Description of problem:
traceroute don't like -l flowlabel option, looks like it can't set flowlabel during setsockopt
Version-Release number of selected component (if applicable):
Steps to Reproduce:
# LC_ALL=C traceroute -l 1 ::1
traceroute to ::1 (::1), 30 hops max, 80 byte packets
setsockopt IPV6_FLOWLABEL_MGR: Operation not permitted
Works without specifying flowlabel option:
# LC_ALL=C traceroute ::1
traceroute to ::1 (::1), 30 hops max, 80 byte packets
1 localhost (::1) 0.043 ms 0.020 ms 0.017 ms
It seesm you are the first person who try this.
The code for flowlabels support was derived from some BSD's implementation, without actual checking due to missing good environment for such a check.
Could you help with this?
First of all, the issue might be I set flow_label "twice" -- in sin6_flowinfo field of the sin6 address, and then by setsockopt. Maybe it is an extra thing?..
Yes, I'm currently playing around using tc for IPv6 for creating some examples for my howto.
As a short test setup, use tc to setup a flow label filter:
# tc qdisc add dev eth1 root handle 1: cbq avpkt 1000 bandwidth 1000Mbit
# tc class add dev eth1 parent 1: classid 1:1 cbq rate 1Mbit allot 1500 bounded
# tc filter add dev eth1 parent 1: protocol ipv6 u32 match ip6 flowlabel 1 0x3ffff flowid 1:1
and check with
# tc -s filter show dev eth1
whether package matches filter (when option is proper working)
BTW: related problem is in ping6: https://bugzilla.redhat.com/show_bug.cgi?id=583976
I've found the issue.
The problem is after the closing of IPv6 socket, the correspond flowlabel does not disappear. When we try to set the same flowlabel value the next time, it returns EPERM due to IPV6_FL_S_EXCL flag is set.
For example, try to do ICMP traceroute with yet unused flowlabel:
traceroute -6 -n -l 1111 something
and then repeat the same command. The first call is successful, the second is failed. AFter the 60 second (default expire time) the flow is reset, and you can try again...
With the defaukt traceroute method (UDP), we use separate sockets for each probe, hence the first proble of the first invokation is successfull, all other will be failed. Try fe.:
traceroute -6 -n -q1 -m1 -l 1111 something
Either we should drop IPV6_FL_S_EXCL flag (is it correct idea?), or try to play with flr_linger and flr_expires fields of the flowlabel struct used.
Additionally, it seems that setting of sin6_flowinfo is unuseful thing anyway...
Created attachment 407845 [details]
The patch which fixes the issue.
IPV6_FL_S_EXCL changed to IPV6_FL_S_USER
Now the same user can use the same flowlabel any time. After the 6 second expiration (a kernel default) another users can "catch" this flow value etc...
Perhaps it would be more useful to change to IPV6_FL_S_ANY, but I'm not sure for now whether it is secure enough or not...
The final decision is use IPV6_FL_S_ANY. If does not spoil anything.
Besides the flow labels, could you test some addtional IPv6-specific things? I mean `-g' traceroute option for example...
Applied patch to traceroute 2.0.13 and rebuilt RPM on F12, option now works, but result is imho very buggy:
Flow label (decimal, using -l): tcpdump IPv6 header (first 64 bits)
0: (0x0000): 0x0000: 6000 0000 0028 1110
1: (0x0001): 0x0000: 6100 0000 0028 1110
2: (0x0002): 0x0000: 6200 0000 0028 1110
15: (0x000f): 0x0000: 6f00 0000 0028 1110
16: (0x0010): 0x0000: 6000 0000 0028 1110
31: (0x001f): 0x0000: 6f00 0000 0028 1110
32: (0x0020): 0x0000: 6000 0000 0028 1110
127 (0x007f): 0x0000: 6f00 0000 0028 1110
4095 (0x0fff): connect: Invalid argument
16383 (0x3fff): connect: Invalid argument
16384 (0x4000): 0x0000: 6040 0000 0028 1110
65535 (0xffff): connect: Invalid argument
12345 (0x3039): 0x0000: 6930 0000 0028 1110
=> flow label is not stored in IPv6 header as expected, looks like is stored in completly wrong manner according to latest definition of IPv6 header.
Bit 0-3: Protocol (0x6) => ok
Bit 4-11: Traffic Class => buggy, part of flow level found, where only Traffic Class is expected (0x00)
Bit 12-31: Flow label => buggy, only part of flow level found
The "connect: Invalid argument" is also very strange
Is this a library, traceroute or a kernel bug??
Kernel is: 126.96.36.199-70.fc12.i686
BTW: -g nexthop is also not working:
# LC_ALL=C traceroute -q 1 -g 2001:x:x:65::1 2001:x:x:66:5054:ff:fexx:x
traceroute to ipv6-client-b (2001:x:x:66:5054:ff:fexx:xxxx), 30 hops max, 104 byte packets
setsockopt IPV6_RTHDR: Invalid argument
BTW2: -t TRAFFICCLASS is also not working:
# LC_ALL=C traceroute -t 4 -q 1 www.ipv6.bieringer.de
traceroute to www.ipv6.bieringer.de (2001:a60:9002:1::186:6), 30 hops max, 80 byte packets
connect: Invalid argument
For IPv4 it is working:
# traceroute -t 4 -q 1 www.bieringer.de
traceroute to www.bieringer.de (188.8.131.52), 30 hops max, 60 byte packets
5 www.bieringer.de (184.108.40.206) 53.314 ms
For comment #6:
I never touch any low-level headers, all the work is done by the kernel. I just perform socket(2), setsockopt(2) etc. calls with the appropriate arguments.
BTW, I cannot quite understand what is wrong exactly in your example. Could you provide the cmdline for traceroute and tcpdump, to make me a possibility to reproduce your case?
For comment #7:
Yep, `-g' currently does not work fot IPv6, because it use "route header type 0", but recently IETF and Linux kernel deny it (see RFC 5095).
I've already sent an e-mail to the traceroute-devel list on SourceForge -- Did you receive it? I've proposed to switch from "type 0" header to "type 2" (designed for Mobile IPv6), this way `-g' might work.
Created attachment 408330 [details]
patch to fix flowlabel and tclass support
For comment #8:
Yep, it was a broken code. Thaks for the testings.
The final patch attached. It seems that now flow labels and tclass should work properly.
Ok, flowlabel is now working correct and related tc filter matches, the traffic class (priority) also proper, but now "tc" has a bug if using "priority" option.
> but now "tc" has a bug if using "priority" option.
Hmmm... Can I help here?
Filed a bug now for "tc": https://bugzilla.redhat.com/show_bug.cgi?id=584913
Regarding https://bugzilla.redhat.com/show_bug.cgi?id=583985#c7, "-g nexthop" is now working well, tcpdump shows:
10:23:39.490351 IP6 2001:xxxx:xxxx:65:5054:ff:fexx:xxxx > 2001:xxxx:xxxx:65::1: srcrt (len=2, type=2, segleft=1, 2001:xxxx:xxxx:66:5054:ff:fexx:xxxx) ICMP6, echo request, seq 30, length 40
But regardless the settings on the router (routing eth1 <-> eth2) or using UDP instead of TCP and having source routing activated:
# sysctl -a |grep ipv6 | grep source
net.ipv6.conf.all.accept_source_route = 1
net.ipv6.conf.default.accept_source_route = 1
net.ipv6.conf.lo.accept_source_route = 1
net.ipv6.conf.eth0.accept_source_route = 1
net.ipv6.conf.eth1.accept_source_route = 1
net.ipv6.conf.eth2.accept_source_route = 1
the router neither respond to the packet back to client nor forward the packet et all. Can one confirm this issue, which is looking to me as a kernel problem.
clientA -> router -> clientB
-g xxx the router's address was used (traceroute works without using this option)
traceroute-2.0.14-1.fc13 has been submitted as an update for Fedora 13.
traceroute-2.0.14-1.fc12 has been submitted as an update for Fedora 12.
traceroute-2.0.14-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
traceroute-2.0.14-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.