From: Tiago Lam <tiagolam@cloudflare.com>
To: willemdebruijn.kernel@gmail.com
Cc: netdev@vger.kernel.org, kernel-team@cloudflare.com, jakub@cloudflare.com
Subject: Egressing non-local UDP traffic, IPv4 vs IPv6
Date: Mon, 14 Oct 2024 18:05:41 +0100 [thread overview]
Message-ID: <Zw1PZVgX/l0thRK0@GHGHG14> (raw)
Hi Willem et al,
While working/testing the reverse sk_lookup at [1], I came across an
apparent discrepancy between how IPv4 and IPv6 works which I'd like to
understand better.
The bottom line is: setting IP_FREEBIND is enough to allow IPv6 traffic
to egress from a non-local IP address (i.e. an IP not assigned to any
loopback nor any local route in the metal). For IPv4 traffic, one needs
to set IP_TRANSPARENT, which requires special permissions.
The following python snippets show this divergence in practice.
IPv4 (needs sudo for using IP_TRANSPARENT):
```
sudo python -c '
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# 15 stands for IP_FREEBIND, and fails if set on its own.
#s.setsockopt(socket.SOL_IP, 15, 1)
s.setsockopt(socket.SOL_IP, socket.IP_TRANSPARENT, 1)
s.bind(("2.2.2.2", 0))
s.sendto(b"x" * 300, ("8.8.8.8", 9))'
```
IPv6 (doesn't need sudo)
```
python -c '
import socket
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_IP, 15, 1)
s.bind(("2001:4860:4860::2222", 0))
s.sendto(b"x" * 300, ("2001:4860:4860::8888", 9))'
```
From what I can gather, this validation for IPv6 is only done during
bind at [2], when it checks if either IP_FREEBIND or IP_TRANSPARENT is
set when binding to a non-local IP. While IPv4 does the same check
during bind, later it checks if IP_TRANSPARENT is set as part of the
route lookup, at [3]. I don't see a similar validation done for IPv6 if
we egress from a non-local IP.
This is also consistent with what happens when one sets the source IP in
sendmsg using the IP_PKTINFO cmsg, given that in IPv4 the validation is
performed outside of the cmsg handler (again in [3]), but for IPv6 the
validation seems to be performed within the cmsg handler itself, at [4].
So what I'm wondering is if this apparent discrepancy is due to
historical reasons, or if I'm missing something else.
Given IPv6 allows one to egress non-local traffic without
IP_TRANSPARENT, thus without the need to set up special
permissions/capabilities, is there a reason for IPv4 to not behave the
same way?
Thanks,
Tiago.
[1]
https://lore.kernel.org/r/20240913-reverse-sk-lookup-v1-0-e721ea003d4c@cloudflare.com
[2]
https://elixir.bootlin.com/linux/v6.11.3/source/net/ipv6/af_inet6.c#L383
[3]
https://elixir.bootlin.com/linux/v6.11.3/source/net/ipv4/route.c#L2686
[4]
https://elixir.bootlin.com/linux/v6.11.3/source/net/ipv6/datagram.c#L829
reply other threads:[~2024-10-14 17:05 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zw1PZVgX/l0thRK0@GHGHG14 \
--to=tiagolam@cloudflare.com \
--cc=jakub@cloudflare.com \
--cc=kernel-team@cloudflare.com \
--cc=netdev@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox