': > + if (c->no_ipv6) > + die("IPv6 not available but --ipv6-only given"); > + > v6_only =3D true; > v4_only =3D false; > break; > diff --git a/passt.h b/passt.h > index 1726965..c5f51d1 100644 > --- a/passt.h > +++ b/passt.h > @@ -211,6 +211,7 @@ struct ip6_ctx { > * @low_wmem: Low probed net.core.wmem_max > * @low_rmem: Low probed net.core.rmem_max > * @no_bindtodevice: Unprivileged SO_BINDTODEVICE not available > + * @no_ipv6: IPv6 sockets not available > * @vdev: vhost-user device > * @device_state_fd: Device state migration channel > * @device_state_result: Device state migration result > @@ -296,6 +297,7 @@ struct ctx { > int low_wmem; > int low_rmem; > int no_bindtodevice; > + bool no_ipv6; > =20 > struct vu_dev *vdev; > =20 > diff --git a/util.c b/util.c > index b64c29e..fe0aab9 100644 > --- a/util.c > +++ b/util.c 
> @@ -334,6 +334,14 @@ void sock_probe_features(struct ctx *c) > c->no_bindtodevice =3D 1; > } > =20 > + /* Check if IPv6 sockets are usable */ > + close(s); > + s =3D socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP); > + if (s < 0) { > + c->no_ipv6 =3D true; > + return; > + } > + > close(s); > } > =20 > --=20 > 2.43.0 >=20

--
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
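
Review bot: in the first conf.c hunk (@@ -1254), `if (c->no_ipv6) v4_only = true;` goes in without a comment and reuses v4_only, which the option loop otherwise treats as the user's own choice (the second hunk's context shows `v6_only = true; v4_only = false;` under case '6'). Once this line has run, code reading v4_only cannot tell a requested IPv4-only run from one forced by the probe. A one-line comment stating that the value comes from sock_probe_features() would make that explicit. The same hunk also replaces a tab-only line with an empty one, an unrelated whitespace change that is easier to review if mentioned in the commit message.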
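
Review bot: in the second conf.c hunk (@@ -1682), the new `die("IPv6 not available but --ipv6-only given")` under case '6' is a user-visible fatal error, but the diffstat lists only conf.c, passt.h and util.c, so nothing in the documentation tells users that this option now aborts on hosts where IPv6 sockets cannot be created. A short addition to the option's documentation would cover it. Since the commit message notes that the probe can also fail because of security policies, wording the message around IPv6 sockets being unusable rather than IPv6 being unavailable would point users at the right cause.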
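
Review bot: in the util.c hunk for sock_probe_features(), the failure branch returns early (`c->no_ipv6 = true; return;`), so any probe appended to this function later would be skipped on exactly the hosts where the IPv6 socket cannot be created. Setting the flag and falling through, with the final close(s) made conditional on a valid descriptor, keeps the probes independent of each other. The branch also discards errno, so a transient failure such as descriptor exhaustion is treated the same as IPv6 being disabled or blocked by policy. As the commit message says nothing can be logged at this point, saving errno in the context so it can appear in the later configuration dump would make a silent IPv4-only downgrade diagnosable.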