Message-ID: <CAH8yC8nTwTST1YP_tteuEFOk0aqEwsg-+ptjjQp9zS4DpPuxDw@mail.gmail.com>
Date: Fri, 30 Apr 2021 12:59:39 -0400
From: Jeffrey Walton <noloader@...il.com>
To: musl@...ts.openwall.com
Cc: Bob Richmond <robert.richmond@...enwavesystems.com>
Subject: Re: getaddrinfo/AI_ADDRCONFIG with ipv6 disabled

On Fri, Apr 30, 2021 at 8:38 AM Rich Felker <dalias@...c.org> wrote:
> ....
> It's been raised that this is NOT a result of
>
>     echo 1 >/proc/sys/net/ipv6/conf/lo/disable_ipv6
>
> but rather appears to be fib6 policy setup by OpenWRT for some reason,
> whereby the kernel (net/ipv6/fib6_rules.c: fib6_rule_action)
> synthesizes error codes for routing policy reasons. This is probably
> wrong for the kernel to do -- especially their re-appropriation of
> EINVAL for FR_ACT_BLACKHOLE when POSIX already specifies it for
>
>     "The address_len argument is not a valid length for the address
>     family; or invalid address family in the sockaddr structure."
>
> So in light of this mess, the patch may be correct, despite the
> problem being misattributed, but it should probably also handle the
> EINVAL case. Also it's not 100% clear whether we should interpret this
> as "no IPv6" or ignore it as an access control policy rather than
> reflection of IPv6 existing. If there are any other ways the kernel
> can return EACCES or EINVAL here, we would not want to misinterpret
> that in a way that breaks IPv6.
>
> Someone should probably also ping OpenWRT about why they're using this
> arcane mechanism to block IPv6 to localhost.

The kernel has been doing that stupid thing for ages. They have no
interest in fixing it. (I brought it up on one of the kernel mailing
lists).

It gets worse with components like SELinux. They hijack error codes
there, too. You can waste hours trying to track down an EACCES on a
web server only to find out the kernel hijacked the return code in
SELinux.

God forbid they actually provide a selinux_errno to check for SELinux errors...

Jeff
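
An added example, not musl's code and not part of this thread: a loopback UDP connect() probe of the kind an AI_ADDRCONFIG check can use, with EACCES and EINVAL kept in a separate "ambiguous" class because the quoted message says they may reflect routing policy rather than missing IPv6. The function names, the port number and the list of errno values treated as "absent" are assumptions of this example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum probe_result { FAMILY_USABLE, FAMILY_ABSENT, FAMILY_AMBIGUOUS, PROBE_FAILED };

/* Map the errno of the loopback probe to a verdict. */
enum probe_result classify_probe_errno(int err)
{
    switch (err) {
    case 0: return FAMILY_USABLE;
    /* Assumed list: errors that plainly mean no address or route for the family. */
    case EADDRNOTAVAIL: case EAFNOSUPPORT: case EHOSTUNREACH:
    case ENETDOWN: case ENETUNREACH:
        return FAMILY_ABSENT;
    /* Codes the thread ties to routing policy or SELinux: not proof IPv6 is missing. */
    case EACCES: case EINVAL:
        return FAMILY_AMBIGUOUS;
    default: return PROBE_FAILED;
    }
}

/* connect() on a UDP socket sends nothing; it only asks for a route to ::1. */
int probe_ipv6_loopback_errno(void)
{
    struct sockaddr_in6 lo6;
    memset(&lo6, 0, sizeof lo6);
    lo6.sin6_family = AF_INET6;
    lo6.sin6_port = htons(65535); /* arbitrary port, assumption of this example */
    lo6.sin6_addr = in6addr_loopback;
    int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
    if (fd < 0) return errno;
    /* Capture errno before close() can overwrite it. */
    int err = connect(fd, (struct sockaddr *)&lo6, sizeof lo6) ? errno : 0;
    close(fd);
    return err;
}

int main(void)
{
    static const char *const verdict[] = { "usable", "absent", "ambiguous", "probe failed" };
    int err = probe_ipv6_loopback_errno();
    printf("IPv6 loopback probe: errno=%d (%s) -> %s\n",
           err, strerror(err), verdict[classify_probe_errno(err)]);
    return 0;
}
```

An "ambiguous" verdict on a host is the cue to look at policy routing rules and LSM denials before concluding that IPv6 is disabled.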
