From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au
Authentication-Results: passt.top;
	dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202606 header.b=UhSwE7le;
	dkim-atps=neutral
Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])
	by passt.top (Postfix) with ESMTPS id B4C4B5A0265
	for <passt-dev@passt.top>; Wed, 10 Jun 2026 03:32:55 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202606; t=1781055171;
	bh=c5HMI6mG7p08P5/Wwyq0r3eeWO7rMCosJ5qjq2G9yBg=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=UhSwE7leWUvCAIErESd1xkiOQSEdH1XN0+YOyT/gwz1Hz83o4+dhYC4s1Hg/Qzz93
	 sVOXCDIrcjU9tzGwFquTJgZaxG3+a9pixvBbFuyFURFYzS4Gd99+nH6h8zV0GYM+Bi
	 ZDkZUaoDZuFw+mUtxuAeRHb5x2AFCcLKYEdpwPU37txJkg4WP2ZX4Mn9Gy0LeSYpke
	 M/m7OBKhjxHAKVMCcUTiTvnLf5X9rn3xPaDJ1zfOw/qn5B6E8/m4Lm0GulT2X4ezSs
	 WTEJQQyh6qNgjJQHu41jBeKE3uOOsNwURLdiCOVl9l2+a0BhSOjJzMsz+vahLkWbAZ
	 mnq3jblIKjgrw==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4gZpDz2nKQz4x4g; Wed, 10 Jun 2026 11:32:51 +1000 (AEST)
Date: Wed, 10 Jun 2026 11:32:25 +1000
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Subject: Re: [PATCH] conf, util: Disable IPv6 if explicit IPv6 socket probe
 fails
Message-ID: <aii-qXCr22Z-MXSM@zatzit>
References: <20260608202448.3523957-1-sbrivio@redhat.com>
 <aidmzlnoGLsiH6up@zatzit>
 <20260609114227.5e64c77e@elisabeth>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="6XJK7LFvM0UbkBLX"
Content-Disposition: inline
In-Reply-To: <20260609114227.5e64c77e@elisabeth>
Message-ID-Hash: DK4OV3Y7SBEXBJVXUA2GY5TCA3C2JMZS
X-Message-ID-Hash: DK4OV3Y7SBEXBJVXUA2GY5TCA3C2JMZS
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, Paul Holzinger <pholzing@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/aii-qXCr22Z-MXSM@zatzit/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/DK4OV3Y7SBEXBJVXUA2GY5TCA3C2JMZS/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>


--6XJK7LFvM0UbkBLX
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Jun 09, 2026 at 11:42:28AM +0200, Stefano Brivio wrote:
> On Tue, 9 Jun 2026 11:05:18 +1000
> David Gibson <david@gibson.dropbear.id.au> wrote:
>=20
> > On Mon, Jun 08, 2026 at 10:24:48PM +0200, Stefano Brivio wrote:
> > > In https://bugs.passt.top/show_bug.cgi?id=3D188, I originally reported
> > > that if IPv6 is disabled in the kernel (for example via command line
> > > parameter ipv6.disable=3D1, or disabled in build configuration), and =
we
> > > attempt to forward any port, we'll exit right away after failing to
> > > set up dual-stack listening sockets.
> > >=20
> > > The original instance of that issue is now fixed for pasta by commit
> > > 75dcbc300bf0 ("pasta: Warn, disable matching IP version if not
> > > supported, in local mode") together with the new implementation of
> > > the rule forwarding table, starting from commit b223bec48213 ("fwd,
> > > tcp, udp: Set up listening sockets based on forward table"), because
> > > we first parse forwarding options, then probe for IPv6 support in the
> > > target namespace (and disable IPv6 as a result), and finally bind
> > > sockets once we already know that IPv6 support is disabled.
> > >=20
> > > But we don't do that when invoked as passt, because we have no target
> > > namespace and hence no probing for IPv6 support whatsoever.
> > >=20
> > > Add IPv6 to the socket features we test in sock_probe_features(), and,
> > > if we fail to create an IPv6 socket for whatever reason (which might
> > > include security policies as well), disable IPv6 support altogether,
> > > so that we won't attempt to use dual-stack sockets for port forwarding
> > > either.
> > >=20
> > > Note that the probe comes without any sort of debug message, because
> > > at this point we haven't parsed the configuration yet, and we would
> > > therefore print that regardless of the selected logging level and
> > > other options, including --ipv4-only, which would be rather confusing.
> > > I doubt we'll miss this kind of message though, IPv6 support being
> > > disabled is anyway obvious from the initial configuration dump.
> > >=20
> > > Reported-by: Chi Cuong HA <ChiCuong.HA@amadeus.com>
> > > Reported-by: Romain Geissler <romain.geissler@amadeus.com>
> > > Link: https://bugs.passt.top/show_bug.cgi?id=3D188
> > > Fixes: 4ddd59bc6085 ("conf: Separate local mode for each IP version, =
don't enable disabled IP version")
> > > Signed-off-by: Stefano Brivio <sbrivio@redhat.com> =20
> >=20
> > Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
> >=20
> > Follow up question, though: are the tests from 75dcbc300bf0 still
> > useful, or could they now be dropped as redundant?
>=20
> I was wondering for a moment as well, and concluded that they're not
> quite equivalent, because there might be reasons (LSMs?) why we can't
> set up IPv6 connectivity in a detached namespace but we can still
> create AF_INET6 sockets outside of it, so I think those checks are
> still good to have for robustness.

Ok, makes sense to me.

> Now, whether that presumed additional robustness justifies the added
> complexity, I'm not entirely sure. I'd tend to say yes but it's by no
> means a strong opinion.

Right, I'm not sure either.  I guess let's leave it as is for now.

--=20
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

--6XJK7LFvM0UbkBLX
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmoovqQACgkQzQJF27ox
2Ge3nQ//boGViBYON0ZZUPJyDBjRSCgby217K4TBE0mKY9hxs4M/jenwuffoHdRv
/LvuIEI6WTx2LBt7pZ8Oz2qrKyEnDdDSmWtPZW5zkMGl0AlRZd4vzBwfORDsJfPK
bKG5pP8uQOCONXhYt8XtAC7uJsMu57vd52x0jVWqSrgpqK82z1pu4GPO8XzpBPm3
z9OleNICul/zKuJS96PDZZVyxTlQZnpb1x3oBplFSlAIK3xaLFBlaoOabjainkes
rdE23wVPxrEu8wxaqhsJmowTMRlSsBej25Hrg5yTyRkPSDJ9Zfo6y5837sRJzWQq
U/nYCka2LcENTBE8y0nKHwnT91MZWLYly07kGrbm76JKSbcBBHvt3VbpN1/uiQ6s
na8FL3zl83sFIkcue834GY9SrjcJx6OWcKb9NHmYcsf4Lb1Rd9f2hWZwHJnV0Bll
TPImV3a/tQalHrFONUBrQSLveJ2jIIN7f9x9aFhifg/15AYeeA+gQX7KDjzBVE3z
y35Q4o0G9TJ4uwDZba8/z8M5wzsAhw94Zn3NruNOzehlsBnEPAn915iB4aNQzAG7
Z2GPfo4iemssC3o90xmqmMqLpMUfwyAWQnsIRVxHid0DxS1C744JeYQcNUnaKbBT
QyOzrVuP3Ter71jQOtZ3xzaR4sieVY2RgzTrZtBDSlCnpsSRwiQ=
=zCPE
-----END PGP SIGNATURE-----

--6XJK7LFvM0UbkBLX--