authorGhanan Gowripalan <ghanan@google.com>2020-08-28 14:37:53 -0700
committerAndrei Vagin <avagin@gmail.com>2020-09-09 17:53:10 -0700
commitaaae7109d23cc9a97aea27efcf6f541a594eddf4 (patch)
tree0a04433f59884403d499346360220cfbaed8f67a /pkg
parent8d75fc4883ca8c10fb615203993d56d33a9e36b6 (diff)
Don't bind loopback to all IPs in an IPv6 subnet
An earlier change considered the loopback bound to all addresses in an assigned subnet. This should only have been done for IPv4 to maintain compatibility with Linux: ``` $ ip addr show dev lo 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group ... link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever $ ping 2001:db8::1 PING 2001:db8::1(2001:db8::1) 56 data bytes ^C --- 2001:db8::1 ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time 3062ms $ ping 2001:db8::2 PING 2001:db8::2(2001:db8::2) 56 data bytes ^C --- 2001:db8::2 ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2030ms $ sudo ip addr add 2001:db8::1/64 dev lo $ ping 2001:db8::1 PING 2001:db8::1(2001:db8::1) 56 data bytes 64 bytes from 2001:db8::1: icmp_seq=1 ttl=64 time=0.055 ms 64 bytes from 2001:db8::1: icmp_seq=2 ttl=64 time=0.074 ms 64 bytes from 2001:db8::1: icmp_seq=3 ttl=64 time=0.073 ms 64 bytes from 2001:db8::1: icmp_seq=4 ttl=64 time=0.071 ms ^C --- 2001:db8::1 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3075ms rtt min/avg/max/mdev = 0.055/0.068/0.074/0.007 ms $ ping 2001:db8::2 PING 2001:db8::2(2001:db8::2) 56 data bytes From 2001:db8::1 icmp_seq=1 Destination unreachable: No route From 2001:db8::1 icmp_seq=2 Destination unreachable: No route From 2001:db8::1 icmp_seq=3 Destination unreachable: No route From 2001:db8::1 icmp_seq=4 Destination unreachable: No route ^C --- 2001:db8::2 ping statistics --- 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3070ms ``` Test: integration_test.TestLoopbackAcceptAllInSubnet PiperOrigin-RevId: 329011566
Diffstat (limited to 'pkg')
-rw-r--r--pkg/tcpip/stack/nic.go6
-rw-r--r--pkg/tcpip/tests/integration/loopback_test.go40
2 files changed, 3 insertions, 43 deletions
diff --git a/pkg/tcpip/stack/nic.go b/pkg/tcpip/stack/nic.go
index 8e700990d..863ef6bee 100644
--- a/pkg/tcpip/stack/nic.go
+++ b/pkg/tcpip/stack/nic.go
@@ -676,10 +676,10 @@ func (n *NIC) getRefOrCreateTemp(protocol tcpip.NetworkProtocolNumber, address t
}
// A usable reference was not found, create a temporary one if requested by
- // the caller or if the address is found in the NIC's subnets and the NIC is
- // a loopback interface.
+ // the caller or if the IPv4 address is found in the NIC's subnets and the NIC
+ // is a loopback interface.
createTempEP := spoofingOrPromiscuous
- if !createTempEP && n.isLoopback() {
+ if !createTempEP && n.isLoopback() && protocol == header.IPv4ProtocolNumber {
for _, r := range n.mu.endpoints {
addr := r.addrWithPrefix()
subnet := addr.Subnet()
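Review bot: The rewritten comment above `createTempEP` records that the subnet match is now IPv4-only but not why, and the reason lives only in the commit message. Since this condition decides whether a loopback NIC accepts traffic for an address that was never assigned to it, a later edit that drops `protocol == header.IPv4ProtocolNumber` would silently widen what the stack treats as local. I would add a why-comment such as `// Linux treats every address in an IPv4 subnet assigned to lo as local; for IPv6 only the assigned address itself is, so the subnet match is IPv4-only.` The body of getRefOrCreateTemp starts before and continues after this hunk, so the rest of the loop is not visible here.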
diff --git a/pkg/tcpip/tests/integration/loopback_test.go b/pkg/tcpip/tests/integration/loopback_test.go
index 3a2f75837..1b18023c5 100644
--- a/pkg/tcpip/tests/integration/loopback_test.go
+++ b/pkg/tcpip/tests/integration/loopback_test.go
@@ -110,51 +110,11 @@ func TestLoopbackAcceptAllInSubnet(t *testing.T) {
expectRx: true,
},
{
- name: "IPv6 bind to wildcard and send to assigned address",
- addAddress: ipv6ProtocolAddress,
- dstAddr: ipv6Addr.Address,
- expectRx: true,
- },
- {
name: "IPv6 bind to wildcard and send to other subnet-local address",
addAddress: ipv6ProtocolAddress,
dstAddr: otherIPv6Address,
- expectRx: true,
- },
- {
- name: "IPv6 bind to wildcard send to other address",
- addAddress: ipv6ProtocolAddress,
- dstAddr: remoteIPv6Addr,
- expectRx: false,
- },
- {
- name: "IPv6 bind to other subnet-local address and send to assigned address",
- addAddress: ipv6ProtocolAddress,
- bindAddr: otherIPv6Address,
- dstAddr: ipv6Addr.Address,
- expectRx: false,
- },
- {
- name: "IPv6 bind and send to other subnet-local address",
- addAddress: ipv6ProtocolAddress,
- bindAddr: otherIPv6Address,
- dstAddr: otherIPv6Address,
- expectRx: true,
- },
- {
- name: "IPv6 bind to assigned address and send to other subnet-local address",
- addAddress: ipv6ProtocolAddress,
- bindAddr: ipv6Addr.Address,
- dstAddr: otherIPv6Address,
expectRx: false,
},
- {
- name: "IPv6 bind and send to assigned address",
- addAddress: ipv6ProtocolAddress,
- bindAddr: ipv6Addr.Address,
- dstAddr: ipv6Addr.Address,
- expectRx: true,
- },
}
for _, test := range tests {
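Review bot: In the visible part of the TestLoopbackAcceptAllInSubnet table, the only IPv6 case left after this hunk expects no delivery (`expectRx: false`), so nothing shown here proves that IPv6 loopback delivery works at all. A negative-only check also passes if IPv6 on the loopback NIC is broken for an unrelated reason, which would mask a regression in the new protocol gate. Consider keeping the removed "IPv6 bind to wildcard and send to assigned address" case with `expectRx: true` as a positive control; the Linux transcript in the commit message shows the assigned address does answer. The test function starts before and continues after this hunk, so other IPv6 coverage may exist outside the visible lines.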