diff options
author | Ghanan Gowripalan <ghanan@google.com> | 2020-08-28 14:37:53 -0700 |
---|---|---|
committer | Andrei Vagin <avagin@gmail.com> | 2020-09-09 17:53:10 -0700 |
commit | aaae7109d23cc9a97aea27efcf6f541a594eddf4 (patch) | |
tree | 0a04433f59884403d499346360220cfbaed8f67a /pkg | |
parent | 8d75fc4883ca8c10fb615203993d56d33a9e36b6 (diff) |
Don't bind loopback to all IPs in an IPv6 subnet
An earlier change considered the loopback bound to all addresses in an
assigned subnet. This should have only be done for IPv4 to maintain
compatability with Linux:
```
$ ip addr show dev lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group ...
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
$ ping 2001:db8::1
PING 2001:db8::1(2001:db8::1) 56 data bytes
^C
--- 2001:db8::1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3062ms
$ ping 2001:db8::2
PING 2001:db8::2(2001:db8::2) 56 data bytes
^C
--- 2001:db8::2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2030ms
$ sudo ip addr add 2001:db8::1/64 dev lo
$ ping 2001:db8::1
PING 2001:db8::1(2001:db8::1) 56 data bytes
64 bytes from 2001:db8::1: icmp_seq=1 ttl=64 time=0.055 ms
64 bytes from 2001:db8::1: icmp_seq=2 ttl=64 time=0.074 ms
64 bytes from 2001:db8::1: icmp_seq=3 ttl=64 time=0.073 ms
64 bytes from 2001:db8::1: icmp_seq=4 ttl=64 time=0.071 ms
^C
--- 2001:db8::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3075ms
rtt min/avg/max/mdev = 0.055/0.068/0.074/0.007 ms
$ ping 2001:db8::2
PING 2001:db8::2(2001:db8::2) 56 data bytes
From 2001:db8::1 icmp_seq=1 Destination unreachable: No route
From 2001:db8::1 icmp_seq=2 Destination unreachable: No route
From 2001:db8::1 icmp_seq=3 Destination unreachable: No route
From 2001:db8::1 icmp_seq=4 Destination unreachable: No route
^C
--- 2001:db8::2 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3070ms
```
Test: integration_test.TestLoopbackAcceptAllInSubnet
PiperOrigin-RevId: 329011566
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/tcpip/stack/nic.go | 6 | ||||
-rw-r--r-- | pkg/tcpip/tests/integration/loopback_test.go | 40 |
2 files changed, 3 insertions, 43 deletions
diff --git a/pkg/tcpip/stack/nic.go b/pkg/tcpip/stack/nic.go index 8e700990d..863ef6bee 100644 --- a/pkg/tcpip/stack/nic.go +++ b/pkg/tcpip/stack/nic.go @@ -676,10 +676,10 @@ func (n *NIC) getRefOrCreateTemp(protocol tcpip.NetworkProtocolNumber, address t } // A usable reference was not found, create a temporary one if requested by - // the caller or if the address is found in the NIC's subnets and the NIC is - // a loopback interface. + // the caller or if the IPv4 address is found in the NIC's subnets and the NIC + // is a loopback interface. createTempEP := spoofingOrPromiscuous - if !createTempEP && n.isLoopback() { + if !createTempEP && n.isLoopback() && protocol == header.IPv4ProtocolNumber { for _, r := range n.mu.endpoints { addr := r.addrWithPrefix() subnet := addr.Subnet() diff --git a/pkg/tcpip/tests/integration/loopback_test.go b/pkg/tcpip/tests/integration/loopback_test.go index 3a2f75837..1b18023c5 100644 --- a/pkg/tcpip/tests/integration/loopback_test.go +++ b/pkg/tcpip/tests/integration/loopback_test.go @@ -110,51 +110,11 @@ func TestLoopbackAcceptAllInSubnet(t *testing.T) { expectRx: true, }, { - name: "IPv6 bind to wildcard and send to assigned address", - addAddress: ipv6ProtocolAddress, - dstAddr: ipv6Addr.Address, - expectRx: true, - }, - { name: "IPv6 bind to wildcard and send to other subnet-local address", addAddress: ipv6ProtocolAddress, dstAddr: otherIPv6Address, - expectRx: true, - }, - { - name: "IPv6 bind to wildcard send to other address", - addAddress: ipv6ProtocolAddress, - dstAddr: remoteIPv6Addr, - expectRx: false, - }, - { - name: "IPv6 bind to other subnet-local address and send to assigned address", - addAddress: ipv6ProtocolAddress, - bindAddr: otherIPv6Address, - dstAddr: ipv6Addr.Address, - expectRx: false, - }, - { - name: "IPv6 bind and send to other subnet-local address", - addAddress: ipv6ProtocolAddress, - bindAddr: otherIPv6Address, - dstAddr: otherIPv6Address, - expectRx: true, - }, - { - name: "IPv6 bind to assigned address and send to other subnet-local address", - addAddress: ipv6ProtocolAddress, - bindAddr: ipv6Addr.Address, - dstAddr: otherIPv6Address, expectRx: false, }, - { - name: "IPv6 bind and send to assigned address", - addAddress: ipv6ProtocolAddress, - bindAddr: ipv6Addr.Address, - dstAddr: ipv6Addr.Address, - expectRx: true, - }, } for _, test := range tests { |