[PATCH 1/2 net-next v2] ipv6: use the right ifindex when replying to icmpv6 from localhost
When replying to a ICMPv6 echo request that comes from localhost address the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the skb device ifindex instead. This fixes pinging to a local address from localhost source address.
$ ping6 -I ::1 2001:1:1::2 -c 3 PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes 64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms 64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms 64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms
2001:1:1::2 ping statistics 3 packets transmitted, 3 received, 0% packet loss, time 2032ms rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms
Fixes: 1b70d792cf67 ("ipv6: Use rt6i_idev index for echo replies to a local address") Signed-off-by: Fernando Fernandez Mancera fmancera@suse.de --- v2: no changes --- net/ipv6/icmp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 5d2f90babaa5..5de254043133 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -965,7 +965,9 @@ static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb) fl6.daddr = ipv6_hdr(skb)->saddr; if (saddr) fl6.saddr = *saddr; - fl6.flowi6_oif = icmp6_iif(skb); + fl6.flowi6_oif = ipv6_addr_type(&fl6.daddr) & IPV6_ADDR_LOOPBACK ? + skb->dev->ifindex : + icmp6_iif(skb); fl6.fl6_icmp_type = type; fl6.flowi6_mark = mark; fl6.flowi6_uid = sock_net_uid(net, NULL);
Test ICMPv6 to link local address and local address, also VRF based tests. In addition, this test set could be extended to cover more situations in the future.
ICMPv6 to local addresses TEST: Ping to link local address [OK] TEST: Ping to link local address from ::1 [OK] TEST: Ping to local address [OK] TEST: Ping to local address from ::1 [OK]
ICMPv6 to VRF based local address TEST: Ping to link local address on VRF context [OK] TEST: Ping to link local address from ::1 on VRF context [OK] TEST: Ping to local address on VRF context [OK] TEST: Ping to local address from ::1 on VRF context [OK]
Tests passed: 8 Tests failed: 0
Signed-off-by: Fernando Fernandez Mancera fmancera@suse.de --- v2: shellcheck fixes, added VRF based tests and simplified linklocal address parsing --- tools/testing/selftests/net/Makefile | 1 + tools/testing/selftests/net/ipv6_icmp.sh | 244 +++++++++++++++++++++++ 2 files changed, 245 insertions(+) create mode 100755 tools/testing/selftests/net/ipv6_icmp.sh
diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile index b66ba04f19d9..4d29b47bb084 100644 --- a/tools/testing/selftests/net/Makefile +++ b/tools/testing/selftests/net/Makefile @@ -47,6 +47,7 @@ TEST_PROGS := \ ip_local_port_range.sh \ ipv6_flowlabel.sh \ ipv6_force_forwarding.sh \ + ipv6_icmp.sh \ ipv6_route_update_soft_lockup.sh \ l2_tos_ttl_inherit.sh \ l2tp.sh \ diff --git a/tools/testing/selftests/net/ipv6_icmp.sh b/tools/testing/selftests/net/ipv6_icmp.sh new file mode 100755 index 000000000000..4ac0954e2963 --- /dev/null +++ b/tools/testing/selftests/net/ipv6_icmp.sh @@ -0,0 +1,244 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 + +# This test is for checking IPv6 ICMP behavior in different situations. +source lib.sh +ret=0 +nfail=0 + +# all tests in this script, can be overridden with -t option +TESTS="icmpv6_to_local_address icmpv6_to_vrf_based_local_address" + +VERBOSE=0 +PAUSE_ON_FAIL=no +PAUSE=no + +which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping) + +log_test() +{ + local rc=$1 + local expected=$2 + local msg="$3" + + if [ "${rc}" -eq "${expected}" ]; then + printf " TEST: %-60s [OK]\n" "${msg}" + nsuccess=$((nsuccess+1)) + else + ret=1 + nfail=$((nfail+1)) + printf " TEST: %-60s [FAIL]\n" "${msg}" + if [ "${PAUSE_ON_FAIL}" = "yes" ]; then + echo + echo "hit enter to continue, 'q' to quit" + read -r a + [ "$a" = "q" ] && exit 1 + fi + fi + + if [ "${PAUSE}" = "yes" ]; then + echo + echo "hit enter to continue, 'q' to quit" + read -r a + [ "$a" = "q" ] && exit 1 + fi +} + +setup() +{ + set -e + setup_ns ns1 + IP="$(which ip) -netns $ns1" + NS_EXEC="$(which ip) netns exec $ns1" + + $IP link add dummy0 type dummy + $IP link set dev dummy0 up + $IP -6 address add 2001:db8:1::1/64 dev dummy0 nodad + set +e +} + +cleanup() +{ + $IP link del dev dummy0 &> /dev/null + cleanup_ns "$ns1" +} + +get_linklocal() +{ + local dev=$1 + local addr + + addr=$($IP -j -6 addr show dev "${dev}" scope link | jq -r '.[].addr_info[1].local') + + [ -z "$addr" ] && return 1 + + echo "$addr" + + return 0 +} + +run_cmd() +{ + local cmd="$1" + local out + local stderr="2>/dev/null" + + if [ "$VERBOSE" = "1" ]; then + printf " COMMAND: %s\n" "$cmd" + stderr= + fi + + out=$(eval "$cmd" $stderr) + rc=$? + if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then + echo " $out" + fi + + [ "$VERBOSE" = "1" ] && echo + + return $rc +} + +icmpv6_to_local_address() +{ + local rc + local lldummy + + echo + echo "ICMPv6 to local addresses" + + setup + + lldummy=$(get_linklocal dummy0) + + if [ -z "$lldummy" ]; then + echo "Failed to get link local address for dummy0" + return 1 + fi + + # ping6 to link local address + run_cmd "$NS_EXEC ${ping6} -c 3 $lldummy%dummy0" + log_test $? 0 "Ping to link local address" + + # ping6 to link local address from localhost (::1) + run_cmd "$NS_EXEC ${ping6} -c 3 -I ::1 $lldummy%dummy0" + log_test $? 0 "Ping to link local address from ::1" + + # ping6 to local address + run_cmd "$NS_EXEC ${ping6} -c 3 2001:db8:1::1" + log_test $? 0 "Ping to local address" + + # ping6 to local address from localhost (::1) + run_cmd "$NS_EXEC ${ping6} -c 3 -I ::1 2001:db8:1::1" + log_test $? 0 "Ping to local address from ::1" +} + +icmpv6_to_vrf_based_local_address() +{ + local rc + local lldummy + + echo + echo "ICMPv6 to VRF based local address" + + setup + + lldummy=$(get_linklocal dummy0) + + if [ -z "$lldummy" ]; then + echo "Failed to get link local address for dummy0" + return 1 + fi + + run_cmd "$NS_EXEC sysctl -w net.ipv6.conf.all.keep_addr_on_down=1" + + # create VRF and setup + run_cmd "$IP link add vrf0 type vrf table 10" + run_cmd "$IP link set vrf0 up" + run_cmd "$IP link set dummy0 master vrf0" + + # route to reach 2001:db8::1/128 on VRF device and back to ::1 + run_cmd "$IP -6 route add 2001:db8:1::1/64 dev vrf0" + run_cmd "$IP -6 route add ::1/128 dev vrf0 table 10" + + # ping6 to link local address + run_cmd "$NS_EXEC ${ping6} -c 3 $lldummy%dummy0" + log_test $? 0 "Ping to link local address on VRF context" + + # ping6 to link local address from localhost (::1) + run_cmd "$NS_EXEC ${ping6} -c 3 -I ::1 $lldummy%dummy0" + log_test $? 0 "Ping to link local address from ::1 on VRF context" + + # ping6 to local address + run_cmd "$NS_EXEC ${ping6} -c 3 2001:db8:1::1" + log_test $? 0 "Ping to local address on VRF context" + + # ping6 to local address from localhost (::1) + run_cmd "$NS_EXEC ${ping6} -c 3 -I ::1 2001:db8:1::1" + log_test $? 0 "Ping to local address from ::1 on VRF context" +} + +################################################################################ +# usage + +usage() +{ + cat <<EOF +usage: ${0##*/} OPTS + + -t <test> Test(s) to run (default: all) + (options: $TESTS) + -p Pause on fail + -P Pause after each test before cleanup + -v Verbose mode (show commands and output) +EOF +} + +################################################################################ +# main + +trap cleanup EXIT + +while getopts :t:pPhv o +do + case $o in + t) TESTS=$OPTARG;; + p) PAUSE_ON_FAIL=yes;; + P) PAUSE=yes;; + v) VERBOSE=$((VERBOSE + 1));; + h) usage; exit 0;; + *) usage; exit 1;; + esac +done + +[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no + +if [ "$(id -u)" -ne 0 ];then + echo "SKIP: Need root privileges" + exit "$ksft_skip" +fi + +if [ ! -x "$(command -v ip)" ]; then + echo "SKIP: Could not run test without ip tool" + exit "$ksft_skip" +fi + +# start clean +cleanup &> /dev/null + +for t in $TESTS +do + case $t in + icmpv6_to_local_address) icmpv6_to_local_address;; + icmpv6_to_vrf_based_local_address) icmpv6_to_vrf_based_local_address;; + + help) echo "Test names: $TESTS"; exit 0;; + esac +done + +if [ "$TESTS" != "none" ]; then + printf "\nTests passed: %3d\n" "${nsuccess}" + printf "Tests failed: %3d\n" "${nfail}" +fi + +exit $ret
On 1/7/26 8:38 AM, Fernando Fernandez Mancera wrote:
+icmpv6_to_vrf_based_local_address() +{
- local rc
- local lldummy
- echo
- echo "ICMPv6 to VRF based local address"
- setup
- lldummy=$(get_linklocal dummy0)
- if [ -z "$lldummy" ]; then
echo "Failed to get link local address for dummy0"return 1- fi
- run_cmd "$NS_EXEC sysctl -w net.ipv6.conf.all.keep_addr_on_down=1"
- # create VRF and setup
- run_cmd "$IP link add vrf0 type vrf table 10"
- run_cmd "$IP link set vrf0 up"
- run_cmd "$IP link set dummy0 master vrf0"
run_cmd "$IP -6 addr add ::1 dev vrf0 nodad"
makes the VRF device the loopback.
- # route to reach 2001:db8::1/128 on VRF device and back to ::1
- run_cmd "$IP -6 route add 2001:db8:1::1/64 dev vrf0"
- run_cmd "$IP -6 route add ::1/128 dev vrf0 table 10"
and then this route add should not be needed. This is how fcnal-test.sh works.
- # ping6 to link local address
- run_cmd "$NS_EXEC ${ping6} -c 3 $lldummy%dummy0"
- log_test $? 0 "Ping to link local address on VRF context"
- # ping6 to link local address from localhost (::1)
- run_cmd "$NS_EXEC ${ping6} -c 3 -I ::1 $lldummy%dummy0"
-I vrf0 should be needed for all VRF tests. I suspect your current passing tests are because you have a single setup step and then run non-VRF test followed by VRF test. Really you need to do the setup, run_test, cleanup for each test.
- log_test $? 0 "Ping to link local address from ::1 on VRF context"
- # ping6 to local address
- run_cmd "$NS_EXEC ${ping6} -c 3 2001:db8:1::1"
- log_test $? 0 "Ping to local address on VRF context"
- # ping6 to local address from localhost (::1)
- run_cmd "$NS_EXEC ${ping6} -c 3 -I ::1 2001:db8:1::1"
- log_test $? 0 "Ping to local address from ::1 on VRF context"
+}
On 1/7/26 5:41 PM, David Ahern wrote:
On 1/7/26 8:38 AM, Fernando Fernandez Mancera wrote:
+icmpv6_to_vrf_based_local_address() +{
- local rc
- local lldummy
- echo
- echo "ICMPv6 to VRF based local address"
- setup
- lldummy=$(get_linklocal dummy0)
- if [ -z "$lldummy" ]; then
echo "Failed to get link local address for dummy0"return 1- fi
- run_cmd "$NS_EXEC sysctl -w net.ipv6.conf.all.keep_addr_on_down=1"
- # create VRF and setup
- run_cmd "$IP link add vrf0 type vrf table 10"
- run_cmd "$IP link set vrf0 up"
- run_cmd "$IP link set dummy0 master vrf0"
run_cmd "$IP -6 addr add ::1 dev vrf0 nodad"
makes the VRF device the loopback.
- # route to reach 2001:db8::1/128 on VRF device and back to ::1
- run_cmd "$IP -6 route add 2001:db8:1::1/64 dev vrf0"
- run_cmd "$IP -6 route add ::1/128 dev vrf0 table 10"
and then this route add should not be needed. This is how fcnal-test.sh works.
Oh neat! Thanks.
- # ping6 to link local address
- run_cmd "$NS_EXEC ${ping6} -c 3 $lldummy%dummy0"
- log_test $? 0 "Ping to link local address on VRF context"
- # ping6 to link local address from localhost (::1)
- run_cmd "$NS_EXEC ${ping6} -c 3 -I ::1 $lldummy%dummy0"
-I vrf0 should be needed for all VRF tests. I suspect your current passing tests are because you have a single setup step and then run non-VRF test followed by VRF test. Really you need to do the setup, run_test, cleanup for each test.
You are right here about the cleanup, although the tests are passing even if the cleanup is properly done or if `-t icmpv6_to_vrf_based_local_address`. I don't see why they should not pass.
I am changing them to use `-I vrf0` because it makes more sense.
Thanks for the feedback! Fernando.
- log_test $? 0 "Ping to link local address from ::1 on VRF context"
- # ping6 to local address
- run_cmd "$NS_EXEC ${ping6} -c 3 2001:db8:1::1"
- log_test $? 0 "Ping to local address on VRF context"
- # ping6 to local address from localhost (::1)
- run_cmd "$NS_EXEC ${ping6} -c 3 -I ::1 2001:db8:1::1"
- log_test $? 0 "Ping to local address from ::1 on VRF context"
+}
On 1/8/26 4:24 AM, Fernando Fernandez Mancera wrote:
On 1/7/26 5:41 PM, David Ahern wrote:
On 1/7/26 8:38 AM, Fernando Fernandez Mancera wrote:
+icmpv6_to_vrf_based_local_address() +{ + local rc + local lldummy
+ echo + echo "ICMPv6 to VRF based local address"
+ setup
+ lldummy=$(get_linklocal dummy0)
+ if [ -z "$lldummy" ]; then + echo "Failed to get link local address for dummy0" + return 1 + fi
+ run_cmd "$NS_EXEC sysctl -w net.ipv6.conf.all.keep_addr_on_down=1"
+ # create VRF and setup + run_cmd "$IP link add vrf0 type vrf table 10" + run_cmd "$IP link set vrf0 up" + run_cmd "$IP link set dummy0 master vrf0"
run_cmd "$IP -6 addr add ::1 dev vrf0 nodad"
makes the VRF device the loopback.
+ # route to reach 2001:db8::1/128 on VRF device and back to ::1 + run_cmd "$IP -6 route add 2001:db8:1::1/64 dev vrf0" + run_cmd "$IP -6 route add ::1/128 dev vrf0 table 10"
and then this route add should not be needed. This is how fcnal-test.sh works.
Oh neat! Thanks.
+ # ping6 to link local address + run_cmd "$NS_EXEC ${ping6} -c 3 $lldummy%dummy0" + log_test $? 0 "Ping to link local address on VRF context"
+ # ping6 to link local address from localhost (::1) + run_cmd "$NS_EXEC ${ping6} -c 3 -I ::1 $lldummy%dummy0"
-I vrf0 should be needed for all VRF tests. I suspect your current passing tests are because you have a single setup step and then run non-VRF test followed by VRF test. Really you need to do the setup, run_test, cleanup for each test.
You are right here about the cleanup, although the tests are passing even if the cleanup is properly done or if `-t icmpv6_to_vrf_based_local_address`. I don't see why they should not pass.
Without ::1 on the vrf device there is no valid address. ie., ::1 is in the default vrf and dummy0 is in the VRF so it should not be allowed. Something is off.
I am changing them to use `-I vrf0` because it makes more sense.
I should have asked yesterday: how do these tests differ from what is done in fcnal-test.sh - ipv4_ping and ipv6_ping? Those tests cover loopback, linklocal address and global address combined with vrf and no vrf.
Hi Fernando,
On 1/7/26 10:38 AM, Fernando Fernandez Mancera wrote:
When replying to a ICMPv6 echo request that comes from localhost address the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the skb device ifindex instead. This fixes pinging to a local address from localhost source address.
$ ping6 -I ::1 2001:1:1::2 -c 3 PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes 64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms 64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms 64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms
2001:1:1::2 ping statistics 3 packets transmitted, 3 received, 0% packet loss, time 2032ms rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms
Fixes: 1b70d792cf67 ("ipv6: Use rt6i_idev index for echo replies to a local address") Signed-off-by: Fernando Fernandez Mancera fmancera@suse.de
v2: no changes
net/ipv6/icmp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 5d2f90babaa5..5de254043133 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -965,7 +965,9 @@ static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb) fl6.daddr = ipv6_hdr(skb)->saddr; if (saddr) fl6.saddr = *saddr;
- fl6.flowi6_oif = icmp6_iif(skb);
- fl6.flowi6_oif = ipv6_addr_type(&fl6.daddr) & IPV6_ADDR_LOOPBACK ?
skb->dev->ifindex :icmp6_iif(skb);
Using ipv6_addr_loopback(&fl6.daddr) might be more efficient as it does a direct comparison of the address.
-Brian
On 1/7/26 6:05 PM, Brian Haley wrote:
Hi Fernando,
On 1/7/26 10:38 AM, Fernando Fernandez Mancera wrote:
When replying to a ICMPv6 echo request that comes from localhost address the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the skb device ifindex instead. This fixes pinging to a local address from localhost source address.
$ ping6 -I ::1 2001:1:1::2 -c 3 PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes 64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms 64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms 64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms
2001:1:1::2 ping statistics 3 packets transmitted, 3 received, 0% packet loss, time 2032ms rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms
Fixes: 1b70d792cf67 ("ipv6: Use rt6i_idev index for echo replies to a local address") Signed-off-by: Fernando Fernandez Mancera fmancera@suse.de
v2: no changes
net/ipv6/icmp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 5d2f90babaa5..5de254043133 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -965,7 +965,9 @@ static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb) fl6.daddr = ipv6_hdr(skb)->saddr; if (saddr) fl6.saddr = *saddr; - fl6.flowi6_oif = icmp6_iif(skb); + fl6.flowi6_oif = ipv6_addr_type(&fl6.daddr) & IPV6_ADDR_LOOPBACK ? + skb->dev->ifindex : + icmp6_iif(skb); fl6.fl6_icmp_type = type; fl6.flowi6_mark = mark; fl6.flowi6_uid = sock_net_uid(net, NULL);
Using ipv6_addr_loopback(&fl6.daddr) might be more efficient as it does a direct comparison of the address.
Yes, I think you are right.
Thanks! Fernando.
-Brian
linux-kselftest-mirror@lists.linaro.org
-
Brian Haley -
David Ahern -
Fernando Fernandez Mancera