Bug 1852038
| Summary: | ip route get no longer accepts a network address | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | noah davids <ndavids> |
| Component: | iproute | Assignee: | Andrea Claudi <aclaudi> |
| Status: | CLOSED ERRATA | QA Contact: | Mingyu Shi <mshi> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 8.2 | CC: | aclaudi, atragler, fperalta, jiji, jmaxwell |
| Target Milestone: | rc | Keywords: | Reproducer, Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | iproute-5.9.0-3.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-05-18 15:00:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1875967 | | |
Hi, this is the expected result of strict netlink validation. With strict kernel validation in place, the kernel will reject any "ip route get" query with masks different from "/32" for ipv4 and "/128" for ipv6. There is nothing we can do about that.

As these masks are now considered invalid, all we can do is to silently convert them to "/32" and "/128", respectively, printing a warning to users so they can hopefully fix their scripts. Something along these lines was already proposed upstream, here: https://www.spinics.net/lists/netdev/msg716529.html

If this is ok for you, I can pick this patch into the next iproute release, provided it will be merged upstream.

Verified with:
iproute-5.9.0-3.el8.x86_64
4.18.0-284.el8.x86_64
[11:38:46@hp-dl388g8-04 ~]0# ip link add veth1 type veth
[11:39:01@hp-dl388g8-04 ~]0# ip link set veth0 up
[11:39:06@hp-dl388g8-04 ~]0# ip link set veth1 up
[11:39:08@hp-dl388g8-04 ~]0# ip addr add 192.168.199.254/24 dev veth0
[11:41:11@hp-dl388g8-04 ~]0# ip -6 addr add 192::254/64 dev veth0
[11:48:21@hp-dl388g8-04 ~]1# ip addr show veth0
320: veth0@veth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 1e:26:d6:bf:3d:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.199.254/24 scope global veth0
valid_lft forever preferred_lft forever
inet6 192::254/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::1c26:d6ff:febf:3de7/64 scope link
valid_lft forever preferred_lft forever
[11:49:39@hp-dl388g8-04 ~]0# ip route
default via 10.73.131.254 dev eno1 proto dhcp metric 100
10.73.130.0/23 dev eno1 proto kernel scope link src 10.73.130.153 metric 100
192.168.199.0/24 dev veth0 proto kernel scope link src 192.168.199.254
[11:49:49@hp-dl388g8-04 ~]0# ip -6 route
::1 dev lo proto kernel metric 256 pref medium
192::/64 dev veth0 proto kernel metric 256 pref medium
2620:52:0:4982::/64 dev eno1 proto ra metric 100 pref medium
fe80::/64 dev eno1 proto kernel metric 100 pref medium
fe80::/64 dev veth1 proto kernel metric 256 pref medium
fe80::/64 dev veth0 proto kernel metric 256 pref medium
default via fe80::ee3e:f701:b990:8a61 dev eno1 proto ra metric 100 pref medium
[11:49:53@hp-dl388g8-04 ~]0# ip route get 192.168.199.8/24
Warning: /24 as prefix is invalid, only /32 (or none) is supported.
192.168.199.8 dev veth0 src 192.168.199.254 uid 0
cache
[11:50:14@hp-dl388g8-04 ~]0# ip route get 192.168.199.8
192.168.199.8 dev veth0 src 192.168.199.254 uid 0
cache
[11:50:18@hp-dl388g8-04 ~]0# ip route get 192.168.199.8/32
192.168.199.8 dev veth0 src 192.168.199.254 uid 0
cache
# /16 is converted to /32 so that 192.168.199.8/16 and 192.168.197.8/16 get different results (after converting):
[11:50:22@hp-dl388g8-04 ~]0# ip route get 192.168.199.8/16
Warning: /16 as prefix is invalid, only /32 (or none) is supported.
192.168.199.8 dev veth0 src 192.168.199.254 uid 0
cache
[11:50:30@hp-dl388g8-04 ~]0# ip route get 192.168.197.8/16
Warning: /16 as prefix is invalid, only /32 (or none) is supported.
192.168.197.8 via 10.73.131.254 dev eno1 src 10.73.130.153 uid 0
cache
# the same goes for ipv6 route get:
[11:52:25@hp-dl388g8-04 ~]0# ip -6 route get 192::/8
Warning: /8 as prefix is invalid, only /128 (or none) is supported.
192:: dev veth0 proto kernel src 192::254 metric 256 pref medium
[11:52:51@hp-dl388g8-04 ~]0# ip -6 route get 191::/8
Warning: /8 as prefix is invalid, only /128 (or none) is supported.
191:: via fe80::ee3e:f701:b990:8a61 dev eno1 proto ra src 2620:52:0:4982:2e76:8aff:fe53:e230 metric 100 pref medium
192:: dev veth0 proto kernel src 192::254 metric 256 pref medium
[11:53:09@hp-dl388g8-04 ~]0# ip -6 route get 192::/128
192:: dev veth0 proto kernel src 192::254 metric 256 pref medium

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (iproute bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:1653
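
For scripts that still pass a network-style argument, the conversion verified in the session above can be done before `ip` is called, so the request is also accepted on iproute-5.3.0-1.el8, where it is rejected outright. This is an added example, not code from the bug report or from iproute; `host_target` and `route_get` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the bug report or from iproute).
# host_target and route_get are hypothetical helper names.

# host_target ADDR[/LEN]
#   Prints the bare address on stdout. A prefix other than the host length
#   (/32 for IPv4, /128 for IPv6) is dropped with a warning on stderr, the
#   same conversion the fixed iproute performs. Returns 1 on malformed input.
#   Address syntax itself is left for ip to validate.
host_target() {
    ht_addr=${1%%/*}
    case $ht_addr in
        *:*) ht_full=128 ;;                      # IPv6 literal
        *.*) ht_full=32 ;;                       # IPv4 literal
        *)   echo "host_target: not an IP address: $1" >&2; return 1 ;;
    esac
    case $1 in
        */*) ht_len=${1#*/} ;;
        *)   printf '%s\n' "$ht_addr"; return 0 ;;   # no prefix given
    esac
    case $ht_len in
        ''|*[!0-9]*|????*)
            echo "host_target: bad prefix length in: $1" >&2; return 1 ;;
    esac
    if [ "$ht_len" -gt "$ht_full" ]; then
        echo "host_target: prefix /$ht_len exceeds /$ht_full" >&2
        return 1
    fi
    if [ "$ht_len" -ne "$ht_full" ]; then
        echo "Warning: /$ht_len as prefix is invalid, only /$ht_full (or none) is supported." >&2
    fi
    printf '%s\n' "$ht_addr"
}

# route_get ADDR[/LEN]: query the kernel with a host address only, so the
# request is not rejected by strict netlink validation.
route_get() {
    rg_target=$(host_target "$1") || return 1
    case $rg_target in
        *:*) ip -6 route get "$rg_target" ;;
        *)   ip route get "$rg_target" ;;
    esac
}

# Constructed sample arguments; only the normalisation is run here.
for sample in 192.168.199.8/24 192.168.199.8/32 192::/8 192::/128; do
    printf '%-18s -> %s\n' "$sample" "$(host_target "$sample" 2>/dev/null)"
done
```
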

Description of problem:
On RHEL 8.1 with iproute-4.18.0-15.el8.x86_64 you can specify an address with a "/N" where N is less than 32
[root@VM-RHEL81 ~]# ip route get 10.0.0.1/8
10.0.0.1 via 192.168.1.1 dev ens3 src 192.168.1.181 uid 0
cache
[root@VM-RHEL81 ~]# rpm -qa | grep iproute
iproute-4.18.0-15.el8.x86_64
iproute-tc-4.18.0-15.el8.x86_64
[root@VM-RHEL81 ~]# ip route get 10.0.0.1/8
10.0.0.1 via 192.168.1.1 dev ens3 src 192.168.1.181 uid 0
cache
[root@VM-RHEL81 ~]#
On RHEL 8.2 with iproute-5.3.0-1.el8.x86_64 you cannot; with "/N", N < 32, you get an error, but /32 works fine.
[root@VM-RHEL82 ~]# rpm -qa | grep iproute
iproute-5.3.0-1.el8.x86_64
iproute-tc-5.3.0-1.el8.x86_64
[root@VM-RHEL82 ~]# ip route get 10.0.0.1/8
Error: ipv4: Invalid values in header for route get request.
[root@VM-RHEL82 ~]# ip route get 10.0.0.1/16
Error: ipv4: Invalid values in header for route get request.
[root@VM-RHEL82 ~]# ip route get 10.0.0.1/24
Error: ipv4: Invalid values in header for route get request.
[root@VM-RHEL82 ~]# ip route get 10.0.0.1/32
10.0.0.1 via 192.168.1.1 dev ens3 src 192.168.1.182 uid 0
cache
[root@VM-RHEL82 ~]#

Version-Release number of selected component (if applicable):
iproute-5.3.0-1.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:
[root@VM-RHEL82 ~]# ip route get 10.0.0.1/8
Error: ipv4: Invalid values in header for route get request.

Expected results:
# ip route get 10.0.0.1/8
10.0.0.1 via 192.168.1.1 dev ens3 src 192.168.1.182 uid 0
cache

Additional info:
It appears to be the result of this commit; note that if "rtm->rtm_dst_len != 32" it will generate the error.
$ git tag --contains 510c50e | grep 4.18.0-147 | wc -l 0 Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1782172 <--- fix bugs introduced by netlink strict checking commit 510c50e90d740a5dd50b8fedcbeb3d8405adaec2 Author: Petr Oros <poros> Date: Mon Oct 7 14:56:17 2019 -0400 [net] ipv4: route: perform strict checks also for doit handlers O-Subject: [RHEL8.2 net PATCH 11/18] net: ipv4: route: perform strict checks also for doit hand Bugzilla: 1757750 RH-Acked-by: Paolo Abeni <pabeni> RH-Acked-by: Jarod Wilson <jarod> RH-Acked-by: Neil Horman <nhorman> Bugzilla: http://bugzilla.redhat.com/show_bug.cgi?id=1757750 ... + if ((rtm->rtm_src_len && rtm->rtm_src_len != 32) || + (rtm->rtm_dst_len && rtm->rtm_dst_len != 32) || + rtm->rtm_table || rtm->rtm_protocol || + rtm->rtm_scope || rtm->rtm_type) { + NL_SET_ERR_MSG(extack, "ipv4: Invalid values in header for route get request"); + return -EINVAL; + } +
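
Review bot: the added condition folds the two prefix-length tests and four other header fields (rtm_table, rtm_protocol, rtm_scope, rtm_type) into one branch with a single extack string, "ipv4: Invalid values in header for route get request", so a caller that trips it on rtm_dst_len, as `ip route get 10.0.0.1/8` does in the report above, cannot tell which field was rejected. Suggest giving the rtm_src_len/rtm_dst_len test its own branch with a message that names the only accepted length (32), and keeping the generic message for the remaining fields.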