`NETLINK_GET_STRICT_CHK` support was added in kernel 4.20 [1], so on CentOS 8.x or other old kernels the filter set in `nl_route_dup` has no effect. The following is a simple example to reproduce:

```sh
$ uname -r
4.18.0-348.el8.aarch64
$ sudo ip link add dummy0 type dummy
$ sudo ip link set dev dummy0 up
$ echo 0 | sudo tee /sys/class/net/dummy0/carrier
$ sudo ip addr add dev dummy0 172.16.13.13/16
$ sudo ip addr | grep dummy0 -A 3
4: dummy0: <NO-CARRIER,BROADCAST,NOARP,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether f6:b0:92:bd:83:71 brd ff:ff:ff:ff:ff:ff
    inet 172.16.13.13/16 scope global dummy0
       valid_lft forever preferred_lft forever
    inet6 fe80::f4b0:92ff:febd:8371/64 scope link
       valid_lft forever preferred_lft forever
$ ./pasta -4 --config-net
Couldn't set IPv4 route(s) in guest: Invalid argument
```

If we link up the dummy interface, pasta would succeed with more route entries than needed though:

```sh
$ echo 1 | sudo tee /sys/class/net/dummy0/carrier
$ ip route
default via 10.0.3.1 dev enp0s19 proto dhcp metric 100
10.0.0.0/8 dev enp0s18 proto kernel scope link src 10.0.0.91
10.0.3.0/24 dev enp0s19 proto kernel scope link src 10.0.3.91 metric 100
172.16.0.0/16 dev dummy0 proto kernel scope link src 172.16.13.13
$ ip route list table main type unicast oif enp0s19
default via 10.0.3.1 proto dhcp metric 100
10.0.3.0/24 proto kernel scope link src 10.0.3.91 metric 100
$ ./pasta -4 --config-net
# ip route
default via 10.0.3.1 dev enp0s19 proto dhcp metric 100
10.0.0.0/8 dev enp0s19 proto kernel scope link
10.0.3.0/24 dev enp0s19 proto kernel scope link metric 100
172.16.0.0/16 dev enp0s19 proto kernel scope link
```

[1] netlink: Add new socket option to enable strict checking on dumps https://github.com/torvalds/linux/commit/89d35528d17d25819a755a2b52931e911baebc66
This was originally taken care of, for addresses: commit e89da3cf03b2 ("netlink: Add functionality to copy addresses from outer namespace") explains how. It looks like commit dee75941801a ("netlink: Make nl_*_dup() use a separate datagram for each request") accidentally removed the AF_UNSPEC assignment for ifa_family. So we should also fix that. Similarly, for routes, setting AF_UNSPEC to rtm_family for interface-mismatching routes should do the trick.
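
The route marking suggested in the comment above, as an added example that is not part of this thread and not passt's own code: because kernels before 4.20 ignore the dump filter, user space checks `RTA_OIF` on every dumped route itself. `mark_foreign_routes` and `sample_dump` are hypothetical names, the dump is constructed, and only routes with a top-level `RTA_OIF` (single nexthop) are handled.

```c
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Set rtm_family = AF_UNSPEC on each RTM_NEWROUTE in a dump whose RTA_OIF is
 * not ifi. Returns the number of routes on ifi, which are left unchanged. */
int mark_foreign_routes(void *buf, ssize_t len, unsigned int ifi)
{
	struct nlmsghdr *nh;
	struct rtattr *rta;
	int na, kept = 0;

	for (nh = buf; NLMSG_OK(nh, len); nh = NLMSG_NEXT(nh, len)) {
		struct rtmsg *rtm = NLMSG_DATA(nh);
		unsigned int oif = 0;
		if (nh->nlmsg_type != RTM_NEWROUTE ||
		    nh->nlmsg_len < NLMSG_LENGTH(sizeof(*rtm)))
			continue;	/* not a route, or too short to hold one */
		for (rta = RTM_RTA(rtm), na = RTM_PAYLOAD(nh); RTA_OK(rta, na);
		     rta = RTA_NEXT(rta, na))
			if (rta->rta_type == RTA_OIF && rta->rta_len >= RTA_LENGTH(sizeof(oif)))
				memcpy(&oif, RTA_DATA(rta), sizeof(oif));
		if (oif != ifi)
			rtm->rtm_family = AF_UNSPEC;	/* mark: other interface */
		kept += oif == ifi;
	}
	return kept;
}

/* Constructed sample dump: three IPv4 routes on ifindex 2, 4, 2, each with
 * only RTA_OIF. buf must be 4-byte aligned; returns the dump length. */
ssize_t sample_dump(char *buf)
{
	const unsigned int oifs[] = { 2, 4, 2 };
	const size_t mlen = NLMSG_SPACE(sizeof(struct rtmsg)) + RTA_LENGTH(sizeof(*oifs));
	size_t i;
	for (i = 0; i < 3; i++) {
		struct nlmsghdr *nh = memset(buf + i * mlen, 0, mlen);
		struct rtmsg *rtm = NLMSG_DATA(nh);
		struct rtattr *rta = RTM_RTA(rtm);
		*nh = (struct nlmsghdr){ .nlmsg_len = mlen, .nlmsg_type = RTM_NEWROUTE };
		rtm->rtm_family = AF_INET;
		*rta = (struct rtattr){ .rta_len = RTA_LENGTH(sizeof(*oifs)), .rta_type = RTA_OIF };
		memcpy(RTA_DATA(rta), &oifs[i], sizeof(*oifs));
	}
	return 3 * mlen;
}
```
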
Patches at https://archives.passt.top/passt-dev/20240423204125.3424982-1-sbrivio@redhat.com/, pending review (testing appreciated).
Applied the second patch (since the first is already on master), and tested on aarch64 with kernel 4.19.90 and amd64 with kernel 6.8.7; it works fine.
Tested v2 on aarch64 with kernel 4.19.90 and amd64 with kernel 6.8.7, works fine. Thanks!
Thanks for testing and re-testing! Patch merged now (not released yet).
Now it's merged, closing.