[PATCHv2,net,1/2] ipv6: prevent only DAD and RS sending for IFF_NO_ADDRCONF

Commit Message

Xin Long Jan. 12, 2023, 12:41 a.m. UTC

Currently IFF_NO_ADDRCONF is used to prevent all ipv6 addrconf for the
slave ports of team, bonding and failover devices and it means no ipv6
packets can be sent out through these slave ports. However, for team
device, "nsna_ping" link_watch requires ipv6 addrconf. Otherwise, the
link will be marked failure.

The orginal issue fixed by IFF_NO_ADDRCONF was caused by DAD and RS
packets sent by slave ports in commit c2edacf80e15 ("bonding / ipv6: no
addrconf for slaves separately from master") where it's using IFF_SLAVE
and later changed to IFF_NO_ADDRCONF in commit 8a321cf7becc ("net: add
IFF_NO_ADDRCONF and use it in bonding to prevent ipv6 addrconf").

So instead of preventing all the ipv6 addrconf, it makes more sense to
only prevent DAD and RS sending for the slave ports: Firstly, check
IFF_NO_ADDRCONF in addrconf_dad_completed() to prevent RS as it did in
commit b52e1cce31ca ("ipv6: Don't send rs packets to the interface of
ARPHRD_TUNNEL"), and then also check IFF_NO_ADDRCONF where IFA_F_NODAD
is checked to prevent DAD.

Note that the check for flags & IFA_F_NODAD in addrconf_dad_begin() is
not necessary, as with IFA_F_NODAF, flags & IFA_F_TENTATIVE is always
false, so there's no need to add IFF_NO_ADDRCONF check there either.

Fixes: 0aa64df30b38 ("net: team: use IFF_NO_ADDRCONF flag to prevent ipv6 addrconf")
Reported-by: Liang Li <liali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/ipv6/addrconf.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

Comments

Jakub Kicinski Jan. 14, 2023, 5:33 a.m. UTC | #1

On Wed, 11 Jan 2023 19:41:56 -0500 Xin Long wrote:
> So instead of preventing all the ipv6 addrconf, it makes more sense to
> only prevent DAD and RS sending for the slave ports: Firstly, check
> IFF_NO_ADDRCONF in addrconf_dad_completed() to prevent RS as it did in
> commit b52e1cce31ca ("ipv6: Don't send rs packets to the interface of
> ARPHRD_TUNNEL"), and then also check IFF_NO_ADDRCONF where IFA_F_NODAD
> is checked to prevent DAD.

Maybe it's because I'm not an ipv6 expert but it feels to me like we're
getting into intricate / hacky territory. IIUC all addresses on legs of
bond/team will silently get nodad behavior? Isn't that risky for a fix?

Could we instead revert 0aa64df30b38 and take this via net-next?

Alternatively - could the team user space just tell the kernel what
behavior it wants? Instead of always putting the flag up, like we did 
in 0aa64df30b3, do it only when the user space opts in?

Xin Long Jan. 14, 2023, 5:23 p.m. UTC | #2

On Sat, Jan 14, 2023 at 12:33 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Wed, 11 Jan 2023 19:41:56 -0500 Xin Long wrote:
> > So instead of preventing all the ipv6 addrconf, it makes more sense to
> > only prevent DAD and RS sending for the slave ports: Firstly, check
> > IFF_NO_ADDRCONF in addrconf_dad_completed() to prevent RS as it did in
> > commit b52e1cce31ca ("ipv6: Don't send rs packets to the interface of
> > ARPHRD_TUNNEL"), and then also check IFF_NO_ADDRCONF where IFA_F_NODAD
> > is checked to prevent DAD.
>
> Maybe it's because I'm not an ipv6 expert but it feels to me like we're
> getting into intricate / hacky territory. IIUC all addresses on legs of
> bond/team will silently get nodad behavior? Isn't that risky for a fix?
Understand.
I was actually thinking this would be less risky than completely disabling
ipv6 addrconf for IFF_NO_ADDRCONF.

>
> Could we instead revert 0aa64df30b38 and take this via net-next?
Fair enough.
I will send a revert of 0aa64df30b38.
Let's take a step back and think about doing it via net-next.

>
> Alternatively - could the team user space just tell the kernel what
> behavior it wants? Instead of always putting the flag up, like we did
> in 0aa64df30b3, do it only when the user space opts in?
Like when knowing nsna_ping link watch is used, but it is loaded after
the port is added in libteam, and yet the kernel has no idea what link
watch is used in userspace.
Jiri?

Thanks.

Patch

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index f7a84a4acffc..de4186e5349c 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1124,7 +1124,8 @@  ipv6_add_addr(struct inet6_dev *idev, struct ifa6_config *cfg,
 	ifa->flags = cfg->ifa_flags;
 	ifa->ifa_proto = cfg->ifa_proto;
 	/* No need to add the TENTATIVE flag for addresses with NODAD */
-	if (!(cfg->ifa_flags & IFA_F_NODAD))
+	if (!(cfg->ifa_flags & IFA_F_NODAD) &&
+	    !(idev->dev->priv_flags & IFF_NO_ADDRCONF))
 		ifa->flags |= IFA_F_TENTATIVE;
 	ifa->valid_lft = cfg->valid_lft;
 	ifa->prefered_lft = cfg->preferred_lft;
@@ -3319,10 +3320,6 @@  static void addrconf_addr_gen(struct inet6_dev *idev, bool prefix_route)
 	if (netif_is_l3_master(idev->dev))
 		return;
 
-	/* no link local addresses on devices flagged as slaves */
-	if (idev->dev->priv_flags & IFF_NO_ADDRCONF)
-		return;
-
 	ipv6_addr_set(&addr, htonl(0xFE800000), 0, 0, 0);
 
 	switch (idev->cnf.addr_gen_mode) {
@@ -3564,7 +3561,6 @@  static int addrconf_notify(struct notifier_block *this, unsigned long event,
 			if (event == NETDEV_UP && !IS_ERR_OR_NULL(idev) &&
 			    dev->flags & IFF_UP && dev->flags & IFF_MULTICAST)
 				ipv6_mc_up(idev);
-			break;
 		}
 
 		if (event == NETDEV_UP) {
@@ -3855,7 +3851,8 @@  static int addrconf_ifdown(struct net_device *dev, bool unregister)
 			/* set state to skip the notifier below */
 			state = INET6_IFADDR_STATE_DEAD;
 			ifa->state = INET6_IFADDR_STATE_PREDAD;
-			if (!(ifa->flags & IFA_F_NODAD))
+			if (!(ifa->flags & IFA_F_NODAD) &&
+			    !(dev->priv_flags & IFF_NO_ADDRCONF))
 				ifa->flags |= IFA_F_TENTATIVE;
 
 			rt = ifa->rt;
@@ -4218,6 +4215,7 @@  static void addrconf_dad_completed(struct inet6_ifaddr *ifp, bool bump_id,
 		  ipv6_accept_ra(ifp->idev) &&
 		  ifp->idev->cnf.rtr_solicits != 0 &&
 		  (dev->flags & IFF_LOOPBACK) == 0 &&
+		  (dev->priv_flags & IFF_NO_ADDRCONF) == 0 &&
 		  (dev->type != ARPHRD_TUNNEL);
 	read_unlock_bh(&ifp->idev->lock);