From: Cong Wang <xiyou.wangcong@gmail.com>
To: David Ahern <dsahern@gmail.com>
Cc: Roopa Prabhu <roopa@cumulusnetworks.com>,
Hangbin Liu <liuhangbin@gmail.com>,
network dev <netdev@vger.kernel.org>
Subject: Re: [PATCH net] ipv6: no need to return rt->dst.error if it is not null entry.
Date: Mon, 31 Jul 2017 11:37:44 -0700 [thread overview]
Message-ID: <CAM_iQpVobEXqE-CWVpQU4b8jnOrzq9EEfszj+SnyqX-RZ+B6Bw@mail.gmail.com> (raw)
In-Reply-To: <ea0c0319-1b74-da8f-e307-2bf02e674119@gmail.com>
On Fri, Jul 28, 2017 at 10:39 AM, David Ahern <dsahern@gmail.com> wrote:
> On 7/28/17 11:13 AM, Roopa Prabhu wrote:
>> for fibmatch, my original intent was to return with an error code.
>> This is similar
>> to the ipv4 behavior. One option is to keep the check in there and put
>> the 'fibmatch'
>> condition around it. But, i do want to make sure that for the fibmatch case,
>> it does not return an error directly on an existing prohibit route
>> entry in the fib.
>> This is probably doable by checking for appropriate
>> net->ipv6.ip6_prohibit_entry entries.
>>
>
> IPv4 does not have the notion of null_entry or prohibit route entries
> which makes IPv4 and IPv6 inconsistent - something we really need to be
> avoiding from a user experience.
>
> We have the following cases:
>
> # ip -4 rule add to 172.16.60.0/24 prohibit
> # ip -4 route add prohibit 172.16.50.0/24
> # ip -6 rule add to 6000::/120 prohibit
> # ip -6 route add prohibit 5000::/120
>
>
> Behavior before Roopa's patch set:
> Rule match:
> # ip ro get 172.16.60.1
> RTNETLINK answers: Permission denied
>
> # ip -6 ro get 6000::1
> prohibit 6000::1 from :: dev lo proto kernel src 2001:db8::3 metric
> 4294967295 error -13 pref medium
>
> Route match:
> # ip ro get 172.16.50.1
> RTNETLINK answers: Permission denied
>
> # ip -6 ro get 5000::1
> prohibit 5000::1 from :: dev lo table red src 2001:db8::3 metric
> 1024 error -13 pref medium
>
>
> Behavior after Roopa's patch set:
> Rule match:
> # ip ro get 172.16.60.1
> RTNETLINK answers: Permission denied
>
> # ip -6 ro get 6000::1
> RTNETLINK answers: Permission denied
>
> Route match:
> # ip ro get 172.16.50.1
> RTNETLINK answers: Permission denied
>
> # ip -6 ro get 5000::1
> RTNETLINK answers: Permission denied
>
There must be a reason why we allocate prohibit entries
dynamically for IPv6 despite we already have a (relatively)
static one.
>From this point of view, we need to dump them, that is,
restore the behavior before Roopa's patch.
>
> So Roopa's fibmatch patches brings consistency between IPv4 and IPv6 at
> the cost of breaking backwards compatibility for IPv6 when the prohibit
> or blackhole routes are hit.
>
There are already many differences between IPv4 and
IPv6 behaviors, I don't see why this one is so special
that we have to make it consistent.
next prev parent reply other threads:[~2017-07-31 18:38 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-20 14:51 [PATCH net] ipv6: no need to return rt->dst.error if it is not null entry Hangbin Liu
2017-07-20 15:06 ` Hangbin Liu
2017-07-20 15:23 ` Hangbin Liu
2017-07-21 15:53 ` David Ahern
2017-07-21 18:42 ` Cong Wang
2017-07-21 21:53 ` Roopa Prabhu
2017-07-23 4:54 ` Roopa Prabhu
2017-07-24 3:09 ` Hangbin Liu
2017-07-24 19:57 ` Cong Wang
2017-07-25 0:08 ` Hangbin Liu
2017-07-25 3:28 ` David Ahern
2017-07-25 7:32 ` Hangbin Liu
2017-07-26 17:18 ` David Ahern
2017-07-26 18:27 ` Roopa Prabhu
2017-07-26 18:49 ` David Ahern
2017-07-26 18:55 ` Roopa Prabhu
2017-07-26 19:00 ` David Ahern
2017-07-26 19:38 ` Roopa Prabhu
2017-07-27 16:08 ` Hangbin Liu
2017-07-28 4:56 ` Cong Wang
2017-07-28 11:04 ` Hangbin Liu
2017-07-28 15:10 ` David Ahern
2017-07-28 17:13 ` Roopa Prabhu
2017-07-28 17:39 ` David Ahern
2017-07-28 19:52 ` Roopa Prabhu
2017-07-29 14:41 ` David Ahern
2017-07-31 18:37 ` Cong Wang [this message]
2017-07-31 18:40 ` David Ahern
2017-07-25 17:49 ` Cong Wang
2017-07-26 9:18 ` Hangbin Liu
2017-07-21 3:47 ` [PATCHv2 net] ipv6: should not return rt->dst.error if it is prohibit or blk hole entry Hangbin Liu
2017-07-21 15:29 ` kbuild test robot
2017-07-21 16:34 ` kbuild test robot
2017-07-23 4:55 ` [PATCH net] ipv6: no need to return rt->dst.error if it is not null entry Roopa Prabhu
2017-07-24 2:28 ` Hangbin Liu
2017-07-26 9:20 ` [PATCHv3 net] ipv6: no need to return rt->dst.error if it is prohibit entry Hangbin Liu
2017-07-26 17:09 ` David Ahern
2017-07-26 18:48 ` David Ahern
2017-07-27 13:48 ` Hangbin Liu
2017-07-27 16:25 ` [PATCHv4 net] ipv6: no need to check rt->dst.error when get route info Hangbin Liu
2017-07-27 18:03 ` David Ahern
2017-07-28 17:23 ` David Ahern
2017-07-27 19:52 ` Roopa Prabhu
2017-07-31 23:22 ` David Miller
2017-07-31 23:34 ` David Ahern
2017-07-31 23:39 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAM_iQpVobEXqE-CWVpQU4b8jnOrzq9EEfszj+SnyqX-RZ+B6Bw@mail.gmail.com \
--to=xiyou.wangcong@gmail.com \
--cc=dsahern@gmail.com \
--cc=liuhangbin@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=roopa@cumulusnetworks.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.