`NETLINK_GET_STRICT_CHK` support was added in kernel 4.20 [1], so on CentOS 8.x or other old kernels the filter set in `nl_route_dup` has no effect. The following is a simple example to reproduce:

```sh
$ uname -r
4.18.0-348.el8.aarch64
$ sudo ip link add dummy0 type dummy
$ sudo ip link set dev dummy0 up
$ echo 0 | sudo tee /sys/class/net/dummy0/carrier
$ sudo ip addr add dev dummy0 172.16.13.13/16
$ sudo ip addr | grep dummy0 -A 3
4: dummy0: <NO-CARRIER,BROADCAST,NOARP,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether f6:b0:92:bd:83:71 brd ff:ff:ff:ff:ff:ff
    inet 172.16.13.13/16 scope global dummy0
       valid_lft forever preferred_lft forever
    inet6 fe80::f4b0:92ff:febd:8371/64 scope link
       valid_lft forever preferred_lft forever
$ ./pasta -4 --config-net
Couldn't set IPv4 route(s) in guest: Invalid argument
```

If we link up the dummy interface, pasta would succeed with more route entries than needed though:

```sh
$ echo 1 | sudo tee /sys/class/net/dummy0/carrier
$ ip route
default via 10.0.3.1 dev enp0s19 proto dhcp metric 100
10.0.0.0/8 dev enp0s18 proto kernel scope link src 10.0.0.91
10.0.3.0/24 dev enp0s19 proto kernel scope link src 10.0.3.91 metric 100
172.16.0.0/16 dev dummy0 proto kernel scope link src 172.16.13.13
$ ip route list table main type unicast oif enp0s19
default via 10.0.3.1 proto dhcp metric 100
10.0.3.0/24 proto kernel scope link src 10.0.3.91 metric 100
$ ./pasta -4 --config-net
# ip route
default via 10.0.3.1 dev enp0s19 proto dhcp metric 100
10.0.0.0/8 dev enp0s19 proto kernel scope link
10.0.3.0/24 dev enp0s19 proto kernel scope link metric 100
172.16.0.0/16 dev enp0s19 proto kernel scope link
```

[1] netlink: Add new socket option to enable strict checking on dumps
https://github.com/torvalds/linux/commit/89d35528d17d25819a755a2b52931e911baebc66
This was originally taken care of, for addresses: commit e89da3cf03b2 ("netlink: Add functionality to copy addresses from outer namespace") explains how. It looks like commit dee75941801a ("netlink: Make nl_*_dup() use a separate datagram for each request") accidentally removed the AF_UNSPEC assignment for ifa_family. So we should also fix that. Similarly, for routes, setting AF_UNSPEC to rtm_family for interface-mismatching routes should do the trick.
Patches at https://archives.passt.top/passt-dev/20240423204125.3424982-1-sbrivio@redhat.com/, pending review (testing appreciated).
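
The userspace filtering discussed in this thread (marking interface-mismatching routes with AF_UNSPEC when the kernel ignores the dump filter), sketched as an added example that is not taken from the passt patches. The names `filter_routes_by_oif` and `put_route` are hypothetical, and the sample messages are constructed rather than captured from a real dump.

```c
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Hypothetical helper, not passt's code: in a buffer of RTM_NEWROUTE dump
 * replies, set rtm_family to AF_UNSPEC on every route whose RTA_OIF is not
 * ifi, so the caller skips it. Returns the number of routes left usable. */
static int filter_routes_by_oif(char *buf, int len, unsigned int ifi)
{
	struct nlmsghdr *nh;
	int kept = 0;

	for (nh = (struct nlmsghdr *)buf; NLMSG_OK(nh, len); nh = NLMSG_NEXT(nh, len)) {
		struct rtmsg *rtm = NLMSG_DATA(nh);
		struct rtattr *rta;
		int na, match = 0;
		if (nh->nlmsg_type != RTM_NEWROUTE ||
		    nh->nlmsg_len < NLMSG_LENGTH(sizeof(*rtm)))
			continue;	/* not a route, or too short to hold rtmsg */
		for (rta = RTM_RTA(rtm), na = RTM_PAYLOAD(nh); RTA_OK(rta, na);
		     rta = RTA_NEXT(rta, na))
			if (rta->rta_type == RTA_OIF &&
			    rta->rta_len >= RTA_LENGTH(sizeof(ifi)) &&
			    !memcmp(RTA_DATA(rta), &ifi, sizeof(ifi)))
				match = 1;
		if (!match)
			rtm->rtm_family = AF_UNSPEC;
		kept += match;
	}
	return kept;
}

/* Constructed sample input: append one IPv4 route carrying only RTA_OIF. */
static int put_route(char *buf, int off, unsigned int oif)
{
	struct nlmsghdr *nh = (struct nlmsghdr *)(buf + off);
	struct rtmsg *rtm = NLMSG_DATA(nh);
	struct rtattr *rta = RTM_RTA(rtm);

	memset(nh, 0, NLMSG_SPACE(sizeof(*rtm)) + RTA_SPACE(sizeof(oif)));
	nh->nlmsg_type = RTM_NEWROUTE;
	nh->nlmsg_len = NLMSG_SPACE(sizeof(*rtm)) + RTA_SPACE(sizeof(oif));
	rtm->rtm_family = AF_INET;
	rta->rta_type = RTA_OIF;
	rta->rta_len = RTA_LENGTH(sizeof(oif));
	memcpy(RTA_DATA(rta), &oif, sizeof(oif));
	return off + NLMSG_ALIGN(nh->nlmsg_len);
}
```

The filter relies on RTA_OIF alone, so it behaves the same whether or not the kernel honoured the filter in the request; routes without a matching RTA_OIF are treated as mismatching.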