From: Ian Wienand
To: libvir-list@redhat.com
Cc: Ian Wienand
Subject: [PATCH] network: allow accept_ra == 0 when enabling ipv6 forwarding
Date: Wed, 12 Aug 2020 10:14:49 +1000
Message-Id: <20200812001449.28401-1-iwienand@redhat.com>

The checks modified here were added with 00d28a78b5d1f6eaf79f06ac59e31c568af9da37 to avoid losing routes on hosts. However, tools such as systemd-networking and NetworkManager manage RA's in userspace and thus IPv6 may be up and working on an interface even with accept_ra == 0.

This modifies the check to only error if an interface's accept_ra is already set to "1"; as noted inline this seems to be when it is likely that enabling forwarding may change the RA acceptance behaviour of the interface.

I have noticed this because I am using the IPv6 NAT features enabled with 927acaedec7effbe67a154d8bfa0e67f7d08e6c7. I am using this on my laptop which switches between wired and wireless connections; both of which are configured in an unremarkable way by Fedora's NetworkManager and get configured for IPv6 via SLAAC and whatever NetworkManager magic it does. With this I can define and start a libvirt network with and and it seems to "just work" for guests.

Signed-off-by: Ian Wienand --- src/util/virnetdevip.c | 41 +++++++++++++++++++++++++++-------------- 1 file changed, 27 insertions(+), 14 deletions(-) diff --git a/src/util/virnetdevip.c b/src/util/virnetdevip.c index 409f062c5c..de27cacfc9 100644 --- a/src/util/virnetdevip.c +++ b/src/util/virnetdevip.c @@ -496,7 +496,7 @@ virNetDevIPGetAcceptRA(const char *ifname) } =20 struct virNetDevIPCheckIPv6ForwardingData { - bool hasRARoutes; + bool hasKernelRARoutes; =20 /* Devices with conflicting accept_ra */ char **devices; @@ -552,15 +552,26 @@ virNetDevIPCheckIPv6ForwardingCallback(struct nlmsghd= r *resp, if (!ifname) return -1; =20 - accept_ra =3D virNetDevIPGetAcceptRA(ifname); - VIR_DEBUG("Checking route for device %s (%d), accept_ra: %d", ifname, ifindex, accept_ra); =20 - if (accept_ra !=3D 2 && virNetDevIPCheckIPv6ForwardingAddIF(data, = &ifname) < 0) + accept_ra =3D virNetDevIPGetAcceptRA(ifname); + /* 0 =3D do no accept RA + * 1 =3D accept if forwarding disabled + * 2 =3D ovveride and accept RA when forwarding enabled + * + * When RA is managed by userspace (systemd-networkd or + * NetworkManager) accept_ra is unset and we don't need to + * worry about it. If it is 1, enabling forwarding might + * change the behaviour so the user needs to be warned. + */ + if (accept_ra =3D=3D 0) + return 0; + + if (accept_ra =3D=3D 1 && virNetDevIPCheckIPv6ForwardingAddIF(data= , &ifname) < 0) return -1; =20 - data->hasRARoutes =3D true; + data->hasKernelRARoutes =3D true; return 0; } =20 
@@ -590,11 +601,13 @@ virNetDevIPCheckIPv6ForwardingCallback(struct nlmsghd= r *resp, VIR_DEBUG("Checking multipath route nexthop device %s (%d), ac= cept_ra: %d", ifname, nh->rtnh_ifindex, accept_ra); =20 - if (accept_ra !=3D 2 && virNetDevIPCheckIPv6ForwardingAddIF(da= ta, &ifname) < 0) - return -1; + if (accept_ra =3D=3D 1) { + if (virNetDevIPCheckIPv6ForwardingAddIF(data, &ifname) < 0) + return -1; + data->hasKernelRARoutes =3D true; + } =20 VIR_FREE(ifname); - data->hasRARoutes =3D true; =20 len -=3D NLMSG_ALIGN(nh->rtnh_len); VIR_WARNINGS_NO_CAST_ALIGN @@ -613,7 +626,7 @@ virNetDevIPCheckIPv6Forwarding(void) struct rtgenmsg genmsg; size_t i; struct virNetDevIPCheckIPv6ForwardingData data =3D { - .hasRARoutes =3D false, + .hasKernelRARoutes =3D false, .devices =3D NULL, .ndevices =3D 0 }; @@ -644,11 +657,11 @@ virNetDevIPCheckIPv6Forwarding(void) goto cleanup; } =20 - valid =3D !data.hasRARoutes || data.ndevices =3D=3D 0; + valid =3D !data.hasKernelRARoutes || data.ndevices =3D=3D 0; =20 /* Check the global accept_ra if at least one isn't set on a per-device basis */ - if (!valid && data.hasRARoutes) { + if (!valid && data.hasKernelRARoutes) { int accept_ra =3D virNetDevIPGetAcceptRA(NULL); valid =3D accept_ra =3D=3D 2; VIR_DEBUG("Checked global accept_ra: %d", accept_ra); @@ -663,9 +676,9 @@ virNetDevIPCheckIPv6Forwarding(void) } =20 virReportError(VIR_ERR_INTERNAL_ERROR, - _("Check the host setup: enabling IPv6 forwarding w= ith " - "RA routes without accept_ra set to 2 is likely t= o cause " - "routes loss. Interfaces to look at: %s"), + _("Check the host setup: interface has accept_ra se= t to 1 " + "and enabling forwarding without accept_ra set to= 2 is " + "likely to cause routes loss. Interfaces to look = at: %s"), virBufferCurrentContent(&buf)); } =20 --=20 2.26.2
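
Review bot: In the hunk at @@ -552,15 +552,26 the call "accept_ra = virNetDevIPGetAcceptRA(ifname);" is moved below the VIR_DEBUG that prints accept_ra, so the debug line now logs the value the variable held before the sysctl was read, not the interface's setting. Keep the assignment above the VIR_DEBUG and put the new comment and the "if (accept_ra == 0) return 0;" test after the log line. The new comment also has two typos ("do no accept RA", "ovveride"), and it describes the userspace-managed case as accept_ra being "unset" while the code tests for the value 0, which the same comment defines as "do not accept RA"; say 0 in both places. The new early return leaves the function while ifname is still held. The multipath hunk frees its ifname with VIR_FREE, and these lines do not show how this one is declared, so confirm it has automatic cleanup or free it before returning.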
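
Review bot: In the multipath hunk at @@ -590,11 +601,13, hasKernelRARoutes is now set only inside "if (accept_ra == 1)", but the single-route path in the previous hunk still sets it for every value that gets past the "accept_ra == 0" return, including 2. The two paths should give the flag the same meaning. Either set it only when accept_ra is 1 in both, or set it for any non-zero value in both, and document the choice next to the struct member. This path also has no explicit handling for accept_ra == 0 equivalent to the early return added above; the behaviour ends up the same because nothing is done for values other than 1, but a short comment mirroring the one in the first hunk would make that intent clear.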
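
Review bot: In the hunks at @@ -644,11 +657,11 and @@ -663,9 +676,9, the renamed flag no longer adds information. After this patch a device is appended only when accept_ra is 1, and on both callback paths that also sets hasKernelRARoutes, so "valid = !data.hasKernelRARoutes || data.ndevices == 0" reduces to testing ndevices, and the "&& data.hasKernelRARoutes" in the global check was already implied by "!valid". Consider dropping the struct member and testing ndevices directly, or state what case the flag is meant to cover. The unchanged comment "Check the global accept_ra if at least one isn't set on a per-device basis" should be updated to match the new per-device rule. In the new error string, "interface has accept_ra set to 1" is singular while the message goes on to list several interfaces, and "routes loss" would read better as "route loss".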