[PATCH net-next v2] ipv6: clean up routes when manually removing address with a lifetime

[PATCH net-next v2] ipv6: clean up routes when manually removing address with a lifetime

[Jakub Kicinski]

When an IPv6 address with a finite lifetime (configured with valid_lft
and preferred_lft) is manually deleted, the kernel does not clean up the
associated prefix route. This results in orphaned routes (marked "proto
kernel") remaining in the routing table even after their corresponding
address has been deleted.

This is particularly problematic on networks using combination of SLAAC
and bridges.

1. Machine comes up and performs RA on eth0.
2. User creates a bridge
   - does an ip -6 addr flush dev eth0;
   - adds the eth0 under the bridge.
3. SLAAC happens on br0.

Even tho the address has "moved" to br0 there will still be a route
pointing to eth0, but eth0 is not usable for IP any more.

Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
Bit of a risky change.. but there's no known reason to intentionally
keep these routes.

v2:
 - fix up the test case
v1: https://lore.kernel.org/20251111221033.3049292-1-kuba@kernel.org

CC: idosch@nvidia.com
CC: dsahern@kernel.org
---
 net/ipv6/addrconf.c                      |  2 +-
 tools/testing/selftests/net/rtnetlink.sh | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 40e9c336f6c5..b66217d1b2f8 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1324,7 +1324,7 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
 		__in6_ifa_put(ifp);
 	}
 
-	if (ifp->flags & IFA_F_PERMANENT && !(ifp->flags & IFA_F_NOPREFIXROUTE))
+	if (!(ifp->flags & IFA_F_NOPREFIXROUTE))
 		action = check_cleanup_prefix_route(ifp, &expires);
 
 	list_del_rcu(&ifp->if_list);
diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
index 163a084d525d..248c2b91fe42 100755
--- a/tools/testing/selftests/net/rtnetlink.sh
+++ b/tools/testing/selftests/net/rtnetlink.sh
@@ -8,6 +8,7 @@ ALL_TESTS="
 	kci_test_polrouting
 	kci_test_route_get
 	kci_test_addrlft
+	kci_test_addrlft_route_cleanup
 	kci_test_promote_secondaries
 	kci_test_tc
 	kci_test_gre
@@ -323,6 +324,25 @@ kci_test_addrlft()
 	end_test "PASS: preferred_lft addresses have expired"
 }
 
+kci_test_addrlft_route_cleanup()
+{
+	local ret=0
+	local test_addr="2001:db8:99::1/64"
+	local test_prefix="2001:db8:99::/64"
+
+	run_cmd ip -6 addr add $test_addr dev "$devdummy" valid_lft 300 preferred_lft 300
+	run_cmd_grep "$test_prefix proto kernel" ip -6 route show dev "$devdummy"
+	run_cmd ip -6 addr del $test_addr dev "$devdummy"
+	run_cmd_grep_fail "$test_prefix" ip -6 route show dev "$devdummy"
+
+	if [ $ret -ne 0 ]; then
+		end_test "FAIL: route not cleaned up when address with valid_lft deleted"
+		return 1
+	fi
+
+	end_test "PASS: route cleaned up when address with valid_lft deleted"
+}
+
 kci_test_promote_secondaries()
 {
 	run_cmd ifconfig "$devdummy"
-- 
2.51.1

Re: [PATCH net-next v2] ipv6: clean up routes when manually removing address with a lifetime

[David Ahern]

On 11/12/25 8:17 PM, Jakub Kicinski wrote:
> When an IPv6 address with a finite lifetime (configured with valid_lft
> and preferred_lft) is manually deleted, the kernel does not clean up the
> associated prefix route. This results in orphaned routes (marked "proto
> kernel") remaining in the routing table even after their corresponding
> address has been deleted.
> 
> This is particularly problematic on networks using combination of SLAAC
> and bridges.
> 
> 1. Machine comes up and performs RA on eth0.
> 2. User creates a bridge
>    - does an ip -6 addr flush dev eth0;
>    - adds the eth0 under the bridge.
> 3. SLAAC happens on br0.
> 
> Even tho the address has "moved" to br0 there will still be a route
> pointing to eth0, but eth0 is not usable for IP any more.
> 
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> ---
> Bit of a risky change.. but there's no known reason to intentionally
> keep these routes.
> 
> v2:
>  - fix up the test case
> v1: https://lore.kernel.org/20251111221033.3049292-1-kuba@kernel.org
> 
> CC: idosch@nvidia.com
> CC: dsahern@kernel.org
> ---
>  net/ipv6/addrconf.c                      |  2 +-
>  tools/testing/selftests/net/rtnetlink.sh | 20 ++++++++++++++++++++
>  2 files changed, 21 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index 40e9c336f6c5..b66217d1b2f8 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -1324,7 +1324,7 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
>  		__in6_ifa_put(ifp);
>  	}
>  
> -	if (ifp->flags & IFA_F_PERMANENT && !(ifp->flags & IFA_F_NOPREFIXROUTE))
> +	if (!(ifp->flags & IFA_F_NOPREFIXROUTE))
>  		action = check_cleanup_prefix_route(ifp, &expires);
>  

I was wandering the code earlier today. Could not find anything
obviously wrong with dropping that check, but putting into net-next for
a while will give some time for more testing by various groups.

Reviewed-by: David Ahern <dsahern@kernel.org>

Re: [PATCH net-next v2] ipv6: clean up routes when manually removing address with a lifetime

[Ido Schimmel]

On Wed, Nov 12, 2025 at 07:17:00PM -0800, Jakub Kicinski wrote:
> When an IPv6 address with a finite lifetime (configured with valid_lft
> and preferred_lft) is manually deleted, the kernel does not clean up the
> associated prefix route. This results in orphaned routes (marked "proto
> kernel") remaining in the routing table even after their corresponding
> address has been deleted.
> 
> This is particularly problematic on networks using combination of SLAAC
> and bridges.
> 
> 1. Machine comes up and performs RA on eth0.
> 2. User creates a bridge
>    - does an ip -6 addr flush dev eth0;
>    - adds the eth0 under the bridge.
> 3. SLAAC happens on br0.
> 
> Even tho the address has "moved" to br0 there will still be a route
> pointing to eth0, but eth0 is not usable for IP any more.
> 
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Reviewed-by: Ido Schimmel <idosch@nvidia.com>

Re: [PATCH net-next v2] ipv6: clean up routes when manually removing address with a lifetime

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 12 Nov 2025 19:17:00 -0800 you wrote:
> When an IPv6 address with a finite lifetime (configured with valid_lft
> and preferred_lft) is manually deleted, the kernel does not clean up the
> associated prefix route. This results in orphaned routes (marked "proto
> kernel") remaining in the routing table even after their corresponding
> address has been deleted.
> 
> This is particularly problematic on networks using combination of SLAAC
> and bridges.
> 
> [...]

Here is the summary with links:
  - [net-next,v2] ipv6: clean up routes when manually removing address with a lifetime
    https://git.kernel.org/netdev/net-next/c/c7dc5b522882

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html