Bug 583985 - traceroute don't like -l flowlabel option
traceroute don't like -l flowlabel option
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: traceroute (Show other bugs)
12
All Linux
low Severity medium
: ---
: ---
Assigned To: Dmitry Butskoy
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-04-20 08:58 EDT by Peter Bieringer
Modified: 2010-04-27 21:18 EDT (History)
2 users (show)

See Also:
Fixed In Version: traceroute-2.0.14-1.fc12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 586109 (view as bug list)
Environment:
Last Closed: 2010-04-27 21:13:57 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
traceroute-2.0.13-flowlabel.patch (618 bytes, patch)
2010-04-20 11:24 EDT, Dmitry Butskoy
no flags Details | Diff
patch to fix flowlabel and tclass support (1.22 KB, patch)
2010-04-22 10:08 EDT, Dmitry Butskoy
no flags Details | Diff

  None (edit)
Description Peter Bieringer 2010-04-20 08:58:02 EDT
Description of problem:
traceroute don't like -l flowlabel option, looks like it can't set flowlabel during setsockopt

Version-Release number of selected component (if applicable):
traceroute-2.0.12-3.fc12.i686
kernel: 2.6.32.9-70.fc12.i686

How reproducible:
Always

Steps to Reproduce:
# LC_ALL=C traceroute -l 1 ::1
traceroute to ::1 (::1), 30 hops max, 80 byte packets
setsockopt IPV6_FLOWLABEL_MGR: Operation not permitted


Works without specifying flowlabel option:

# LC_ALL=C traceroute  ::1
traceroute to ::1 (::1), 30 hops max, 80 byte packets
 1  localhost (::1)  0.043 ms  0.020 ms  0.017 ms
Comment 1 Dmitry Butskoy 2010-04-20 09:47:03 EDT
Well,

It seesm you are the first person who try this.

The code for flowlabels support was derived from some BSD's implementation, without actual checking due to missing good environment for such a check.

Could you help with this?

First of all, the issue might be I set flow_label "twice" -- in sin6_flowinfo field of the sin6 address, and then by setsockopt. Maybe it is an extra thing?..
Comment 2 Peter Bieringer 2010-04-20 09:57:13 EDT
Yes, I'm currently playing around using tc for IPv6 for creating some examples for my howto.

As a short test setup, use tc to setup a flow label filter:

# tc qdisc add dev eth1 root handle 1: cbq avpkt 1000 bandwidth 1000Mbit
# tc class add dev eth1 parent 1: classid 1:1 cbq rate 1Mbit allot 1500 bounded
# tc filter add dev eth1 parent 1: protocol ipv6 u32 match ip6 flowlabel 1 0x3ffff flowid 1:1

and check with 
# tc -s filter show dev eth1

whether package matches filter (when option is proper working)

BTW: related problem is in ping6: https://bugzilla.redhat.com/show_bug.cgi?id=583976
Comment 3 Dmitry Butskoy 2010-04-20 11:07:35 EDT
I've found the issue.

The problem is after the closing of IPv6 socket, the correspond flowlabel does not disappear. When we try to set the same flowlabel value the next time, it returns EPERM due to IPV6_FL_S_EXCL flag is set.

For example, try to do ICMP traceroute with yet unused flowlabel:

traceroute -6 -n -l 1111 something

and then repeat the same command. The first call is successful, the second is failed. AFter the 60 second (default expire time) the flow is reset, and you can try again...

With the defaukt traceroute method (UDP), we use separate sockets for each probe, hence the first proble of the first invokation is successfull, all other will be failed. Try fe.:

traceroute -6 -n -q1 -m1 -l 1111 something


Either we should drop IPV6_FL_S_EXCL flag (is it correct idea?), or try to play with flr_linger and flr_expires fields of the flowlabel struct used.

Additionally, it seems that setting of sin6_flowinfo is unuseful thing anyway...
Comment 4 Dmitry Butskoy 2010-04-20 11:24:39 EDT
Created attachment 407845 [details]
traceroute-2.0.13-flowlabel.patch

The patch which fixes the issue.

IPV6_FL_S_EXCL changed to IPV6_FL_S_USER

Now the same user can use the same flowlabel any time. After the 6 second expiration (a kernel default) another users can "catch" this flow value etc...

Perhaps it would be more useful to change to IPV6_FL_S_ANY, but I'm not sure for now whether it is secure enough or not...
Comment 5 Dmitry Butskoy 2010-04-21 10:14:43 EDT
The final decision is use IPV6_FL_S_ANY. If does not spoil anything.

Besides the flow labels, could you test some addtional IPv6-specific things? I mean `-g' traceroute option for example...
Comment 6 Peter Bieringer 2010-04-22 01:29:25 EDT
Applied patch to traceroute 2.0.13 and rebuilt RPM on F12, option now works, but result is imho very buggy:

Flow label (decimal, using -l): tcpdump IPv6 header (first 64 bits)

0:    (0x0000): 0x0000:  6000 0000 0028 1110
1:    (0x0001): 0x0000:  6100 0000 0028 1110
2:    (0x0002): 0x0000:  6200 0000 0028 1110
15:   (0x000f): 0x0000:  6f00 0000 0028 1110
16:   (0x0010): 0x0000:  6000 0000 0028 1110
31:   (0x001f): 0x0000:  6f00 0000 0028 1110
32:   (0x0020): 0x0000:  6000 0000 0028 1110
127   (0x007f): 0x0000:  6f00 0000 0028 1110
4095  (0x0fff): connect: Invalid argument
16383 (0x3fff): connect: Invalid argument
16384 (0x4000): 0x0000:  6040 0000 0028 1110
65535 (0xffff): connect: Invalid argument
12345 (0x3039): 0x0000:  6930 0000 0028 1110


=> flow label is not stored in IPv6 header as expected, looks like is stored in completly wrong manner according to latest definition of IPv6 header.

From left:
Bit 0-3: Protocol (0x6) => ok
Bit 4-11: Traffic Class => buggy, part of flow level found, where only Traffic Class is expected (0x00)
Bit 12-31: Flow label => buggy, only part of flow level found

The "connect: Invalid argument" is also very strange

Is this a library, traceroute or a kernel bug??

Kernel is: 2.6.32.9-70.fc12.i686
Comment 7 Peter Bieringer 2010-04-22 01:34:15 EDT
BTW: -g nexthop is also not working:

# LC_ALL=C traceroute -q 1 -g 2001:x:x:65::1 2001:x:x:66:5054:ff:fexx:x
traceroute to ipv6-client-b (2001:x:x:66:5054:ff:fexx:xxxx), 30 hops max, 104 byte packets
setsockopt IPV6_RTHDR: Invalid argument
Comment 8 Peter Bieringer 2010-04-22 02:07:42 EDT
BTW2: -t TRAFFICCLASS is also not working:

# LC_ALL=C traceroute  -t 4  -q 1 www.ipv6.bieringer.de
traceroute to www.ipv6.bieringer.de (2001:a60:9002:1::186:6), 30 hops max, 80 byte packets
connect: Invalid argument

For IPv4 it is working:

# traceroute  -t 4  -q 1 www.bieringer.de
traceroute to www.bieringer.de (212.18.21.186), 30 hops max, 60 byte packets
 1  xxx
 2  xxx
 3  xxx
 4  xxx
 5  www.bieringer.de (212.18.21.186)  53.314 ms
Comment 9 Dmitry Butskoy 2010-04-22 08:48:45 EDT
For comment #6:

I never touch any low-level headers, all the work is done by the kernel. I just perform socket(2), setsockopt(2) etc. calls with the appropriate arguments.

BTW, I cannot quite understand what is wrong exactly in your example. Could you provide the cmdline for traceroute and tcpdump, to make me a possibility to reproduce your case?


For comment #7:

Yep, `-g' currently does not work fot IPv6, because it use "route header type 0", but recently IETF and Linux kernel deny it (see RFC 5095).

I've already sent an e-mail to the traceroute-devel list on SourceForge -- Did you receive it? I've proposed to switch from "type 0" header to "type 2" (designed for Mobile IPv6), this way `-g' might work.
Comment 10 Dmitry Butskoy 2010-04-22 10:08:46 EDT
Created attachment 408330 [details]
patch to fix flowlabel and tclass support

For comment #8:

Yep, it was a broken code. Thaks for the testings.

The final patch attached. It seems that now flow labels and tclass should work properly.
Comment 11 Peter Bieringer 2010-04-22 13:20:48 EDT
Ok, flowlabel is now working correct and related tc filter matches, the traffic class (priority) also proper, but now "tc" has a bug if using "priority" option.
Comment 12 Dmitry Butskoy 2010-04-22 13:26:09 EDT
> but now "tc" has a bug if using "priority" option.  

Hmmm... Can I help here?
Comment 13 Peter Bieringer 2010-04-22 13:34:10 EDT
Filed a bug now for "tc": https://bugzilla.redhat.com/show_bug.cgi?id=584913
Comment 14 Peter Bieringer 2010-04-24 06:29:12 EDT
Regarding https://bugzilla.redhat.com/show_bug.cgi?id=583985#c7, "-g nexthop" is now working well, tcpdump shows:

10:23:39.490351 IP6 2001:xxxx:xxxx:65:5054:ff:fexx:xxxx > 2001:xxxx:xxxx:65::1: srcrt (len=2, type=2, segleft=1, [0]2001:xxxx:xxxx:66:5054:ff:fexx:xxxx) ICMP6, echo request, seq 30, length 40

But regardless the settings on the router (routing eth1 <-> eth2) or using UDP instead of TCP and having source routing activated:

# sysctl -a |grep ipv6 | grep source
net.ipv6.conf.all.accept_source_route = 1
net.ipv6.conf.default.accept_source_route = 1
net.ipv6.conf.lo.accept_source_route = 1
net.ipv6.conf.eth0.accept_source_route = 1
net.ipv6.conf.eth1.accept_source_route = 1
net.ipv6.conf.eth2.accept_source_route = 1

the router neither respond to the packet back to client nor forward the packet et all. Can one confirm this issue, which is looking to me as a kernel problem.

Setup:

clientA -> router -> clientB

-g xxx the router's address was used (traceroute works without using this option)
Comment 15 Fedora Update System 2010-04-27 08:46:47 EDT
traceroute-2.0.14-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/traceroute-2.0.14-1.fc13
Comment 16 Fedora Update System 2010-04-27 08:47:38 EDT
traceroute-2.0.14-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/traceroute-2.0.14-1.fc12
Comment 17 Fedora Update System 2010-04-27 21:13:53 EDT
traceroute-2.0.14-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2010-04-27 21:18:31 EDT
traceroute-2.0.14-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.