[PATCH net] ipv6: prevent only DAD and RS sending for IFF_NO_ADDRCONF

[PATCH net] ipv6: prevent only DAD and RS sending for IFF_NO_ADDRCONF

[Xin Long]

Currently IFF_NO_ADDRCONF is used to prevent all ipv6 addrconf for the
slave ports of team, bonding and failover devices and it means no ipv6
packets can be sent out through these slave ports. However, for team
device, "nsna_ping" link_watch requires ipv6 addrconf. Otherwise, the
link will be marked failure.

The orginal issue fixed by IFF_NO_ADDRCONF was caused by DAD and RS
packets sent by slave ports in commit c2edacf80e15 ("bonding / ipv6: no
addrconf for slaves separately from master") where it's using IFF_SLAVE
and later changed to IFF_NO_ADDRCONF in commit 8a321cf7becc ("net: add
IFF_NO_ADDRCONF and use it in bonding to prevent ipv6 addrconf").

So instead of preventing all the ipv6 addrconf, it makes more sense to
only prevent DAD and RS sending for the slave ports: Firstly, check
IFF_NO_ADDRCONF in addrconf_dad_completed() to prevent RS as it did in
commit b52e1cce31ca ("ipv6: Don't send rs packets to the interface of
ARPHRD_TUNNEL"), and then also check IFF_NO_ADDRCONF where IFA_F_NODAD
is checked to prevent DAD.

Fixes: 0aa64df30b38 ("net: team: use IFF_NO_ADDRCONF flag to prevent ipv6 addrconf")
Reported-by: Liang Li <liali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/ipv6/addrconf.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index f7a84a4acffc..c774cf34bf2e 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1124,7 +1124,8 @@ ipv6_add_addr(struct inet6_dev *idev, struct ifa6_config *cfg,
 	ifa->flags = cfg->ifa_flags;
 	ifa->ifa_proto = cfg->ifa_proto;
 	/* No need to add the TENTATIVE flag for addresses with NODAD */
-	if (!(cfg->ifa_flags & IFA_F_NODAD))
+	if (!(cfg->ifa_flags & IFA_F_NODAD) &&
+	    !(idev->dev->priv_flags & IFF_NO_ADDRCONF))
 		ifa->flags |= IFA_F_TENTATIVE;
 	ifa->valid_lft = cfg->valid_lft;
 	ifa->prefered_lft = cfg->preferred_lft;
@@ -3319,10 +3320,6 @@ static void addrconf_addr_gen(struct inet6_dev *idev, bool prefix_route)
 	if (netif_is_l3_master(idev->dev))
 		return;
 
-	/* no link local addresses on devices flagged as slaves */
-	if (idev->dev->priv_flags & IFF_NO_ADDRCONF)
-		return;
-
 	ipv6_addr_set(&addr, htonl(0xFE800000), 0, 0, 0);
 
 	switch (idev->cnf.addr_gen_mode) {
@@ -3564,7 +3561,6 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event,
 			if (event == NETDEV_UP && !IS_ERR_OR_NULL(idev) &&
 			    dev->flags & IFF_UP && dev->flags & IFF_MULTICAST)
 				ipv6_mc_up(idev);
-			break;
 		}
 
 		if (event == NETDEV_UP) {
@@ -3855,7 +3851,8 @@ static int addrconf_ifdown(struct net_device *dev, bool unregister)
 			/* set state to skip the notifier below */
 			state = INET6_IFADDR_STATE_DEAD;
 			ifa->state = INET6_IFADDR_STATE_PREDAD;
-			if (!(ifa->flags & IFA_F_NODAD))
+			if (!(ifa->flags & IFA_F_NODAD) &&
+			    !(dev->priv_flags & IFF_NO_ADDRCONF))
 				ifa->flags |= IFA_F_TENTATIVE;
 
 			rt = ifa->rt;
@@ -3997,6 +3994,7 @@ static void addrconf_dad_begin(struct inet6_ifaddr *ifp)
 
 	net = dev_net(dev);
 	if (dev->flags&(IFF_NOARP|IFF_LOOPBACK) ||
+	    dev->priv_flags & IFF_NO_ADDRCONF ||
 	    (net->ipv6.devconf_all->accept_dad < 1 &&
 	     idev->cnf.accept_dad < 1) ||
 	    !(ifp->flags&IFA_F_TENTATIVE) ||
@@ -4218,6 +4216,7 @@ static void addrconf_dad_completed(struct inet6_ifaddr *ifp, bool bump_id,
 		  ipv6_accept_ra(ifp->idev) &&
 		  ifp->idev->cnf.rtr_solicits != 0 &&
 		  (dev->flags & IFF_LOOPBACK) == 0 &&
+		  (dev->priv_flags & IFF_NO_ADDRCONF) == 0 &&
 		  (dev->type != ARPHRD_TUNNEL);
 	read_unlock_bh(&ifp->idev->lock);
 
-- 
2.31.1

Re: [PATCH net] ipv6: prevent only DAD and RS sending for IFF_NO_ADDRCONF

[David Ahern]

On 1/6/23 9:51 AM, Xin Long wrote:
> Currently IFF_NO_ADDRCONF is used to prevent all ipv6 addrconf for the
> slave ports of team, bonding and failover devices and it means no ipv6
> packets can be sent out through these slave ports. However, for team
> device, "nsna_ping" link_watch requires ipv6 addrconf. Otherwise, the
> link will be marked failure.
> 
> The orginal issue fixed by IFF_NO_ADDRCONF was caused by DAD and RS
> packets sent by slave ports in commit c2edacf80e15 ("bonding / ipv6: no
> addrconf for slaves separately from master") where it's using IFF_SLAVE
> and later changed to IFF_NO_ADDRCONF in commit 8a321cf7becc ("net: add
> IFF_NO_ADDRCONF and use it in bonding to prevent ipv6 addrconf").

That patch is less than a month old, and you are making changes again.

I think you should add some test cases that cover the permutations you
want along with any possible alternative / negative use cases.

Re: [PATCH net] ipv6: prevent only DAD and RS sending for IFF_NO_ADDRCONF

[Xin Long]

On Sat, Jan 7, 2023 at 9:04 PM David Ahern <dsahern@kernel.org> wrote:
>
> On 1/6/23 9:51 AM, Xin Long wrote:
> > Currently IFF_NO_ADDRCONF is used to prevent all ipv6 addrconf for the
> > slave ports of team, bonding and failover devices and it means no ipv6
> > packets can be sent out through these slave ports. However, for team
> > device, "nsna_ping" link_watch requires ipv6 addrconf. Otherwise, the
> > link will be marked failure.
> >
> > The orginal issue fixed by IFF_NO_ADDRCONF was caused by DAD and RS
> > packets sent by slave ports in commit c2edacf80e15 ("bonding / ipv6: no
> > addrconf for slaves separately from master") where it's using IFF_SLAVE
> > and later changed to IFF_NO_ADDRCONF in commit 8a321cf7becc ("net: add
> > IFF_NO_ADDRCONF and use it in bonding to prevent ipv6 addrconf").
>
> That patch is less than a month old, and you are making changes again.
Hi, David,

That patch will not change anything, and it's an improvement. the
problem is the commit:

0aa64df30b38 ("net: team: use IFF_NO_ADDRCONF flag to prevent ipv6 addrconf")

So it affects the team driver only, and I should've done more team driver tests.
Sorry for having to touch the IPv6 code for this problem in the team driver.

>
> I think you should add some test cases that cover the permutations you
> want along with any possible alternative / negative use cases.
IFF_NO_ADDRCONF are used by team/bonding/failover, I will try to add
a kselftest for this with team/bonding.

Thanks for the suggestion.

Re: [PATCH net] ipv6: prevent only DAD and RS sending for IFF_NO_ADDRCONF

[Paolo Abeni]

On Sun, 2023-01-08 at 11:58 -0500, Xin Long wrote:
> On Sat, Jan 7, 2023 at 9:04 PM David Ahern <dsahern@kernel.org> wrote:
> > 
> > On 1/6/23 9:51 AM, Xin Long wrote:
> > > Currently IFF_NO_ADDRCONF is used to prevent all ipv6 addrconf for the
> > > slave ports of team, bonding and failover devices and it means no ipv6
> > > packets can be sent out through these slave ports. However, for team
> > > device, "nsna_ping" link_watch requires ipv6 addrconf. Otherwise, the
> > > link will be marked failure.
> > > 
> > > The orginal issue fixed by IFF_NO_ADDRCONF was caused by DAD and RS
> > > packets sent by slave ports in commit c2edacf80e15 ("bonding / ipv6: no
> > > addrconf for slaves separately from master") where it's using IFF_SLAVE
> > > and later changed to IFF_NO_ADDRCONF in commit 8a321cf7becc ("net: add
> > > IFF_NO_ADDRCONF and use it in bonding to prevent ipv6 addrconf").
> > 
> > That patch is less than a month old, and you are making changes again.
> Hi, David,
> 
> That patch will not change anything, and it's an improvement. the
> problem is the commit:
> 
> 0aa64df30b38 ("net: team: use IFF_NO_ADDRCONF flag to prevent ipv6 addrconf")
> 
> So it affects the team driver only, and I should've done more team driver tests.
> Sorry for having to touch the IPv6 code for this problem in the team driver.
> 
> > 
> > I think you should add some test cases that cover the permutations you
> > want along with any possible alternative / negative use cases.
> IFF_NO_ADDRCONF are used by team/bonding/failover, I will try to add
> a kselftest for this with team/bonding.

Please include such test in the next iteration, thanks!

Paolo