Bug 86 - pasta does not filter out unneeded routes on kernel < 4.20
Summary: pasta does not filter out unneeded routes on kernel < 4.20
Status: IN_PROGRESS
Alias: None
Product: passt
Classification: Unclassified
Component: pasta (show other bugs)
Version: unspecified
Hardware: All Linux
: Normal normal
Assignee: nobody
URL:
Depends on:
Blocks:
 
Reported: 2024-04-15 00:41 UTC by runsisi
Modified: 2024-05-10 23:40 UTC (History)
1 user (show)

See Also:


Attachments

Description runsisi 2024-04-15 00:41:39 UTC
`NETLINK_GET_STRICT_CHK` support was added in kernel 4.20 [1], so on CentOS 8.x or other old kernels the filter set in `nl_route_dup` has no effect.

the following is a simple example to reproduce:

```sh
$ uname -r
4.18.0-348.el8.aarch64

$ sudo ip link add dummy0 type dummy
$ sudo ip link set dev dummy0 up
$ echo 0 | sudo tee /sys/class/net/dummy0/carrier
$ sudo ip addr add dev dummy0 172.16.13.13/16
$ sudo ip addr | grep dummy0 -A 3
4: dummy0: <NO-CARRIER,BROADCAST,NOARP,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether f6:b0:92:bd:83:71 brd ff:ff:ff:ff:ff:ff
    inet 172.16.13.13/16 scope global dummy0
       valid_lft forever preferred_lft forever
    inet6 fe80::f4b0:92ff:febd:8371/64 scope link 
       valid_lft forever preferred_lft forever

$ ./pasta -4 --config-net
Couldn't set IPv4 route(s) in guest: Invalid argument
```

if we link up the dummy interface, pasta would succeed with more route entries than needed though:

```sh
$ echo 1 | sudo tee /sys/class/net/dummy0/carrier
$ ip route
default via 10.0.3.1 dev enp0s19 proto dhcp metric 100 
10.0.0.0/8 dev enp0s18 proto kernel scope link src 10.0.0.91 
10.0.3.0/24 dev enp0s19 proto kernel scope link src 10.0.3.91 metric 100 
172.16.0.0/16 dev dummy0 proto kernel scope link src 172.16.13.13
$ ip route list table main type unicast oif enp0s19
default via 10.0.3.1 proto dhcp metric 100 
10.0.3.0/24 proto kernel scope link src 10.0.3.91 metric 100

$ ./pasta -4 --config-net
# ip route
default via 10.0.3.1 dev enp0s19 proto dhcp metric 100 
10.0.0.0/8 dev enp0s19 proto kernel scope link 
10.0.3.0/24 dev enp0s19 proto kernel scope link metric 100 
172.16.0.0/16 dev enp0s19 proto kernel scope link
```

[1] netlink: Add new socket option to enable strict checking on dumps
https://github.com/torvalds/linux/commit/89d35528d17d25819a755a2b52931e911baebc66
Comment 1 Stefano Brivio 2024-04-15 21:29:02 UTC
This was originally taken care of, for addresses: commit e89da3cf03b2 ("netlink: Add functionality to copy addresses from outer namespace") explains how.

It looks like commit dee75941801a ("netlink: Make nl_*_dup() use a separate datagram for each request") accidentally removed the AF_UNSPEC assignment for ifa_family. So we should also fix that.

Similarly, for routes, setting AF_UNSPEC to rtm_family for interface-mismatching routes should do the trick.
Comment 2 Stefano Brivio 2024-04-26 10:58:59 UTC
Patches at https://archives.passt.top/passt-dev/20240423204125.3424982-1-sbrivio@redhat.com/, pending review (testing appreciated).
Comment 3 runsisi 2024-05-04 02:33:42 UTC
applied the second patch (since the first is already on master), and tested on aarch64 with kernel 4.19.90 and amd64 with kernel 6.8.7, it works fine.
Comment 4 runsisi 2024-05-07 00:17:40 UTC
tested v2 on aarch64 with kernel 4.19.90 and amd64 with kernel 6.8.7, works fine.

thanks!
Comment 5 Stefano Brivio 2024-05-10 23:40:24 UTC
Thanks for testing and re-testing! Patch merged now (not released yet).

Note You need to log in before you can comment on or make changes to this bug.