Bug#924349: linux-image-4.19.0-2-amd64: IPv6 reverse path filtering incorrectly removes IPv6 traffic from bridge

[Ralf Jung]

Hi,

>> No, I have not.
>> We are having a string of weird issues in our network (that we run in our 
>> free
>> time) so far this year so all the time I had went into debugging this and 
>> other
>> issues.
>>
>> Would it be helpful for you to know the fixing commit?
> 
> If the fixing commit can be identified and if it's not too intrusive to
> backport, it could be considered for the 4.19 stable backports and would
> thus be fixed in Buster (as buster is following the 4.19.x kernels both
> in the freeze and during the lifetime of the buster stable release.

I could try a bisect, but I think the full set of commits is rather big... do
you have a good guess for a subdirectory that I could meaningfully restrict the
bisect to?

No promises, not sure yet how much time I will really have.

; Ralf

Bug#924349: linux-image-4.19.0-2-amd64: IPv6 reverse path filtering incorrectly removes IPv6 traffic from bridge

[Moritz Mühlenhoff]

On Sun, Apr 14, 2019 at 09:53:12AM +0200, Ralf Jung wrote:
> Hi Salvatore,
> 
> >> A self-compiled upstream 4.20.14 kernel does not show this problem, but the
> >> latest kernel in testing still does.
> > 
> > have you tried to isolate the fixing commit for this issue?
> 
> No, I have not.
> We are having a string of weird issues in our network (that we run in our free
> time) so far this year so all the time I had went into debugging this and 
> other
> issues.
> 
> Would it be helpful for you to know the fixing commit?

If the fixing commit can be identified and if it's not too intrusive to
backport, it could be considered for the 4.19 stable backports and would
thus be fixed in Buster (as buster is following the 4.19.x kernels both
in the freeze and during the lifetime of the buster stable release.

Cheers,
Moritz

Bug#924349: linux-image-4.19.0-2-amd64: IPv6 reverse path filtering incorrectly removes IPv6 traffic from bridge

[Ralf Jung]

Hi Salvatore,

>> A self-compiled upstream 4.20.14 kernel does not show this problem, but the
>> latest kernel in testing still does.
> 
> have you tried to isolate the fixing commit for this issue?

No, I have not.
We are having a string of weird issues in our network (that we run in our free
time) so far this year so all the time I had went into debugging this and other
issues.

Would it be helpful for you to know the fixing commit?

; Ralf

Bug#924349: linux-image-4.19.0-2-amd64: IPv6 reverse path filtering incorrectly removes IPv6 traffic from bridge

[Salvatore Bonaccorso]

Hi Ralf,

On Mon, Mar 11, 2019 at 10:43:48PM +0100, Ralf Jung wrote:
> Package: src:linux
> Version: 4.19.16-1
> Severity: normal
> 
> Dear Maintainer,
> 
> since a recent update, IPv6 communication between two of my VMs stopped 
> working.
> You can see some of the debugging effort at
> .  It turned out that
> setting IPv6_rpfilter=no in /etc/firewalld/firewalld.conf fixes the 
> problem---so
> the ip6tables reverse path filtering is incorrectly dropping packets here.
> 
> A self-compiled upstream 4.20.14 kernel does not show this problem, but the
> latest kernel in testing still does.

have you tried to isolate the fixing commit for this issue?

Regards,
Salvatore

Bug#924349: linux-image-4.19.0-2-amd64: IPv6 reverse path filtering incorrectly removes IPv6 traffic from bridge

[Ralf Jung]

Package: src:linux
Version: 4.19.16-1
Severity: normal

Dear Maintainer,

since a recent update, IPv6 communication between two of my VMs stopped working.
You can see some of the debugging effort at
.  It turned out that
setting IPv6_rpfilter=no in /etc/firewalld/firewalld.conf fixes the problem---so
the ip6tables reverse path filtering is incorrectly dropping packets here.

A self-compiled upstream 4.20.14 kernel does not show this problem, but the
latest kernel in testing still does.

Kind regards,
Ralf

-- Package-specific info:
** Version:
Linux version 4.19.0-2-amd64 (debian-ker...@lists.debian.org) (gcc version 
8.2.0 (Debian 8.2.0-14)) #1 SMP Debian 4.19.16-1 (2019-01-17)

** Command line:
BOOT_IMAGE=/vmlinuz-4.19.0-2-amd64 root=/dev/mapper/vg-root ro quiet splash

** Tainted: UOE (12352)
 * Userspace-defined naughtiness.
 * Out-of-tree module has been loaded.
 * Unsigned module has been loaded.

** Kernel log:
Unable to read kernel log; any relevant messages should be attached

** Model information
sys_vendor: LENOVO
product_name: 20ENCTO1WW
product_version: ThinkPad P50
chassis_vendor: LENOVO
chassis_version: None
bios_vendor: LENOVO
bios_version: N1EET79W (1.52 )
board_vendor: LENOVO
board_name: 20ENCTO1WW
board_version: Not Defined

** Loaded modules:
nfnetlink_queue
nfnetlink_log
vhost_net
vhost
tap
xt_CHECKSUM
tun
ipt_MASQUERADE
nf_conntrack_netlink
xfrm_user
xfrm_algo
xt_addrtype
iptable_filter
br_netfilter
bridge
stp
llc
overlay
pci_stub
vboxpci(OE)
vboxnetadp(OE)
vboxnetflt(OE)
vboxdrv(OE)
ctr
ccm
xt_tcpudp
ip6t_rpfilter
ip6t_REJECT
nf_reject_ipv6
ipt_REJECT
nf_reject_ipv4
xt_conntrack
nft_counter
devlink
nft_chain_nat_ipv6
nf_nat_ipv6
nft_chain_route_ipv6
nft_chain_nat_ipv4
nf_nat_ipv4
nf_nat
nft_chain_route_ipv4
nf_conntrack
nf_defrag_ipv6
nf_defrag_ipv4
ip6_tables
nft_compat
ip_set
nf_tables
nfnetlink
bnep
binfmt_misc
nls_ascii
arc4
nls_cp437
vfat
fat
btusb
btrtl
btbcm
btintel
bluetooth
uvcvideo
videobuf2_vmalloc
iwlmvm
videobuf2_memops
intel_rapl
videobuf2_v4l2
videobuf2_common
x86_pkg_temp_thermal
intel_powerclamp
drbg
mac80211
videodev
ansi_cprng
snd_hda_codec_realtek
snd_hda_codec_generic
media
coretemp
ecdh_generic
kvm_intel
snd_hda_intel
kvm
snd_hda_codec
iwlwifi
snd_hda_core
irqbypass
tpm_tis
snd_hwdep
tpm_tis_core
efi_pstore
rtsx_pci_ms
joydev
tpm
snd_pcm
intel_cstate
thinkpad_acpi
snd_timer
cfg80211
intel_uncore
serio_raw
memstick
wmi_bmof
nvram
mei_me
intel_rapl_perf
iTCO_wdt
iTCO_vendor_support
sg
mei
efivars
pcspkr
intel_pch_thermal
ie31200_edac
rng_core
snd
soundcore
rfkill
ac
battery
evdev
pcc_cpufreq
nfsd
cuse
fuse
auth_rpcgss
nfs_acl
parport_pc
lockd
ppdev
grace
lp
sunrpc
parport
efivarfs
ip_tables
x_tables
autofs4
ext4
crc16
mbcache
jbd2
fscrypto
ecb
btrfs
zstd_decompress
zstd_compress
xxhash
algif_skcipher
af_alg
dm_crypt
dm_mod
raid10
raid456
async_raid6_recov
async_memcpy
async_pq
async_xor
async_tx
xor
raid6_pq
libcrc32c
crc32c_generic
raid1
raid0
multipath
linear
md_mod
hid_cherry
hid_generic
usbhid
hid
sd_mod
nouveau
crct10dif_pclmul
crc32_pclmul
crc32c_intel
ghash_clmulni_intel
pcbc
i915
rtsx_pci_sdmmc
mmc_core
mxm_wmi
ttm
ahci
i2c_algo_bit
libahci
xhci_pci
drm_kms_helper
rtsx_pci
psmouse
xhci_hcd
libata
aesni_intel
aes_x86_64
drm
usbcore
e1000e
crypto_simd
cryptd
scsi_mod
glue_helper
i2c_i801
usb_common
thermal
wmi
video
button

** Network interface configuration:

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

** Network status:
*** IP interfaces and addresses:
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group 
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
   valid_lft forever preferred_lft forever
2: enp0s31f6:  mtu 1500 qdisc pfifo_fast 
state DOWN group default qlen 1000
link/ether c8:5b:76:1b:c1:50 brd ff:ff:ff:ff:ff:ff
3: wlp2s0:  mtu 1500 qdisc mq state UP group 
default qlen 1000
link/ether e4:a4:71:65:d2:a4 brd ff:ff:ff:ff:ff:ff
inet 192.168.178.30/24 brd 192.168.178.255 scope global dynamic 
noprefixroute wlp2s0
   valid_lft 863824sec preferred_lft 863824sec
inet6 2a01:c23:7c45:b400:8f5e:4a73:f0b5:5280/64 scope global dynamic 
noprefixroute 
   valid_lft 7126sec preferred_lft 3526sec
inet6 fe80::bcf2:b485:9f96:e957/64 scope link noprefixroute 
   valid_lft forever preferred_lft forever
4: docker0:  mtu 1500 qdisc noqueue state 
DOWN group default 
link/ether 02:42:d6:da:98:4e brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
   valid_lft forever preferred_lft forever
5: virbr0:  mtu 1500 qdisc noqueue state UP 
group default qlen 1000
link/ether 52:54:00:f5:09:38 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
   valid_lft forever preferred_lft forever
6: virbr0-nic:  mtu 1500 qdisc pfifo_fast master virbr0 
state