Bug 583985 - traceroute don't like -l flowlabel option
Summary: traceroute don't like -l flowlabel option
Alias: None
Product: Fedora
Classification: Fedora
Component: traceroute
Version: 12
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Dmitry Butskoy
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2010-04-20 12:58 UTC by Peter Bieringer
Modified: 2010-04-28 01:18 UTC (History)
2 users (show)

Fixed In Version: traceroute-2.0.14-1.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 586109 (view as bug list)
Last Closed: 2010-04-28 01:13:57 UTC

Attachments (Terms of Use)
traceroute-2.0.13-flowlabel.patch (618 bytes, patch)
2010-04-20 15:24 UTC, Dmitry Butskoy
no flags Details | Diff
patch to fix flowlabel and tclass support (1.22 KB, patch)
2010-04-22 14:08 UTC, Dmitry Butskoy
no flags Details | Diff

Description Peter Bieringer 2010-04-20 12:58:02 UTC
Description of problem:
traceroute don't like -l flowlabel option, looks like it can't set flowlabel during setsockopt

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
# LC_ALL=C traceroute -l 1 ::1
traceroute to ::1 (::1), 30 hops max, 80 byte packets
setsockopt IPV6_FLOWLABEL_MGR: Operation not permitted

Works without specifying flowlabel option:

# LC_ALL=C traceroute  ::1
traceroute to ::1 (::1), 30 hops max, 80 byte packets
 1  localhost (::1)  0.043 ms  0.020 ms  0.017 ms

Comment 1 Dmitry Butskoy 2010-04-20 13:47:03 UTC

It seesm you are the first person who try this.

The code for flowlabels support was derived from some BSD's implementation, without actual checking due to missing good environment for such a check.

Could you help with this?

First of all, the issue might be I set flow_label "twice" -- in sin6_flowinfo field of the sin6 address, and then by setsockopt. Maybe it is an extra thing?..

Comment 2 Peter Bieringer 2010-04-20 13:57:13 UTC
Yes, I'm currently playing around using tc for IPv6 for creating some examples for my howto.

As a short test setup, use tc to setup a flow label filter:

# tc qdisc add dev eth1 root handle 1: cbq avpkt 1000 bandwidth 1000Mbit
# tc class add dev eth1 parent 1: classid 1:1 cbq rate 1Mbit allot 1500 bounded
# tc filter add dev eth1 parent 1: protocol ipv6 u32 match ip6 flowlabel 1 0x3ffff flowid 1:1

and check with 
# tc -s filter show dev eth1

whether package matches filter (when option is proper working)

BTW: related problem is in ping6: https://bugzilla.redhat.com/show_bug.cgi?id=583976

Comment 3 Dmitry Butskoy 2010-04-20 15:07:35 UTC
I've found the issue.

The problem is after the closing of IPv6 socket, the correspond flowlabel does not disappear. When we try to set the same flowlabel value the next time, it returns EPERM due to IPV6_FL_S_EXCL flag is set.

For example, try to do ICMP traceroute with yet unused flowlabel:

traceroute -6 -n -l 1111 something

and then repeat the same command. The first call is successful, the second is failed. AFter the 60 second (default expire time) the flow is reset, and you can try again...

With the defaukt traceroute method (UDP), we use separate sockets for each probe, hence the first proble of the first invokation is successfull, all other will be failed. Try fe.:

traceroute -6 -n -q1 -m1 -l 1111 something

Either we should drop IPV6_FL_S_EXCL flag (is it correct idea?), or try to play with flr_linger and flr_expires fields of the flowlabel struct used.

Additionally, it seems that setting of sin6_flowinfo is unuseful thing anyway...

Comment 4 Dmitry Butskoy 2010-04-20 15:24:39 UTC
Created attachment 407845 [details]

The patch which fixes the issue.

IPV6_FL_S_EXCL changed to IPV6_FL_S_USER

Now the same user can use the same flowlabel any time. After the 6 second expiration (a kernel default) another users can "catch" this flow value etc...

Perhaps it would be more useful to change to IPV6_FL_S_ANY, but I'm not sure for now whether it is secure enough or not...

Comment 5 Dmitry Butskoy 2010-04-21 14:14:43 UTC
The final decision is use IPV6_FL_S_ANY. If does not spoil anything.

Besides the flow labels, could you test some addtional IPv6-specific things? I mean `-g' traceroute option for example...

Comment 6 Peter Bieringer 2010-04-22 05:29:25 UTC
Applied patch to traceroute 2.0.13 and rebuilt RPM on F12, option now works, but result is imho very buggy:

Flow label (decimal, using -l): tcpdump IPv6 header (first 64 bits)

0:    (0x0000): 0x0000:  6000 0000 0028 1110
1:    (0x0001): 0x0000:  6100 0000 0028 1110
2:    (0x0002): 0x0000:  6200 0000 0028 1110
15:   (0x000f): 0x0000:  6f00 0000 0028 1110
16:   (0x0010): 0x0000:  6000 0000 0028 1110
31:   (0x001f): 0x0000:  6f00 0000 0028 1110
32:   (0x0020): 0x0000:  6000 0000 0028 1110
127   (0x007f): 0x0000:  6f00 0000 0028 1110
4095  (0x0fff): connect: Invalid argument
16383 (0x3fff): connect: Invalid argument
16384 (0x4000): 0x0000:  6040 0000 0028 1110
65535 (0xffff): connect: Invalid argument
12345 (0x3039): 0x0000:  6930 0000 0028 1110

=> flow label is not stored in IPv6 header as expected, looks like is stored in completly wrong manner according to latest definition of IPv6 header.

From left:
Bit 0-3: Protocol (0x6) => ok
Bit 4-11: Traffic Class => buggy, part of flow level found, where only Traffic Class is expected (0x00)
Bit 12-31: Flow label => buggy, only part of flow level found

The "connect: Invalid argument" is also very strange

Is this a library, traceroute or a kernel bug??

Kernel is:

Comment 7 Peter Bieringer 2010-04-22 05:34:15 UTC
BTW: -g nexthop is also not working:

# LC_ALL=C traceroute -q 1 -g 2001:x:x:65::1 2001:x:x:66:5054:ff:fexx:x
traceroute to ipv6-client-b (2001:x:x:66:5054:ff:fexx:xxxx), 30 hops max, 104 byte packets
setsockopt IPV6_RTHDR: Invalid argument

Comment 8 Peter Bieringer 2010-04-22 06:07:42 UTC
BTW2: -t TRAFFICCLASS is also not working:

# LC_ALL=C traceroute  -t 4  -q 1 www.ipv6.bieringer.de
traceroute to www.ipv6.bieringer.de (2001:a60:9002:1::186:6), 30 hops max, 80 byte packets
connect: Invalid argument

For IPv4 it is working:

# traceroute  -t 4  -q 1 www.bieringer.de
traceroute to www.bieringer.de (, 30 hops max, 60 byte packets
 1  xxx
 2  xxx
 3  xxx
 4  xxx
 5  www.bieringer.de (  53.314 ms

Comment 9 Dmitry Butskoy 2010-04-22 12:48:45 UTC
For comment #6:

I never touch any low-level headers, all the work is done by the kernel. I just perform socket(2), setsockopt(2) etc. calls with the appropriate arguments.

BTW, I cannot quite understand what is wrong exactly in your example. Could you provide the cmdline for traceroute and tcpdump, to make me a possibility to reproduce your case?

For comment #7:

Yep, `-g' currently does not work fot IPv6, because it use "route header type 0", but recently IETF and Linux kernel deny it (see RFC 5095).

I've already sent an e-mail to the traceroute-devel list on SourceForge -- Did you receive it? I've proposed to switch from "type 0" header to "type 2" (designed for Mobile IPv6), this way `-g' might work.

Comment 10 Dmitry Butskoy 2010-04-22 14:08:46 UTC
Created attachment 408330 [details]
patch to fix flowlabel and tclass support

For comment #8:

Yep, it was a broken code. Thaks for the testings.

The final patch attached. It seems that now flow labels and tclass should work properly.

Comment 11 Peter Bieringer 2010-04-22 17:20:48 UTC
Ok, flowlabel is now working correct and related tc filter matches, the traffic class (priority) also proper, but now "tc" has a bug if using "priority" option.

Comment 12 Dmitry Butskoy 2010-04-22 17:26:09 UTC
> but now "tc" has a bug if using "priority" option.  

Hmmm... Can I help here?

Comment 13 Peter Bieringer 2010-04-22 17:34:10 UTC
Filed a bug now for "tc": https://bugzilla.redhat.com/show_bug.cgi?id=584913

Comment 14 Peter Bieringer 2010-04-24 10:29:12 UTC
Regarding https://bugzilla.redhat.com/show_bug.cgi?id=583985#c7, "-g nexthop" is now working well, tcpdump shows:

10:23:39.490351 IP6 2001:xxxx:xxxx:65:5054:ff:fexx:xxxx > 2001:xxxx:xxxx:65::1: srcrt (len=2, type=2, segleft=1, [0]2001:xxxx:xxxx:66:5054:ff:fexx:xxxx) ICMP6, echo request, seq 30, length 40

But regardless the settings on the router (routing eth1 <-> eth2) or using UDP instead of TCP and having source routing activated:

# sysctl -a |grep ipv6 | grep source
net.ipv6.conf.all.accept_source_route = 1
net.ipv6.conf.default.accept_source_route = 1
net.ipv6.conf.lo.accept_source_route = 1
net.ipv6.conf.eth0.accept_source_route = 1
net.ipv6.conf.eth1.accept_source_route = 1
net.ipv6.conf.eth2.accept_source_route = 1

the router neither respond to the packet back to client nor forward the packet et all. Can one confirm this issue, which is looking to me as a kernel problem.


clientA -> router -> clientB

-g xxx the router's address was used (traceroute works without using this option)

Comment 15 Fedora Update System 2010-04-27 12:46:47 UTC
traceroute-2.0.14-1.fc13 has been submitted as an update for Fedora 13.

Comment 16 Fedora Update System 2010-04-27 12:47:38 UTC
traceroute-2.0.14-1.fc12 has been submitted as an update for Fedora 12.

Comment 17 Fedora Update System 2010-04-28 01:13:53 UTC
traceroute-2.0.14-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2010-04-28 01:18:31 UTC
traceroute-2.0.14-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.