Bug 1852038 - ip route get no longer accepts a network address
Summary: ip route get no longer accepts a network address
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: iproute
Version: 8.2
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Andrea Claudi
QA Contact: Mingyu Shi
URL:
Whiteboard:
Depends On:
Blocks: 1875967
Reported: 2020-06-29 15:54 UTC by noah davids
Modified: 2024-06-13 22:44 UTC (History)

Fixed In Version: iproute-5.9.0-3.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:00:18 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+



Description noah davids 2020-06-29 15:54:03 UTC
Description of problem:

On RHEL 8.1 with iproute-4.18.0-15.el8.x86_64 you can specify an address with a "/N" where N is less than 32
 
[root@VM-RHEL81 ~]# ip route get 10.0.0.1/8
10.0.0.1 via 192.168.1.1 dev ens3 src 192.168.1.181 uid 0 
    cache 
[root@VM-RHEL81 ~]# rpm -qa | grep iproute
iproute-4.18.0-15.el8.x86_64
iproute-tc-4.18.0-15.el8.x86_64
[root@VM-RHEL81 ~]# ip route get 10.0.0.1/8
10.0.0.1 via 192.168.1.1 dev ens3 src 192.168.1.181 uid 0 
    cache 
[root@VM-RHEL81 ~]# 


On RHEL 8.2 with iproute-5.3.0-1.el8.x86_64 you cannot; with "/N", N < 32, you get an error, but /32 works fine.

[root@VM-RHEL82 ~]# rpm -qa | grep iproute
iproute-5.3.0-1.el8.x86_64
iproute-tc-5.3.0-1.el8.x86_64
[root@VM-RHEL82 ~]# ip route get 10.0.0.1/8
Error: ipv4: Invalid values in header for route get request.
[root@VM-RHEL82 ~]# ip route get 10.0.0.1/16
Error: ipv4: Invalid values in header for route get request.
[root@VM-RHEL82 ~]# ip route get 10.0.0.1/24
Error: ipv4: Invalid values in header for route get request.
[root@VM-RHEL82 ~]# ip route get 10.0.0.1/32
10.0.0.1 via 192.168.1.1 dev ens3 src 192.168.1.182 uid 0 
    cache 
[root@VM-RHEL82 ~]# 


Version-Release number of selected component (if applicable):

iproute-5.3.0-1.el8.x86_64

How reproducible:

100%


Steps to Reproduce:
1.
2.
3.

Actual results:

[root@VM-RHEL82 ~]# ip route get 10.0.0.1/8
Error: ipv4: Invalid values in header for route get request.

Expected results:

# ip route get 10.0.0.1/8
10.0.0.1 via 192.168.1.1 dev ens3 src 192.168.1.182 uid 0 
    cache 


Additional info:

It appears to be the result of this commit; note that if "rtm->rtm_dst_len != 32" it will generate the error.

$ git tag --contains 510c50e | grep 4.18.0-147 | wc -l
0

Ref:  https://bugzilla.redhat.com/show_bug.cgi?id=1782172  <--- fix bugs introduced by netlink strict checking
      
commit 510c50e90d740a5dd50b8fedcbeb3d8405adaec2
Author: Petr Oros <poros>
Date:   Mon Oct 7 14:56:17 2019 -0400

    [net] ipv4: route: perform strict checks also for doit handlers
    
    O-Subject: [RHEL8.2 net PATCH 11/18] net: ipv4: route: perform strict checks also for doit hand
    Bugzilla: 1757750
    RH-Acked-by: Paolo Abeni <pabeni>
    RH-Acked-by: Jarod Wilson <jarod>
    RH-Acked-by: Neil Horman <nhorman>
    
    Bugzilla: http://bugzilla.redhat.com/show_bug.cgi?id=1757750
    

...
+       if ((rtm->rtm_src_len && rtm->rtm_src_len != 32) ||
+           (rtm->rtm_dst_len && rtm->rtm_dst_len != 32) ||
+           rtm->rtm_table || rtm->rtm_protocol ||
+           rtm->rtm_scope || rtm->rtm_type) {
+               NL_SET_ERR_MSG(extack, "ipv4: Invalid values in header for route get request");
+               return -EINVAL;
+       }
+
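Review bot: the single extack string on the combined condition does not tell the caller which header field was rejected. A request whose rtm_src_len or rtm_dst_len is set to something other than 32 gets the same "ipv4: Invalid values in header for route get request" text as one that sets rtm_table, rtm_protocol, rtm_scope or rtm_type. Consider moving the two prefix-length tests into their own branch with a message that names the field and the accepted values (0 or 32), so a tool that sends a shorter prefix can report something actionable to its user.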

Comment 6 Andrea Claudi 2021-01-26 16:22:09 UTC
Hi, this is the expected result of strict netlink validation.
With strict kernel validation in place, the kernel will reject any "ip route get" query with masks different from "/32" for ipv4 and "/128" for ipv6. There is nothing we can do about that.

As these masks are now considered invalid, all we can do is to silently convert them to "/32" and "/128", respectively, printing a warning to users so they can hopefully fix their scripts.
Something along these lines was already proposed upstream, here: https://www.spinics.net/lists/netdev/msg716529.html

If this is ok for you, I can pick this patch into the next iproute release, provided it will be merged upstream.

Comment 11 Mingyu Shi 2021-02-18 03:54:14 UTC
Verified with:
iproute-5.9.0-3.el8.x86_64
4.18.0-284.el8.x86_64

[11:38:46@hp-dl388g8-04 ~]0# ip link add veth1 type veth
[11:39:01@hp-dl388g8-04 ~]0# ip link set veth0 up
[11:39:06@hp-dl388g8-04 ~]0# ip link set veth1 up
[11:39:08@hp-dl388g8-04 ~]0# ip addr add 192.168.199.254/24 dev veth0
[11:41:11@hp-dl388g8-04 ~]0# ip -6 addr add 192::254/64 dev veth0
[11:48:21@hp-dl388g8-04 ~]1# ip addr show veth0
320: veth0@veth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1e:26:d6:bf:3d:e7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.199.254/24 scope global veth0
       valid_lft forever preferred_lft forever
    inet6 192::254/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::1c26:d6ff:febf:3de7/64 scope link 
       valid_lft forever preferred_lft forever
[11:49:39@hp-dl388g8-04 ~]0# ip route
default via 10.73.131.254 dev eno1 proto dhcp metric 100 
10.73.130.0/23 dev eno1 proto kernel scope link src 10.73.130.153 metric 100 
192.168.199.0/24 dev veth0 proto kernel scope link src 192.168.199.254 
[11:49:49@hp-dl388g8-04 ~]0# ip -6 route
::1 dev lo proto kernel metric 256 pref medium
192::/64 dev veth0 proto kernel metric 256 pref medium
2620:52:0:4982::/64 dev eno1 proto ra metric 100 pref medium
fe80::/64 dev eno1 proto kernel metric 100 pref medium
fe80::/64 dev veth1 proto kernel metric 256 pref medium
fe80::/64 dev veth0 proto kernel metric 256 pref medium
default via fe80::ee3e:f701:b990:8a61 dev eno1 proto ra metric 100 pref medium
[11:49:53@hp-dl388g8-04 ~]0# ip route get 192.168.199.8/24
Warning: /24 as prefix is invalid, only /32 (or none) is supported.
192.168.199.8 dev veth0 src 192.168.199.254 uid 0 
    cache 
[11:50:14@hp-dl388g8-04 ~]0# ip route get 192.168.199.8
192.168.199.8 dev veth0 src 192.168.199.254 uid 0 
    cache 
[11:50:18@hp-dl388g8-04 ~]0# ip route get 192.168.199.8/32
192.168.199.8 dev veth0 src 192.168.199.254 uid 0 
    cache 

# /16 is converted to /32, so 192.168.199.8/16 and 192.168.197.8/16 get different results (after converting):
[11:50:22@hp-dl388g8-04 ~]0# ip route get 192.168.199.8/16
Warning: /16 as prefix is invalid, only /32 (or none) is supported.
192.168.199.8 dev veth0 src 192.168.199.254 uid 0 
    cache 
[11:50:30@hp-dl388g8-04 ~]0# ip route get 192.168.197.8/16
Warning: /16 as prefix is invalid, only /32 (or none) is supported.
192.168.197.8 via 10.73.131.254 dev eno1 src 10.73.130.153 uid 0 
    cache

# the same goes for IPv6 route get:
[11:52:25@hp-dl388g8-04 ~]0# ip -6 route get 192::/8
Warning: /8 as prefix is invalid, only /128 (or none) is supported.
192:: dev veth0 proto kernel src 192::254 metric 256 pref medium
[11:52:51@hp-dl388g8-04 ~]0# ip -6 route get 191::/8
Warning: /8 as prefix is invalid, only /128 (or none) is supported.
191:: via fe80::ee3e:f701:b990:8a61 dev eno1 proto ra src 2620:52:0:4982:2e76:8aff:fe53:e230 metric 100 pref medium
192:: dev veth0 proto kernel src 192::254 metric 256 pref medium
[11:53:09@hp-dl388g8-04 ~]0# ip -6 route get 192::/128
192:: dev veth0 proto kernel src 192::254 metric 256 pref medium
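
Comment 6 says the warning exists so users can fix their scripts. The following is an added example, not part of the bug report or of iproute: a shell function that scans script text for "ip route get" calls with a prefix other than /32 (IPv4) or /128 (IPv6). The function name, the sample input and the matching rules (only the "route"/"r" and "get" spellings, numeric prefixes only) are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag "ip route get ADDR/N" calls whose prefix the strict
# kernel check rejects (anything but /32 for IPv4, /128 for IPv6).

# find_bad_route_get: read script text on stdin, print "LINENO: line" for
# each offending call. Exit status 0 if any were found, 1 if none (like grep).
find_bad_route_get() {
    awk '
    /^[ \t]*#/ { next }                      # skip whole-line comments
    {
        # Split on whitespace and shell punctuation so $(...) and pipes work.
        n = split($0, t, /[ \t;|&()`"]+/)
        for (i = 1; i <= n; i++) {
            if (t[i] != "ip" && t[i] !~ /\/ip$/) continue
            v6 = 0; j = i + 1
            while (j <= n && substr(t[j], 1, 1) == "-") {   # ip options
                if (t[j] == "-6") v6 = 1
                j++
            }
            if (t[j] !~ /^r(oute)?$/ || t[j + 1] != "get") continue
            j += 2
            if (t[j] == "to") j++            # optional "to" keyword
            addr = t[j]
            slash = index(addr, "/")
            if (!slash) continue             # no prefix given: accepted
            plen = substr(addr, slash + 1)
            if (plen !~ /^[0-9]+$/) continue # variable prefix: cannot judge
            if (index(addr, ":")) v6 = 1     # literal IPv6 address
            want = v6 ? 128 : 32
            if (plen + 0 != want) { printf "%d: %s\n", NR, $0; bad = 1; break }
        }
    }
    END { exit (bad ? 0 : 1) }'
}

# Constructed sample input (not taken from the bug report).
sample_script() {
    cat <<'EOF'
ip route get 10.0.0.1/8
ip route get 10.0.0.1/32
ip -6 route get 192::/8
# ip route get 10.0.0.1/16
gw=$(ip route get 192.168.199.8/24 | head -1)
EOF
}

sample_script | find_bad_route_get || true
```

Run it over real scripts with `find_bad_route_get < script.sh`; each reported line either fails on iproute-5.3.0-1.el8 or triggers the warning on iproute-5.9.0-3.el8.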

Comment 13 errata-xmlrpc 2021-05-18 15:00:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (iproute bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1653

