[PATCH 2/3] tcp, udp, conf: Don't silently ignore listens on unsupported IP versions

older
[PATCH] treewide: Fix places where...

David Gibson

5 Jan 2026 5 Jan '26

9:28 a.m.

Currently, it's possible to explicitly ask for forwarding from an IPv4 address, while disabling IPv4: $ pasta -t 192.0.2.1/12345 -6 or vice versa: $ pasta -t 2001:db8::1/12345 -4 Currently, the impossible to implement forwarding option will be silently ignored. That's potentially confusing since in a complex setup, it might not be obvious why the requested forward isn't taking effect. Specifically, it's ignored at a fairly low level: tcp_listen() and udp_listen() ignore it and return 0. Those run kind of late to give a good error message. Change the low-level functions to return -EACCES (chosen because that's what the kernel will return if you request IPv6 when it's disabled by sysctl). Most callers of {tcp,udp}_listen() ignore the return code, so this is a no-op for them. In the remaining caller, conf_ports_range_except() check for the case explicitly, and provide a meaningful error message. Of itself, this bug is insignificant, but this is a roadblock to having {tcp,udp}_listen() return socket fds, which in turn is a roadblock to my flexible forwarding work. So, might as well fix it. Link: https://bugs.passt.top/show_bug.cgi?id=186 Signed-off-by: David Gibson --- conf.c | 10 ++++++++++ tcp.c | 6 ++---- udp.c | 6 ++---- 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/conf.c b/conf.c index 70ea168c..cc3c20a9 100644 --- a/conf.c +++ b/conf.c @@ -162,6 +162,16 @@ static void conf_ports_range_except(const struct ctx *c, char optname, optname, optarg); } + if (addr) { + if (!c->ifi4 && inany_v4(addr)) { + die("IPv4 is disabled, can't use -%c %s", + optname, optarg); + } else if (!c->ifi6 && !inany_v4(addr)) { + die("IPv6 is disabled, can't use -%c %s", + optname, optarg); + } + } + for (i = first; i <= last; i++) { if (bitmap_isset(exclude, i)) continue; diff --git a/tcp.c b/tcp.c index e7fa85f3..67007c05 100644 --- a/tcp.c +++ b/tcp.c @@ -2700,16 +2700,14 @@ int tcp_listen(const struct ctx *c, uint8_t pif, /* Restrict to v6 only */ addr = &inany_any6; else if (inany_v4(addr)) - /* Nothing to do */ - return 0; + return -EACCES; } if (!c->ifi6) { if (!addr) /* Restrict to v4 only */ addr = &inany_any4; else if (!inany_v4(addr)) - /* Nothing to do */ - return 0; + return -EACCES; } if (pif == PIF_HOST) { diff --git a/udp.c b/udp.c index eda55c39..8cfa1e1f 100644 --- a/udp.c +++ b/udp.c @@ -1162,16 +1162,14 @@ int udp_listen(const struct ctx *c, uint8_t pif, /* Restrict to v6 only */ addr = &inany_any6; else if (inany_v4(addr)) - /* Nothing to do */ - return 0; + return -EACCES; } if (!c->ifi6) { if (!addr) /* Restrict to v4 only */ addr = &inany_any4; else if (!inany_v4(addr)) - /* Nothing to do */ - return 0; + return -EACCES; } s = pif_sock_l4(c, EPOLL_TYPE_UDP_LISTEN, pif, -- 2.52.0

Show replies by date

Stefano Brivio

11 Jan 11 Jan

12:33 a.m.

On Mon, 5 Jan 2026 19:28:49 +1100 David Gibson wrote:

...

Currently, it's possible to explicitly ask for forwarding from an IPv4 address, while disabling IPv4: $ pasta -t 192.0.2.1/12345 -6 or vice versa: $ pasta -t 2001:db8::1/12345 -4

Currently, the impossible to implement forwarding option will be silently ignored. That's potentially confusing since in a complex setup, it might not be obvious why the requested forward isn't taking effect.

Specifically, it's ignored at a fairly low level: tcp_listen() and udp_listen() ignore it and return 0. Those run kind of late to give a good error message. Change the low-level functions to return -EACCES (chosen because that's what the kernel will return if you request IPv6 when it's disabled by sysctl).

I couldn't quite find out in which case EACCES is returned by the kernel. If I set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and then bind() an IPv6 address, after setting IPV6_FREEBIND, I get 0. If I disable IPv6 via command line (ipv6.disable=1) I get EAFNOSUPPORT on bind(), and EOPNOTSUPP on setting addresses and routes. EACCES, I couldn't quite spot it yet.

...

Most callers of {tcp,udp}_listen() ignore the return code, so this is a no-op for them. In the remaining caller, conf_ports_range_except() check for the case explicitly, and provide a meaningful error message.

Of itself, this bug is insignificant, but this is a roadblock to having {tcp,udp}_listen() return socket fds, which in turn is a roadblock to my flexible forwarding work. So, might as well fix it.

Link: https://bugs.passt.top/show_bug.cgi?id=186

Signed-off-by: David Gibson --- conf.c | 10 ++++++++++ tcp.c | 6 ++---- udp.c | 6 ++---- 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/conf.c b/conf.c index 70ea168c..cc3c20a9 100644 --- a/conf.c +++ b/conf.c @@ -162,6 +162,16 @@ static void conf_ports_range_except(const struct ctx *c, char optname, optname, optarg); }

+ if (addr) { + if (!c->ifi4 && inany_v4(addr)) { + die("IPv4 is disabled, can't use -%c %s", + optname, optarg); + } else if (!c->ifi6 && !inany_v4(addr)) { + die("IPv6 is disabled, can't use -%c %s", + optname, optarg); + } + } + for (i = first; i <= last; i++) { if (bitmap_isset(exclude, i)) continue; diff --git a/tcp.c b/tcp.c index e7fa85f3..67007c05 100644 --- a/tcp.c +++ b/tcp.c @@ -2700,16 +2700,14 @@ int tcp_listen(const struct ctx *c, uint8_t pif, /* Restrict to v6 only */ addr = &inany_any6; else if (inany_v4(addr)) - /* Nothing to do */ - return 0; + return -EACCES; } if (!c->ifi6) { if (!addr) /* Restrict to v4 only */ addr = &inany_any4; else if (!inany_v4(addr)) - /* Nothing to do */ - return 0; + return -EACCES; }

if (pif == PIF_HOST) { diff --git a/udp.c b/udp.c index eda55c39..8cfa1e1f 100644 --- a/udp.c +++ b/udp.c @@ -1162,16 +1162,14 @@ int udp_listen(const struct ctx *c, uint8_t pif, /* Restrict to v6 only */ addr = &inany_any6; else if (inany_v4(addr)) - /* Nothing to do */ - return 0; + return -EACCES; } if (!c->ifi6) { if (!addr) /* Restrict to v4 only */ addr = &inany_any4; else if (!inany_v4(addr)) - /* Nothing to do */ - return 0; + return -EACCES; }

s = pif_sock_l4(c, EPOLL_TYPE_UDP_LISTEN, pif,

The rest looks good to me. -- Stefano

David Gibson

12 Jan 12 Jan

4:48 a.m.

On Sun, Jan 11, 2026 at 12:33:28AM +0100, Stefano Brivio wrote:

...

On Mon, 5 Jan 2026 19:28:49 +1100 David Gibson wrote:

...
Currently, it's possible to explicitly ask for forwarding from an IPv4 address, while disabling IPv4: $ pasta -t 192.0.2.1/12345 -6 or vice versa: $ pasta -t 2001:db8::1/12345 -4

Currently, the impossible to implement forwarding option will be silently ignored. That's potentially confusing since in a complex setup, it might not be obvious why the requested forward isn't taking effect.

Specifically, it's ignored at a fairly low level: tcp_listen() and udp_listen() ignore it and return 0. Those run kind of late to give a good error message. Change the low-level functions to return -EACCES (chosen because that's what the kernel will return if you request IPv6 when it's disabled by sysctl).

I couldn't quite find out in which case EACCES is returned by the kernel. If I set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and then bind() an IPv6 address, after setting IPV6_FREEBIND, I get 0.

Huh. EAFNOSUPPORT seems like it makes more sense, but oddly didn't spot it. I was looking at: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/... https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/... https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/... Happy enough to change it to EAFNOSUPPORT if you'd prefer.

...

If I disable IPv6 via command line (ipv6.disable=1) I get EAFNOSUPPORT on bind(), and EOPNOTSUPP on setting addresses and routes. EACCES, I couldn't quite spot it yet.

Huh. Kind of weird it only fails on bind(), not on socket().

...

...
Most callers of {tcp,udp}_listen() ignore the return code, so this is a no-op for them. In the remaining caller, conf_ports_range_except() check for the case explicitly, and provide a meaningful error message.

Of itself, this bug is insignificant, but this is a roadblock to having {tcp,udp}_listen() return socket fds, which in turn is a roadblock to my flexible forwarding work. So, might as well fix it.

Link: https://bugs.passt.top/show_bug.cgi?id=186

Signed-off-by: David Gibson --- conf.c | 10 ++++++++++ tcp.c | 6 ++---- udp.c | 6 ++---- 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/conf.c b/conf.c index 70ea168c..cc3c20a9 100644 --- a/conf.c +++ b/conf.c @@ -162,6 +162,16 @@ static void conf_ports_range_except(const struct ctx *c, char optname, optname, optarg); }

+ if (addr) { + if (!c->ifi4 && inany_v4(addr)) { + die("IPv4 is disabled, can't use -%c %s", + optname, optarg); + } else if (!c->ifi6 && !inany_v4(addr)) { + die("IPv6 is disabled, can't use -%c %s", + optname, optarg); + } + } + for (i = first; i <= last; i++) { if (bitmap_isset(exclude, i)) continue; diff --git a/tcp.c b/tcp.c index e7fa85f3..67007c05 100644 --- a/tcp.c +++ b/tcp.c @@ -2700,16 +2700,14 @@ int tcp_listen(const struct ctx *c, uint8_t pif, /* Restrict to v6 only */ addr = &inany_any6; else if (inany_v4(addr)) - /* Nothing to do */ - return 0; + return -EACCES; } if (!c->ifi6) { if (!addr) /* Restrict to v4 only */ addr = &inany_any4; else if (!inany_v4(addr)) - /* Nothing to do */ - return 0; + return -EACCES; }

if (pif == PIF_HOST) { diff --git a/udp.c b/udp.c index eda55c39..8cfa1e1f 100644 --- a/udp.c +++ b/udp.c @@ -1162,16 +1162,14 @@ int udp_listen(const struct ctx *c, uint8_t pif, /* Restrict to v6 only */ addr = &inany_any6; else if (inany_v4(addr)) - /* Nothing to do */ - return 0; + return -EACCES; } if (!c->ifi6) { if (!addr) /* Restrict to v4 only */ addr = &inany_any4; else if (!inany_v4(addr)) - /* Nothing to do */ - return 0; + return -EACCES; }

s = pif_sock_l4(c, EPOLL_TYPE_UDP_LISTEN, pif,

The rest looks good to me.

-- Stefano

-- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson

Stefano Brivio

13 Jan 13 Jan

1:12 a.m.

On Mon, 12 Jan 2026 14:48:54 +1100 David Gibson wrote:

...

On Sun, Jan 11, 2026 at 12:33:28AM +0100, Stefano Brivio wrote:

...
On Mon, 5 Jan 2026 19:28:49 +1100 David Gibson wrote:

...
Currently, it's possible to explicitly ask for forwarding from an IPv4 address, while disabling IPv4: $ pasta -t 192.0.2.1/12345 -6 or vice versa: $ pasta -t 2001:db8::1/12345 -4

Currently, the impossible to implement forwarding option will be silently ignored. That's potentially confusing since in a complex setup, it might not be obvious why the requested forward isn't taking effect.

Specifically, it's ignored at a fairly low level: tcp_listen() and udp_listen() ignore it and return 0. Those run kind of late to give a good error message. Change the low-level functions to return -EACCES (chosen because that's what the kernel will return if you request IPv6 when it's disabled by sysctl).

I couldn't quite find out in which case EACCES is returned by the kernel. If I set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and then bind() an IPv6 address, after setting IPV6_FREEBIND, I get 0.

Huh. EAFNOSUPPORT seems like it makes more sense, but oddly didn't spot it. I was looking at:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/... https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/... https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/...

Weird, I guess it eventually gets translated to EOPNOTSUPP later (perhaps in netlink code), because: # strace ip addr add db8::1 dev ens3 [...] recvmsg(3, {msg_name={sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, msg_namelen=12, msg_iov=[{iov_base=[{nlmsg_len=84, nlmsg_type=NLMSG_ERROR, nlmsg_flags=0, nlmsg_seq=1768262003, nlmsg_pid=1598}, {error=-EOPNOTSUPP, msg=[{nlmsg_len=64, nlmsg_type=RTM_NEWADDR, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=1768262003, nlmsg_pid=0}, {ifa_family=AF_INET6, ifa_prefixlen=128, ifa_flags=0, ifa_scope=RT_SCOPE_UNIVERSE, ifa_index=if_nametoindex("ens3")}, [[{nla_len=20, nla_type=IFA_LOCAL}, inet_pton(AF_INET6, "db8::1")], [{nla_len=20, nla_type=IFA_ADDRESS}, inet_pton(AF_INET6, "db8::1")]]]}], iov_len=32768}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 84 write(2, "RTNETLINK answers: Operation not"..., 43RTNETLINK answers: Operation not supported it's EOPNOTSUPP in the NLMSG_ERROR message.

...

Happy enough to change it to EAFNOSUPPORT if you'd prefer.

I think it would make a lot more sense, EACCES would confuse pretty much anybody (and I can't get the kernel to return that over netlink anyway).

...

...
If I disable IPv6 via command line (ipv6.disable=1) I get EAFNOSUPPORT on bind(), and EOPNOTSUPP on setting addresses and routes. EACCES, I couldn't quite spot it yet.

Huh. Kind of weird it only fails on bind(), not on socket().

Oops, I was fooled by the error message we print in that case. It actually fails on socket(): socket(AF_INET6, SOCK_STREAM|SOCK_NONBLOCK, IPPROTO_TCP) = -1 EAFNOSUPPORT (Address family not supported by protocol) but we print: L4 socket: Address family not supported by protocol Failed to bind port 2548 (Address family not supported by protocol) for option '-t 2b8::1/2548' which makes sense because that's what we're doing with that port (just not with that socket). -- Stefano

David Gibson

4:05 a.m.

On Tue, Jan 13, 2026 at 01:12:06AM +0100, Stefano Brivio wrote:

...

On Mon, 12 Jan 2026 14:48:54 +1100 David Gibson wrote:

...
On Sun, Jan 11, 2026 at 12:33:28AM +0100, Stefano Brivio wrote:

...
On Mon, 5 Jan 2026 19:28:49 +1100 David Gibson wrote:

...
Currently, it's possible to explicitly ask for forwarding from an IPv4 address, while disabling IPv4: $ pasta -t 192.0.2.1/12345 -6 or vice versa: $ pasta -t 2001:db8::1/12345 -4

Currently, the impossible to implement forwarding option will be silently ignored. That's potentially confusing since in a complex setup, it might not be obvious why the requested forward isn't taking effect.

Specifically, it's ignored at a fairly low level: tcp_listen() and udp_listen() ignore it and return 0. Those run kind of late to give a good error message. Change the low-level functions to return -EACCES (chosen because that's what the kernel will return if you request IPv6 when it's disabled by sysctl).

I couldn't quite find out in which case EACCES is returned by the kernel. If I set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and then bind() an IPv6 address, after setting IPV6_FREEBIND, I get 0.

Huh. EAFNOSUPPORT seems like it makes more sense, but oddly didn't spot it. I was looking at:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/... https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/... https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/...

Weird, I guess it eventually gets translated to EOPNOTSUPP later (perhaps in netlink code), because:

Yeah, I guess it must.

...

# strace ip addr add db8::1 dev ens3

[...]

recvmsg(3, {msg_name={sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, msg_namelen=12, msg_iov=[{iov_base=[{nlmsg_len=84, nlmsg_type=NLMSG_ERROR, nlmsg_flags=0, nlmsg_seq=1768262003, nlmsg_pid=1598}, {error=-EOPNOTSUPP, msg=[{nlmsg_len=64, nlmsg_type=RTM_NEWADDR, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=1768262003, nlmsg_pid=0}, {ifa_family=AF_INET6, ifa_prefixlen=128, ifa_flags=0, ifa_scope=RT_SCOPE_UNIVERSE, ifa_index=if_nametoindex("ens3")}, [[{nla_len=20, nla_type=IFA_LOCAL}, inet_pton(AF_INET6, "db8::1")], [{nla_len=20, nla_type=IFA_ADDRESS}, inet_pton(AF_INET6, "db8::1")]]]}], iov_len=32768}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 84 write(2, "RTNETLINK answers: Operation not"..., 43RTNETLINK answers: Operation not supported

it's EOPNOTSUPP in the NLMSG_ERROR message.

Heh, that's a third option.

...

...
Happy enough to change it to EAFNOSUPPORT if you'd prefer.

I think it would make a lot more sense, EACCES would confuse pretty much anybody (and I can't get the kernel to return that over netlink anyway).

Ok, done.

...

...
...
If I disable IPv6 via command line (ipv6.disable=1) I get EAFNOSUPPORT on bind(), and EOPNOTSUPP on setting addresses and routes. EACCES, I couldn't quite spot it yet.

Huh. Kind of weird it only fails on bind(), not on socket().

Oops, I was fooled by the error message we print in that case. It actually fails on socket():

socket(AF_INET6, SOCK_STREAM|SOCK_NONBLOCK, IPPROTO_TCP) = -1 EAFNOSUPPORT (Address family not supported by protocol)

but we print:

L4 socket: Address family not supported by protocol Failed to bind port 2548 (Address family not supported by protocol) for option '-t 2b8::1/2548'

which makes sense because that's what we're doing with that port (just not with that socket).

Ah, ok, that makes sense. -- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson

Age (days ago)

Last active (days ago)

List overview

Download

4 comments

2 participants

participants (2)

David Gibson
Stefano Brivio