Re: IPv6 route to gateway on fe80::1%eth0 when I have fe80::1%br0 locally

2016-02-23 Thread Marc Haber 
On Tue, Feb 23, 2016 at 10:03:28AM +0100, Hannes Frederic Sowa wrote:
> Thanks for letting me know. Hopefully this also fixes
> https://bugzilla.kernel.org/show_bug.cgi?id=110721.

As far as I have understood the systemd release logs, the code
handling IPv6 RAs was added in systemd 229, which was released on
February 11. So, #110721, filed in January, seems to be "safe" from
this issue unless a development snapshot of systemd was used here.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

Re: IPv6 route to gateway on fe80::1%eth0 when I have fe80::1%br0 locally

2016-02-23 Thread Hannes Frederic Sowa 

On 22.02.2016 20:20, Marc Haber wrote:

On Mon, Feb 22, 2016 at 05:15:41PM +0100, Hannes Frederic Sowa wrote:

On 22.02.2016 16:47, Marc Haber wrote:

Can you reproduce the behavior with accept_ra_from_local =0 as well?
Unfortunately, the debugging VM I build works fine, it's just the
physical host showing this behavior. This is really strange.


Same here. Debugging VM didn't show this error at all and other systems
didn't show this symptom either (4.4.2 as well as net-next).

With which kernel did you see this behavior for the first time and what was
the last working version?


Thanks for motivating me to investigate this further.

I have to apologize. It is not a kernel issue.

It has turned out that systemd, starting with version 229, has placed
a "Not invented here" stamp on route advertisement processing in the
kernel and has implemented its own userspace code to handle router
advertisements.

And, of course, they did it wrong.

Setting IPv6AcceptRouterAdvertisements=0 in eth0.network seems to
disable enough code that this issue does not show any more.

Sorry for the rumble, I debugged the wrong piece of software. Bugs in
Debian are filed, #815582, #815586. I don't file bugs with systemd
upstream any more since I got silenced on systemd-devel for losing my
temper.


Thanks for letting me know. Hopefully this also fixes 
https://bugzilla.kernel.org/show_bug.cgi?id=110721.


Thanks,
Hannes

Re: IPv6 route to gateway on fe80::1%eth0 when I have fe80::1%br0 locally

2016-02-22 Thread Marc Haber 
On Mon, Feb 22, 2016 at 05:15:41PM +0100, Hannes Frederic Sowa wrote:
> On 22.02.2016 16:47, Marc Haber wrote:
> >Can you reproduce the behavior with accept_ra_from_local =0 as well?
> >Unfortunately, the debugging VM I build works fine, it's just the
> >physical host showing this behavior. This is really strange.
> 
> Same here. Debugging VM didn't show this error at all and other systems
> didn't show this symptom either (4.4.2 as well as net-next).
> 
> With which kernel did you see this behavior for the first time and what was
> the last working version?

Thanks for motivating me to investigate this further.

I have to apologize. It is not a kernel issue.

It has turned out that systemd, starting with version 229, has placed
a "Not invented here" stamp on route advertisement processing in the
kernel and has implemented its own userspace code to handle router
advertisements.

And, of course, they did it wrong.

Setting IPv6AcceptRouterAdvertisements=0 in eth0.network seems to
disable enough code that this issue does not show any more.

Sorry for the rumble, I debugged the wrong piece of software. Bugs in
Debian are filed, #815582, #815586. I don't file bugs with systemd
upstream any more since I got silenced on systemd-devel for losing my
temper.

Greetings
Marc


-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

Re: IPv6 route to gateway on fe80::1%eth0 when I have fe80::1%br0 locally

2016-02-22 Thread Hannes Frederic Sowa 

On 22.02.2016 16:47, Marc Haber wrote:

Can you reproduce the behavior with accept_ra_from_local =0 as well?
Unfortunately, the debugging VM I build works fine, it's just the
physical host showing this behavior. This is really strange.


Same here. Debugging VM didn't show this error at all and other systems 
didn't show this symptom either (4.4.2 as well as net-next).


With which kernel did you see this behavior for the first time and what 
was the last working version?


Bye,
Hannes

Re: IPv6 route to gateway on fe80::1%eth0 when I have fe80::1%br0 locally

2016-02-22 Thread Marc Haber 
On Mon, Feb 22, 2016 at 04:12:36PM +0100, Hannes Frederic Sowa wrote:
> On 22.02.2016 16:04, Marc Haber wrote:
> >In prose:
> >
> >The host is a host for KVM VMs. It receives IPv6 connectivity via RA
> >on eth0, where the default gateway announces its address as fe80::1.
> >It also provides IPv6 connectivity to the VMs via the br0 interface.
> >It is running radvd on br0, and for statically configured VMs it has
> >also fe80::1 on br0.
> >
> >If accept_ra_from_local on eth0 were 0, the system would not accept
> >the RA from the default gateway and and up with no IPv6 since fe80::1
> >is locally configured with br0.
> 
> Isn't this behavior fixed with
> 
> commit c1a9a291cee0890eb0f435243f3fb84fefb04348
> Author: Hannes Frederic Sowa 
> Date:   Wed Dec 23 22:44:37 2015 +0100
> 
> ipv6: honor ifindex in case we receive ll addresses in router
> advertisements
> 
> $ git describe --contains c1a9a291cee0890eb0f435243f3fb84fefb04348
> v4.4-rc8~5^2~10
> 
> ?
> 
> If you don't have fe80::1%br0 bound on exactly that interface, it should
> work, no? So, no need for accept_ra_from_local, which has dubious semantics
> anyway.

I have accept_ra_from_local set to 0 on all interfaces now, and I
still get the dubious default route on eth0.

> >If accept_ra_from_local on eth0 is 1, the system accepts both the RA
> >from the default gateway on eth0 _AND_ its own RA sent out and
> >received on br0, and, making things worse, is setting the IP address
> >and default route not on br0, but on eth0.
> 
> Understood. Thanks, I was just able to easily reproduce it. Was already
> wondering why someone would enable accept_ra_from_local besides only
> testing. I check it out, thanks!

Can you reproduce the behavior with accept_ra_from_local =0 as well?
Unfortunately, the debugging VM I build works fine, it's just the
physical host showing this behavior. This is really strange.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

Re: IPv6 route to gateway on fe80::1%eth0 when I have fe80::1%br0 locally

2016-02-22 Thread Marc Haber 
Hi Hannes,

On Tue, Dec 22, 2015 at 10:50:04PM +0100, Hannes Frederic Sowa wrote:
> Thanks but no need to do that, I already cooked a patch and will submit
> tomorrow after some testing. We don't need to enhance the sysctl,
> default should be to simply check the interface too if a route with
> link-local address is received.

Kernel bugzilla #112751 is related to this.

The following is snipped to the relevant parts and was obtained on a
Debian system running kernel 4.4.2

[1/501]mh@fan:~$ for f in 
/proc/sys/net/ipv6/conf/*/{accept_ra,accept_ra_from_local,forwarding}; do echo 
$f; cat $f; done
/proc/sys/net/ipv6/conf/all/accept_ra
1
/proc/sys/net/ipv6/conf/br0/accept_ra
0
/proc/sys/net/ipv6/conf/default/accept_ra
1
/proc/sys/net/ipv6/conf/eth0/accept_ra
2
/proc/sys/net/ipv6/conf/all/accept_ra_from_local
0
/proc/sys/net/ipv6/conf/br0/accept_ra_from_local
0
/proc/sys/net/ipv6/conf/default/accept_ra_from_local
0
/proc/sys/net/ipv6/conf/eth0/accept_ra_from_local
1
[2/502]mh@fan:~$ ip a
2: eth0:  mtu 1500 qdisc pfifo_fast state UP 
group default qlen 1000
inet6 2a01:238:4071:328d:5604:a6ff:fe82:2100/64 scope global mngtmpaddr 
noprefixroute dynamic
   valid_lft 86038sec preferred_lft 14038sec
inet6 2a01:238:4071:3282:5604:a6ff:fe82:2100/64 scope global mngtmpaddr 
noprefixroute dynamic
   valid_lft 86372sec preferred_lft 14372sec
3: br0:  mtu 1500 qdisc noqueue state UP group 
default qlen 1000
inet6 2a01:238:4071:328d::1d:153/64 scope global
   valid_lft forever preferred_lft forever
inet6 2a01:238:4071:328d::1d:100/64 scope global
   valid_lft forever preferred_lft forever
[3/503]mh@fan:~$ ip -6 r
default via fe80::1 dev eth0  proto ra  metric 1024  pref medium
default via fe80::c4f4:98ff:fedc:5e21 dev eth0  proto ra  metric 1024  pref 
medium
[4/504]mh@fan:~$

In prose:

The host is a host for KVM VMs. It receives IPv6 connectivity via RA
on eth0, where the default gateway announces its address as fe80::1.
It also provides IPv6 connectivity to the VMs via the br0 interface.
It is running radvd on br0, and for statically configured VMs it has
also fe80::1 on br0.

If accept_ra_from_local on eth0 were 0, the system would not accept
the RA from the default gateway and and up with no IPv6 since fe80::1
is locally configured with br0.

If accept_ra_from_local on eth0 is 1, the system accepts both the RA
from the default gateway on eth0 _AND_ its own RA sent out and
received on br0, and, making things worse, is setting the IP address
and default route not on br0, but on eth0.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

Re: IPv6 route to gateway on fe80::1%eth0 when I have fe80::1%br0 locally

2016-02-22 Thread Hannes Frederic Sowa 

Hi Marc,

On 22.02.2016 16:04, Marc Haber wrote:

In prose:

The host is a host for KVM VMs. It receives IPv6 connectivity via RA
on eth0, where the default gateway announces its address as fe80::1.
It also provides IPv6 connectivity to the VMs via the br0 interface.
It is running radvd on br0, and for statically configured VMs it has
also fe80::1 on br0.

If accept_ra_from_local on eth0 were 0, the system would not accept
the RA from the default gateway and and up with no IPv6 since fe80::1
is locally configured with br0.


Isn't this behavior fixed with

commit c1a9a291cee0890eb0f435243f3fb84fefb04348
Author: Hannes Frederic Sowa 
Date:   Wed Dec 23 22:44:37 2015 +0100

ipv6: honor ifindex in case we receive ll addresses in router 
advertisements


$ git describe --contains c1a9a291cee0890eb0f435243f3fb84fefb04348
v4.4-rc8~5^2~10

?

If you don't have fe80::1%br0 bound on exactly that interface, it should 
work, no? So, no need for accept_ra_from_local, which has dubious 
semantics anyway.



If accept_ra_from_local on eth0 is 1, the system accepts both the RA
from the default gateway on eth0 _AND_ its own RA sent out and
received on br0, and, making things worse, is setting the IP address
and default route not on br0, but on eth0.


Understood. Thanks, I was just able to easily reproduce it. Was already 
wondering why someone would enable accept_ra_from_local besides only 
testing. I check it out, thanks!


Thanks,
Hannes

Re: IPv6 route to gateway on fe80::1%eth0 when I have fe80::1%br0 locally

2015-12-22 Thread Hannes Frederic Sowa 
On 12.12.2015 20:58, Marc Haber wrote:
> Any hints would be appreciated.

This sysctl should help:

accept_ra_from_local - BOOLEAN
Accept RA with source-address that is found on local machine
if the RA is otherwise proper and able to be accepted.
Default is to NOT accept these as it may be an un-intended
network loop.

Functional default:
   enabled if accept_ra_from_local is enabled
   on a specific interface.
   disabled if accept_ra_from_local is disabled
   on a specific interface.

Anyway, this has to be fixed up in a clean way and should work by default.

Thanks for the report,
Hannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: IPv6 route to gateway on fe80::1%eth0 when I have fe80::1%br0 locally

2015-12-22 Thread Marc Haber 
Hi Hannes,

thanks for your mail.

On Tue, Dec 22, 2015 at 04:15:14PM +0100, Hannes Frederic Sowa wrote:
> On 12.12.2015 20:58, Marc Haber wrote:
> > Any hints would be appreciated.
> 
> This sysctl should help:
> 
> accept_ra_from_local - BOOLEAN
> Accept RA with source-address that is found on local machine
> if the RA is otherwise proper and able to be accepted.
> Default is to NOT accept these as it may be an un-intended
> network loop.
> 
> Functional default:
>enabled if accept_ra_from_local is enabled
>on a specific interface.
>disabled if accept_ra_from_local is disabled
>on a specific interface.
> 
> Anyway, this has to be fixed up in a clean way and should work by default.

The clean way would be:

accept_ra_from_local=0: never accept RA with source-address that is
  found on local machine
accept_ra_from_local=1: always accept RA with source-address that is
  found on local machine. Dangerous.
accept_ra_from_local=2: only accept RA with link local source-address
  that is found on local machine, and not if received RA points to an
  address that is locally configured on the same interface. Default.

Shall I file a bug for this in bugzilla?

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: IPv6 route to gateway on fe80::1%eth0 when I have fe80::1%br0 locally

2015-12-22 Thread Hannes Frederic Sowa 
Hi Marc,

On 22.12.2015 22:28, Marc Haber wrote:
> Hi Hannes,
> 
> thanks for your mail.
> 
> On Tue, Dec 22, 2015 at 04:15:14PM +0100, Hannes Frederic Sowa wrote:
>> On 12.12.2015 20:58, Marc Haber wrote:
>>> Any hints would be appreciated.
>>
>> This sysctl should help:
>>
>> accept_ra_from_local - BOOLEAN
>> Accept RA with source-address that is found on local machine
>> if the RA is otherwise proper and able to be accepted.
>> Default is to NOT accept these as it may be an un-intended
>> network loop.
>>
>> Functional default:
>>enabled if accept_ra_from_local is enabled
>>on a specific interface.
>>disabled if accept_ra_from_local is disabled
>>on a specific interface.
>>
>> Anyway, this has to be fixed up in a clean way and should work by default.
> 
> The clean way would be:
> 
> accept_ra_from_local=0: never accept RA with source-address that is
>   found on local machine
> accept_ra_from_local=1: always accept RA with source-address that is
>   found on local machine. Dangerous.
> accept_ra_from_local=2: only accept RA with link local source-address
>   that is found on local machine, and not if received RA points to an
>   address that is locally configured on the same interface. Default.
> 
> Shall I file a bug for this in bugzilla?

Thanks but no need to do that, I already cooked a patch and will submit
tomorrow after some testing. We don't need to enhance the sysctl,
default should be to simply check the interface too if a route with
link-local address is received.

Bye,
Hannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html