fe80::/64 route missing on GRE tunnels

fe80::/64 route missing on GRE tunnels

[Steinar H. Gunderson]

Hi,

It seems that recent kernels no longer automatically add the link-local route
to GRE tunnels. 3.10.27 does it right:

  root@morgental:~# ip tunnel add foo mode gre remote 1.2.3.4 ttl 64
  root@morgental:~# ip link set foo up mtu 1468
  root@morgental:~# ip -6 route show dev foo
  fe80::/64  proto kernel  metric 256 

but on 3.13.1, no such route shows up. I can add it manually, though.

This broke our in-house IPv6 tunnel broker (which essentially uses link-local
addresses over GRE tunnels to bring up BGP sessions). Do you think you could
have a look?

/* Steinar */
-- 
Homepage: http://www.sesse.net/

Re: fe80::/64 route missing on GRE tunnels

[Steinar H. Gunderson]

On Tue, Feb 11, 2014 at 10:55:11PM +0100, Steinar H. Gunderson wrote:
> but on 3.13.1, no such route shows up. I can add it manually, though.

Correction; I can add it manually, but only to one GRE device at a time:

  root@altersex:~$ ip -6 route add fe80::/64 dev k_molvenfinnoy
  root@altersex:~$ ip -6 route add fe80::/64 dev k_sessesveits
  RTNETLINK answers: File exists
  root@altersex:~$ ip -6 route del fe80::/64 dev k_molvenfinnoy
  root@altersex:~$ ip -6 route add fe80::/64 dev k_sessesveits
  root@altersex:~$

/* Steinar */
-- 
ITK-pang
http://www.sesse.net/

Re: fe80::/64 route missing on GRE tunnels

[Hannes Frederic Sowa]

On Tue, Feb 11, 2014 at 10:59:28PM +0100, Steinar H. Gunderson wrote:
> On Tue, Feb 11, 2014 at 10:55:11PM +0100, Steinar H. Gunderson wrote:
> > but on 3.13.1, no such route shows up. I can add it manually, though.
> 
> Correction; I can add it manually, but only to one GRE device at a time:
> 
>   root@altersex:~$ ip -6 route add fe80::/64 dev k_molvenfinnoy
>   root@altersex:~$ ip -6 route add fe80::/64 dev k_sessesveits
>   RTNETLINK answers: File exists
>   root@altersex:~$ ip -6 route del fe80::/64 dev k_molvenfinnoy
>   root@altersex:~$ ip -6 route add fe80::/64 dev k_sessesveits
>   root@altersex:~$

Sorry for the long delay, I was busy with other stuff...

So basically a workaround you can do for the time being is to add the tunnel
with a local address:

ip tunnel add foo mode gre local 4.3.2.1 remote 1.2.3.4 ttl 64

The reason is that link local address generation fails in ipv6/addrconf as
long as dev->dev_addr is zero.

I have not yet found the change which causes this change in behaviour, but
will do so soon.

Bye,

  Hannes

Re: fe80::/64 route missing on GRE tunnels

[Hannes Frederic Sowa]

Hi Nicolas!

On Sat, Feb 15, 2014 at 08:45:59AM +0100, Hannes Frederic Sowa wrote:
> On Tue, Feb 11, 2014 at 10:59:28PM +0100, Steinar H. Gunderson wrote:
> > On Tue, Feb 11, 2014 at 10:55:11PM +0100, Steinar H. Gunderson wrote:
> > > but on 3.13.1, no such route shows up. I can add it manually, though.
> > 
> > Correction; I can add it manually, but only to one GRE device at a time:
> > 
> >   root@altersex:~$ ip -6 route add fe80::/64 dev k_molvenfinnoy
> >   root@altersex:~$ ip -6 route add fe80::/64 dev k_sessesveits
> >   RTNETLINK answers: File exists
> >   root@altersex:~$ ip -6 route del fe80::/64 dev k_molvenfinnoy
> >   root@altersex:~$ ip -6 route add fe80::/64 dev k_sessesveits
> >   root@altersex:~$
> 
> Sorry for the long delay, I was busy with other stuff...
> 
> So basically a workaround you can do for the time being is to add the tunnel
> with a local address:
> 
> ip tunnel add foo mode gre local 4.3.2.1 remote 1.2.3.4 ttl 64
> 
> The reason is that link local address generation fails in ipv6/addrconf as
> long as dev->dev_addr is zero.
> 
> I have not yet found the change which causes this change in behaviour, but
> will do so soon.

f7cb8886335dea ("sit/gre6: don't try to add the same route two times") causes
this problem, because dev->dev_addr will never get initialized and thus
ipv6_generate_eui64 and addrconf_add_linklocal will never get called.

Ok for revert or do you have a better idea?

Greetings,

  Hannes

Re: fe80::/64 route missing on GRE tunnels

[Nicolas Dichtel]

Le 15/02/2014 13:10, Hannes Frederic Sowa a écrit :
> Hi Nicolas!
>
> On Sat, Feb 15, 2014 at 08:45:59AM +0100, Hannes Frederic Sowa wrote:
>> On Tue, Feb 11, 2014 at 10:59:28PM +0100, Steinar H. Gunderson wrote:
>>> On Tue, Feb 11, 2014 at 10:55:11PM +0100, Steinar H. Gunderson wrote:
>>>> but on 3.13.1, no such route shows up. I can add it manually, though.
>>>
>>> Correction; I can add it manually, but only to one GRE device at a time:
>>>
>>>    root@altersex:~$ ip -6 route add fe80::/64 dev k_molvenfinnoy
>>>    root@altersex:~$ ip -6 route add fe80::/64 dev k_sessesveits
>>>    RTNETLINK answers: File exists
>>>    root@altersex:~$ ip -6 route del fe80::/64 dev k_molvenfinnoy
>>>    root@altersex:~$ ip -6 route add fe80::/64 dev k_sessesveits
>>>    root@altersex:~$
>>
>> Sorry for the long delay, I was busy with other stuff...
>>
>> So basically a workaround you can do for the time being is to add the tunnel
>> with a local address:
>>
>> ip tunnel add foo mode gre local 4.3.2.1 remote 1.2.3.4 ttl 64
>>
>> The reason is that link local address generation fails in ipv6/addrconf as
>> long as dev->dev_addr is zero.
>>
>> I have not yet found the change which causes this change in behaviour, but
>> will do so soon.
>
> f7cb8886335dea ("sit/gre6: don't try to add the same route two times") causes
> this problem, because dev->dev_addr will never get initialized and thus
> ipv6_generate_eui64 and addrconf_add_linklocal will never get called.
>
> Ok for revert or do you have a better idea?
I'm not sure to understand the problem. In the case described above, there is no
fe80::/64 route because there is no link local address.
What source address will be used to communicate over this gre interface?

Re: fe80::/64 route missing on GRE tunnels

[Steinar H. Gunderson]

On Mon, Feb 17, 2014 at 10:37:07AM +0100, Nicolas Dichtel wrote:
> I'm not sure to understand the problem. In the case described above, there is no
> fe80::/64 route because there is no link local address.
> What source address will be used to communicate over this gre interface?

It is added (ip -6 addr add fe80::1 dev foo), but it doesn't help without the
/64 being present.

/* Steinar */
-- 
ITK-pang
http://www.sesse.net/

Re: fe80::/64 route missing on GRE tunnels

[Nicolas Dichtel]

Le 17/02/2014 10:45, Steinar H. Gunderson a écrit :
> On Mon, Feb 17, 2014 at 10:37:07AM +0100, Nicolas Dichtel wrote:
>> I'm not sure to understand the problem. In the case described above, there is no
>> fe80::/64 route because there is no link local address.
>> What source address will be used to communicate over this gre interface?
>
> It is added (ip -6 addr add fe80::1 dev foo), but it doesn't help without the
> /64 being present.

With 'ip -6 addr add fe80::1/64 dev foo', the link local route will be added.

Re: fe80::/64 route missing on GRE tunnels

[Steinar H. Gunderson]

On Mon, Feb 17, 2014 at 10:59:38AM +0100, Nicolas Dichtel wrote:
>> It is added (ip -6 addr add fe80::1 dev foo), but it doesn't help without the
>> /64 being present.
> With 'ip -6 addr add fe80::1/64 dev foo', the link local route will be added.

Possible, but you're still breaking userspace. You could argue the tunnel
setup system in question should have added a /64 in the first place, but it
is deployed at a number of locations and changing all of them is not trivial.

/* Steinar */
-- 
ITK-pang
http://www.sesse.net/

Re: fe80::/64 route missing on GRE tunnels

[Nicolas Dichtel]

Le 17/02/2014 11:17, Steinar H. Gunderson a écrit :
> On Mon, Feb 17, 2014 at 10:59:38AM +0100, Nicolas Dichtel wrote:
>>> It is added (ip -6 addr add fe80::1 dev foo), but it doesn't help without the
>>> /64 being present.
>> With 'ip -6 addr add fe80::1/64 dev foo', the link local route will be added.
>
> Possible, but you're still breaking userspace. You could argue the tunnel
> setup system in question should have added a /64 in the first place, but it
> is deployed at a number of locations and changing all of them is not trivial.
I will propose a patch (instead of reverting the original one).

Re: fe80::/64 route missing on GRE tunnels

[Hannes Frederic Sowa]

On Mon, Feb 17, 2014 at 11:34:07AM +0100, Nicolas Dichtel wrote:
> Le 17/02/2014 11:17, Steinar H. Gunderson a écrit :
> >On Mon, Feb 17, 2014 at 10:59:38AM +0100, Nicolas Dichtel wrote:
> >>>It is added (ip -6 addr add fe80::1 dev foo), but it doesn't help 
> >>>without the
> >>>/64 being present.
> >>With 'ip -6 addr add fe80::1/64 dev foo', the link local route will be 
> >>added.
> >
> >Possible, but you're still breaking userspace. You could argue the tunnel
> >setup system in question should have added a /64 in the first place, but it
> >is deployed at a number of locations and changing all of them is not 
> >trivial.
> I will propose a patch (instead of reverting the original one).

Thanks for looking into this, Nicolas. I agree it is not a very nice
situation.

[PATCH net] gre: add link local route when local addr is any

[Nicolas Dichtel]

This bug was reported by Steinar H. Gunderson and was introduced by commit
f7cb8886335d ("sit/gre6: don't try to add the same route two times").

root@morgental:~# ip tunnel add foo mode gre remote 1.2.3.4 ttl 64
root@morgental:~# ip link set foo up mtu 1468
root@morgental:~# ip -6 route show dev foo
fe80::/64  proto kernel  metric 256

but after the above commit, no such route shows up.

There is no link local route because dev->dev_addr is 0 (because local ipv4
address is 0), hence no link local address is configured.

In this scenario, the link local address is added manually: 'ip -6 addr add
fe80::1 dev foo' and because prefix is /128, no link local route is added by the
kernel.

Even if the right things to do is to add the link local address with a /64
prefix, we need to restore the previous behavior to avoid breaking userpace.

Reported-by: Steinar H. Gunderson <sesse@samfundet.no>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 net/ipv6/addrconf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index ad235690684c..fdbfeca36d63 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2783,6 +2783,8 @@ static void addrconf_gre_config(struct net_device *dev)
 	ipv6_addr_set(&addr,  htonl(0xFE800000), 0, 0, 0);
 	if (!ipv6_generate_eui64(addr.s6_addr + 8, dev))
 		addrconf_add_linklocal(idev, &addr);
+	else
+		addrconf_prefix_route(&addr, 64, dev, 0, 0);
 }
 #endif
 
-- 
1.8.5.4

Re: [PATCH net] gre: add link local route when local addr is any

[David Miller]

From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date: Mon, 17 Feb 2014 14:22:21 +0100

> This bug was reported by Steinar H. Gunderson and was introduced by commit
> f7cb8886335d ("sit/gre6: don't try to add the same route two times").
> 
> root@morgental:~# ip tunnel add foo mode gre remote 1.2.3.4 ttl 64
> root@morgental:~# ip link set foo up mtu 1468
> root@morgental:~# ip -6 route show dev foo
> fe80::/64  proto kernel  metric 256
> 
> but after the above commit, no such route shows up.
> 
> There is no link local route because dev->dev_addr is 0 (because local ipv4
> address is 0), hence no link local address is configured.
> 
> In this scenario, the link local address is added manually: 'ip -6 addr add
> fe80::1 dev foo' and because prefix is /128, no link local route is added by the
> kernel.
> 
> Even if the right things to do is to add the link local address with a /64
> prefix, we need to restore the previous behavior to avoid breaking userpace.
> 
> Reported-by: Steinar H. Gunderson <sesse@samfundet.no>
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>

Applied and queued up for -stable, thanks.