86 – pasta does not filter out unneeded routes on kernel < 4.20

Bug 86 - pasta does not filter out unneeded routes on kernel < 4.20

Summary: pasta does not filter out unneeded routes on kernel < 4.20

Status:	IN_PROGRESS

Alias:	None

Product:	passt
Classification:	Unclassified
Component:	pasta (show other bugs)
Version:	unspecified
Hardware:	All Linux

Importance:	Normal normal
Assignee:	nobody

URL:

Depends on:
Blocks:

Reported:	2024-04-15 00:41 UTC by runsisi
Modified:	2024-04-26 10:58 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description runsisi 2024-04-15 00:41:39 UTC

`NETLINK_GET_STRICT_CHK` support was added in kernel 4.20 [1], so on CentOS 8.x or other old kernels the filter set in `nl_route_dup` has no effect.

the following is a simple example to reproduce:

```sh
$ uname -r
4.18.0-348.el8.aarch64

$ sudo ip link add dummy0 type dummy
$ sudo ip link set dev dummy0 up
$ echo 0 | sudo tee /sys/class/net/dummy0/carrier
$ sudo ip addr add dev dummy0 172.16.13.13/16
$ sudo ip addr | grep dummy0 -A 3
4: dummy0: <NO-CARRIER,BROADCAST,NOARP,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether f6:b0:92:bd:83:71 brd ff:ff:ff:ff:ff:ff
    inet 172.16.13.13/16 scope global dummy0
       valid_lft forever preferred_lft forever
    inet6 fe80::f4b0:92ff:febd:8371/64 scope link 
       valid_lft forever preferred_lft forever

$ ./pasta -4 --config-net
Couldn't set IPv4 route(s) in guest: Invalid argument
```

if we link up the dummy interface, pasta would succeed with more route entries than needed though:

```sh
$ echo 1 | sudo tee /sys/class/net/dummy0/carrier
$ ip route
default via 10.0.3.1 dev enp0s19 proto dhcp metric 100 
10.0.0.0/8 dev enp0s18 proto kernel scope link src 10.0.0.91 
10.0.3.0/24 dev enp0s19 proto kernel scope link src 10.0.3.91 metric 100 
172.16.0.0/16 dev dummy0 proto kernel scope link src 172.16.13.13
$ ip route list table main type unicast oif enp0s19
default via 10.0.3.1 proto dhcp metric 100 
10.0.3.0/24 proto kernel scope link src 10.0.3.91 metric 100

$ ./pasta -4 --config-net
# ip route
default via 10.0.3.1 dev enp0s19 proto dhcp metric 100 
10.0.0.0/8 dev enp0s19 proto kernel scope link 
10.0.3.0/24 dev enp0s19 proto kernel scope link metric 100 
172.16.0.0/16 dev enp0s19 proto kernel scope link
```

[1] netlink: Add new socket option to enable strict checking on dumps
https://github.com/torvalds/linux/commit/89d35528d17d25819a755a2b52931e911baebc66

Comment 1 Stefano Brivio 2024-04-15 21:29:02 UTC

This was originally taken care of, for addresses: commit e89da3cf03b2 ("netlink: Add functionality to copy addresses from outer namespace") explains how.

It looks like commit dee75941801a ("netlink: Make nl_*_dup() use a separate datagram for each request") accidentally removed the AF_UNSPEC assignment for ifa_family. So we should also fix that.

Similarly, for routes, setting AF_UNSPEC to rtm_family for interface-mismatching routes should do the trick.

Comment 2 Stefano Brivio 2024-04-26 10:58:59 UTC

Patches at https://archives.passt.top/passt-dev/20240423204125.3424982-1-sbrivio@redhat.com/, pending review (testing appreciated).

Note You need to log in before you can comment on or make changes to this bug.