From patchwork Fri Apr 30 14:30:37 2021
X-Patchwork-Submitter: Julian Squires
X-Patchwork-Id: 1472346
X-Patchwork-Delegate: ynezz@true.cz
From: Julian Squires
To: openwrt-devel@lists.openwrt.org
Cc: Julian Squires
Subject: [PATCH] netifd: interface-ip: don't set fib6 policies if ipv6 disabled
Date: Fri, 30 Apr 2021 12:00:37 -0230
Message-Id: <20210430143037.6763-1-julian@cipht.net>

If IPv6 is disabled on a device, netifd still creates rules for it:

    0: from all lookup local
    32766: from all lookup main
    4200000001: from all iif lo lookup unspec 12
    4200000002: from all iif eth0 lookup unspec 12
    4200000003: from all iif eth1 lookup unspec 12

When logread is asked to log to a remote system, it invokes usock such
that getaddrinfo is called with AI_ADDRCONFIG in the flags; if ipv6 is
disabled on lo, musl attempts to connect to ::1 but gets EACCES from
the kernel, because of the reject policy added; this causes logread to
fail to connect:

    socket(AF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_UDP) = 8
    connect(8, {sa_family=AF_INET6, sin6_port=htons(65535), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)

See for a discussion of musl's handling of this.

This change only sets up the v6 rules if ipv6 is enabled on the device.

Signed-off-by: Julian Squires
---
 interface-ip.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/interface-ip.c b/interface-ip.c index 648f521..e6573df 100644 --- a/interface-ip.c +++ b/interface-ip.c @@ -1708,11 +1708,13 @@ void interface_ip_set_enabled(struct interface_ip_settings *ip, bool enabled) if (ip->iface->policy_rules_set != enabled && ip->iface->l3_dev.dev) { - set_ip_lo_policy(enabled, true, ip->iface); + if (ip->iface->l3_dev.dev->settings.ipv6) { + set_ip_lo_policy(enabled, true, ip->iface); + set_ip_source_policy(enabled, true, IPRULE_PRIORITY_REJECT + ip->iface->l3_dev.dev->ifindex, + NULL, 0, 0, ip->iface, "failed_policy", true); + } set_ip_lo_policy(enabled, false, ip->iface); - set_ip_source_policy(enabled, true, IPRULE_PRIORITY_REJECT + ip->iface->l3_dev.dev->ifindex, - NULL, 0, 0, ip->iface, "failed_policy", true); ip->iface->policy_rules_set = enabled; } }
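
Review bot: the new `if (ip->iface->l3_dev.dev->settings.ipv6)` guard in interface_ip_set_enabled() gates removal as well as installation, because the same two calls run with `enabled` false on teardown. If the device's ipv6 setting changes from on to off while `policy_rules_set` is true, the v6 lo rule and the "failed_policy" reject rule at IPRULE_PRIORITY_REJECT + ifindex are skipped on the delete path and stay in the rule table, which is the state the commit message describes as breaking connect() to ::1. Consider guarding only the add path, for example `if (!enabled || ip->iface->l3_dev.dev->settings.ipv6)`, or recording next to `policy_rules_set` whether the v6 rules were actually installed. A short comment above the guard saying why the reject rule is omitted for IPv6-disabled devices would also help, since dropping a reject policy is otherwise easy to misread as an unintended loosening.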