From patchwork Thu Jan 12 00:41:56 2023
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 13097348
From: Xin Long
To: network dev
Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet, Paolo Abeni, Jiri Pirko, Hideaki YOSHIFUJI, David Ahern
Subject: [PATCHv2 net 1/2] ipv6: prevent only DAD and RS sending for IFF_NO_ADDRCONF
Date: Wed, 11 Jan 2023 19:41:56 -0500
X-Mailer: git-send-email 2.31.1
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Currently IFF_NO_ADDRCONF is used to prevent all ipv6 addrconf for the slave ports of team, bonding and failover devices and it means no ipv6 packets can be sent out through these slave ports. However, for team device, "nsna_ping" link_watch requires ipv6 addrconf. Otherwise, the link will be marked failure.

The original issue fixed by IFF_NO_ADDRCONF was caused by DAD and RS packets sent by slave ports in commit c2edacf80e15 ("bonding / ipv6: no addrconf for slaves separately from master") where it's using IFF_SLAVE and later changed to IFF_NO_ADDRCONF in commit 8a321cf7becc ("net: add IFF_NO_ADDRCONF and use it in bonding to prevent ipv6 addrconf").

So instead of preventing all the ipv6 addrconf, it makes more sense to only prevent DAD and RS sending for the slave ports: Firstly, check IFF_NO_ADDRCONF in addrconf_dad_completed() to prevent RS as it did in commit b52e1cce31ca ("ipv6: Don't send rs packets to the interface of ARPHRD_TUNNEL"), and then also check IFF_NO_ADDRCONF where IFA_F_NODAD is checked to prevent DAD.

Note that the check for flags & IFA_F_NODAD in addrconf_dad_begin() is not necessary, as with IFA_F_NODAD, flags & IFA_F_TENTATIVE is always false, so there's no need to add IFF_NO_ADDRCONF check there either.

Fixes: 0aa64df30b38 ("net: team: use IFF_NO_ADDRCONF flag to prevent ipv6 addrconf")
Reported-by: Liang Li
Signed-off-by: Xin Long
---
 net/ipv6/addrconf.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index f7a84a4acffc..de4186e5349c 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -1124,7 +1124,8 @@ ipv6_add_addr(struct inet6_dev *idev, struct ifa6_config *cfg, ifa->flags = cfg->ifa_flags; ifa->ifa_proto = cfg->ifa_proto; /* No need to add the TENTATIVE flag for addresses with NODAD */ - if (!(cfg->ifa_flags & IFA_F_NODAD)) + if (!(cfg->ifa_flags & IFA_F_NODAD) && + !(idev->dev->priv_flags & IFF_NO_ADDRCONF)) ifa->flags |= IFA_F_TENTATIVE; ifa->valid_lft = cfg->valid_lft; ifa->prefered_lft = cfg->preferred_lft; @@ -3319,10 +3320,6 @@ static void addrconf_addr_gen(struct inet6_dev *idev, bool prefix_route) if (netif_is_l3_master(idev->dev)) return; - /* no link local addresses on devices flagged as slaves */ - if (idev->dev->priv_flags & IFF_NO_ADDRCONF) - return; - ipv6_addr_set(&addr, htonl(0xFE800000), 0, 0, 0); switch (idev->cnf.addr_gen_mode) { @@ -3564,7 +3561,6 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event, if (event == NETDEV_UP && !IS_ERR_OR_NULL(idev) && dev->flags & IFF_UP && dev->flags & IFF_MULTICAST) ipv6_mc_up(idev); - break; } if (event == NETDEV_UP) { @@ -3855,7 +3851,8 @@ static int addrconf_ifdown(struct net_device *dev, bool unregister) /* set state to skip the notifier below */ state = INET6_IFADDR_STATE_DEAD; ifa->state = INET6_IFADDR_STATE_PREDAD; - if (!(ifa->flags & IFA_F_NODAD)) + if (!(ifa->flags & IFA_F_NODAD) && + !(dev->priv_flags & IFF_NO_ADDRCONF)) ifa->flags |= IFA_F_TENTATIVE; rt = ifa->rt; 
@@ -4218,6 +4215,7 @@ static void addrconf_dad_completed(struct inet6_ifaddr *ifp, bool bump_id, ipv6_accept_ra(ifp->idev) && ifp->idev->cnf.rtr_solicits != 0 && (dev->flags & IFF_LOOPBACK) == 0 && + (dev->priv_flags & IFF_NO_ADDRCONF) == 0 && (dev->type != ARPHRD_TUNNEL); read_unlock_bh(&ifp->idev->lock);
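Review bot: In ipv6_add_addr() (net/ipv6/addrconf.c, first hunk), the comment above the changed condition still reads "No need to add the TENTATIVE flag for addresses with NODAD", but the test now also skips IFA_F_TENTATIVE for every address on an IFF_NO_ADDRCONF device. Update the comment to name both cases so the second clause is not mistaken for an accident later.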
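Review bot: In addrconf_addr_gen() (second hunk), removing the IFF_NO_ADDRCONF early return means slave ports get a link-local address again, and with the ipv6_add_addr() change in this patch that address is never marked IFA_F_TENTATIVE, so it is in use without any duplicate detection. The changelog only describes suppressing DAD and RS; it should say explicitly that link-local addresses on team, bonding and failover slave ports are now intended, and why leaving them unchecked is acceptable. The deleted comment "no link local addresses on devices flagged as slaves" was the only in-code description of the old behaviour, so a replacement comment explaining what IFF_NO_ADDRCONF now covers would help.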
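Review bot: In addrconf_notify() (third hunk), dropping the break makes devices that take this branch call ipv6_mc_up(idev) and then fall through into the regular "if (event == NETDEV_UP)" handling directly below. Please confirm that the common path does not bring multicast up a second time for the same idev; if it does, the special-case block should be removed together with its break rather than left in place.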
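Review bot: In addrconf_ifdown() (fourth hunk), the two-flag test "!(ifa->flags & IFA_F_NODAD) && !(dev->priv_flags & IFF_NO_ADDRCONF)" is now open-coded here and in ipv6_add_addr() with different variable names. A small helper that takes the address flags and the net_device and answers "does this address need DAD" would keep the two sites from drifting apart.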
From: Xin Long
To: network dev
Cc: davem@davemloft.net, kuba@kernel.org, Eric Dumazet, Paolo Abeni, Jiri Pirko, Hideaki YOSHIFUJI, David Ahern
Subject: [PATCHv2 net 2/2] kselftest: add a selftest for ipv6 dad and rs sending
Date: Wed, 11 Jan 2023 19:41:57 -0500
Message-Id: <83eec0770eee543174b90ba4e08d371a72565f0c.1673483994.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.31.1
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

This patch is to test all these factors and their combinations that may enable/disable ipv6 DAD or RS on a slave port or dev. For DAD, it includes:

  - sysctl "net.ipv6.conf.all.accept_dad"
  - sysctl "net.ipv6.conf.$dev_name.accept_dad"
  - inet6_ifaddr flag "IFA_F_NODAD"
  - netdev priv_flags "IFF_NO_ADDRCONF"

and for rs, it includes:

  - sysctl "net.ipv6.conf.$dev_name.accept_ra"
  - sysctl "net.ipv6.conf.$dev_name.router_solicitations"
  - netdev priv_flags "IFF_NO_ADDRCONF"

The test uses team/bond ports to have IFF_NO_ADDRCONF priv_flags set, and "ip addr add ... nodad" to have IFA_F_NODAD flag set. It uses "ip6tables" to count the DAD or RS packets during the port or dev goes up.

Note that the bridge port is also tested as slave ports without IFF_NO_ADDRCONF flag.

Signed-off-by: Xin Long
---
 tools/testing/selftests/net/Makefile       |   1 +
 tools/testing/selftests/net/ipv6_dad_rs.sh | 111 +++++++++++++++++++++
 2 files changed, 112 insertions(+)
 create mode 100755 tools/testing/selftests/net/ipv6_dad_rs.sh

diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile index 3007e98a6d64..4a9905d10212 100644 --- a/tools/testing/selftests/net/Makefile +++ b/tools/testing/selftests/net/Makefile @@ -75,6 +75,7 @@ TEST_GEN_PROGS += so_incoming_cpu TEST_PROGS += sctp_vrf.sh TEST_GEN_FILES += sctp_hello TEST_GEN_FILES += csum +TEST_PROGS += ipv6_dad_rs.sh TEST_FILES := settings
diff --git a/tools/testing/selftests/net/ipv6_dad_rs.sh b/tools/testing/selftests/net/ipv6_dad_rs.sh new file mode 100755 index 000000000000..064afe806ce4 --- /dev/null +++ b/tools/testing/selftests/net/ipv6_dad_rs.sh 
@@ -0,0 +1,111 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 +# +# Testing for DAD/RS on Ports/Devices. +# TOPO: ns0 (link0) <---> (link1) ns1 + +setup() { + local mac_addr + local ip6_addr + + ip net add ns0 + ip net add ns1 + ip net exec ns0 ip link add link0 type veth peer link1 netns ns1 + ip net exec ns0 ip link set link0 up + + # The test uses global addrs, so drop the pkts for link-local addrs. + mac_addr=`ip net exec ns1 cat /sys/class/net/link1/address` + ip6_addr="ff02::1:ff${mac_addr:9:2}:${mac_addr:12:2}${mac_addr:15:2}" + ip net exec ns1 ip6tables -A OUTPUT -d $ip6_addr -j DROP +} + +cleanup() { + ip net del ns1 + ip net del ns0 +} + +check_pkts() { + local CNT=0 + + while ip net exec ns0 ip6tables -t raw -L -v | \ + grep link0 | awk '$1 != "0" {exit 1}'; do + [ $((CNT++)) = "30" ] && return 1 + sleep 0.1 + done +} + +do_test() { + local master_type="$1" + local icmpv6_type="$2" + local pkt_exp="$3" + local pkt_rcv="0" + local dad="$4" + + ip net exec ns1 ip link set link1 down + [ $master_type != "veth" ] && { + ip net exec ns1 ip link add master_dev1 type $master_type + ip net exec ns1 ip link set link1 master master_dev1 + } + + ip net exec ns0 ip6tables -t raw -A PREROUTING -i link0 \ + -p ipv6-icmp --icmpv6-type $icmpv6_type -j ACCEPT + + ip net exec ns1 ip addr add 2000::1/64 dev link1 $dad + ip net exec ns1 ip link set link1 up + check_pkts && pkt_rcv="1" + + ip net exec ns1 ip addr del 2000::1/64 dev link1 $dad + ip net exec ns0 ip6tables -t raw -D PREROUTING -i link0 \ + -p ipv6-icmp --icmpv6-type $icmpv6_type -j ACCEPT + + [ $master_type != "veth" ] && + ip net exec ns1 ip link del master_dev1 + test "$pkt_exp" = "$pkt_rcv" +} + +test_rs() { + local rs=1 + + echo "- link_ra: $link_ra, link_rs: $link_rs" + ip net exec ns1 sysctl -qw net.ipv6.conf.link1.accept_ra=$link_ra + ip net exec ns1 sysctl -qw net.ipv6.conf.link1.router_solicitations=$link_rs + + [ "$link_ra" = "0" -o "$link_rs" = "0" ] && rs=0 + do_test veth router-solicitation 
$rs && echo " veth device (RS $rs): PASS" && + do_test bridge router-solicitation $rs && echo " bridge port (RS $rs): PASS" && + do_test bond router-solicitation 0 && echo " bond slave (RS 0): PASS" && + do_test team router-solicitation 0 && echo " team port (RS 0): PASS" +} + +test_dad() { + local nodad="" + local ns=1 + + echo "- all_dad: $all_dad, link_dad: $link_dad, addr_nodad: $addr_nodad" + ip net exec ns1 sysctl -qw net.ipv6.conf.all.accept_dad=$all_dad + ip net exec ns1 sysctl -qw net.ipv6.conf.link1.accept_dad=$link_dad + + [ "$all_dad" = "0" -a "$link_dad" = "0" ] && ns=0 + [ "$addr_nodad" = "1" ] && nodad="nodad" && ns=0 + do_test veth neighbor-solicitation $ns $nodad && echo " veth device (NS $ns): PASS" && + do_test bridge neighbor-solicitation $ns $nodad && echo " bridge port (NS $ns): PASS" && + do_test bond neighbor-solicitation 0 $dad && echo " bond slave (NS 0): PASS" && + do_test team neighbor-solicitation 0 $dad && echo " team port (NS 0): PASS" +} + +trap cleanup EXIT +setup && echo "Testing for DAD/RS on Ports/Devices:" && { + for all_dad in 0 1; do + for link_dad in 0 1; do + for addr_nodad in 0 1; do + test_dad || exit $? + done + done + done + for link_ra in 0 1; do + for link_rs in 0 1; do + test_rs || exit $? + done + done +} +exit $?
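Review bot: In test_dad() of ipv6_dad_rs.sh, the bond and team calls pass $dad as the fourth argument, but dad is only a local inside do_test(); in test_dad() it is empty, so "nodad" is never applied to the bond slave or team port cases. Pass $nodad there as the veth and bridge calls do. Because the expected count for bond and team is 0 either way, the test passes today without ever exercising the IFA_F_NODAD plus IFF_NO_ADDRCONF combination that the changelog lists.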