7 files changed, 143 insertions, 15 deletions
diff --git a/pkg/tcpip/header/ipv6.go b/pkg/tcpip/header/ipv6.go
index 09cb153b1..4e7e5f76a 100644
--- a/pkg/tcpip/header/ipv6.go
+++ b/pkg/tcpip/header/ipv6.go
@@ -375,6 +375,12 @@ func IsV6LinkLocalAddress(addr tcpip.Address) bool {
 	return addr[0] == 0xfe && (addr[1]&0xc0) == 0x80
 }
 
+// IsV6LoopbackAddress determines if the provided address is an IPv6 loopback
+// address.
+func IsV6LoopbackAddress(addr tcpip.Address) bool {
+	return addr == IPv6Loopback
+}
+
 // IsV6LinkLocalMulticastAddress determines if the provided address is an IPv6
 // link-local multicast address.
 func IsV6LinkLocalMulticastAddress(addr tcpip.Address) bool {
diff --git a/pkg/tcpip/stack/stack.go b/pkg/tcpip/stack/stack.go
index 25ea6b459..ba0e1a7ec 100644
--- a/pkg/tcpip/stack/stack.go
+++ b/pkg/tcpip/stack/stack.go
@@ -1210,7 +1210,9 @@ func (s *Stack) FindRoute(id tcpip.NICID, localAddr, remoteAddr tcpip.Address, n
 
 	isLocalBroadcast := remoteAddr == header.IPv4Broadcast
 	isMulticast := header.IsV4MulticastAddress(remoteAddr) || header.IsV6MulticastAddress(remoteAddr)
-	needRoute := !(isLocalBroadcast || isMulticast || header.IsV6LinkLocalAddress(remoteAddr))
+	isLinkLocal := header.IsV6LinkLocalAddress(remoteAddr) || header.IsV6LinkLocalMulticastAddress(remoteAddr)
+	IsLoopback := header.IsV4LoopbackAddress(remoteAddr) || header.IsV6LoopbackAddress(remoteAddr)
+	needRoute := !(isLocalBroadcast || isMulticast || isLinkLocal || IsLoopback)
 	if id != 0 && !needRoute {
 		if nic, ok := s.nics[id]; ok && nic.Enabled() {
 			if addressEndpoint := s.getAddressEP(nic, localAddr, remoteAddr, netProto); addressEndpoint != nil {
@@ -1246,6 +1248,9 @@ func (s *Stack) FindRoute(id tcpip.NICID, localAddr, remoteAddr tcpip.Address, n
 	}
 
 	if !needRoute {
+		if IsLoopback {
+			return Route{}, tcpip.ErrBadLocalAddress
+		}
 		return Route{}, tcpip.ErrNetworkUnreachable
 	}
 
diff --git a/test/runtimes/exclude/python3.7.3.csv b/test/runtimes/exclude/python3.7.3.csv
index 911f22855..e9fef03b7 100644
--- a/test/runtimes/exclude/python3.7.3.csv
+++ b/test/runtimes/exclude/python3.7.3.csv
@@ -4,7 +4,6 @@ test_asyncore,b/162973328,
 test_epoll,b/162983393,
 test_fcntl,b/162978767,fcntl invalid argument -- artificial test to make sure something works in 64 bit mode.
 test_httplib,b/163000009,OSError: [Errno 98] Address already in use
-test_imaplib,b/162979661,
 test_logging,b/162980079,
 test_multiprocessing_fork,,Flaky. Sometimes times out.
 test_multiprocessing_forkserver,,Flaky. Sometimes times out.
diff --git a/test/syscalls/BUILD b/test/syscalls/BUILD
index f66a9ceb4..b5a4ef4df 100644
--- a/test/syscalls/BUILD
+++ b/test/syscalls/BUILD
@@ -695,6 +695,10 @@ syscall_test(
 )
 
 syscall_test(
+    test = "//test/syscalls/linux:socket_ip_unbound_netlink_test",
+)
+
+syscall_test(
     test = "//test/syscalls/linux:socket_netdevice_test",
 )
 
diff --git a/test/syscalls/linux/BUILD b/test/syscalls/linux/BUILD
index 88899589d..99f286bfc 100644
--- a/test/syscalls/linux/BUILD
+++ b/test/syscalls/linux/BUILD
@@ -2884,6 +2884,24 @@ cc_binary(
 )
 
 cc_binary(
+    name = "socket_ip_unbound_netlink_test",
+    testonly = 1,
+    srcs = [
+        "socket_ip_unbound_netlink.cc",
+    ],
+    linkstatic = 1,
+    deps = [
+        ":ip_socket_test_util",
+        ":socket_netlink_route_util",
+        ":socket_test_util",
+        "//test/util:capability_util",
+        gtest,
+        "//test/util:test_main",
+        "//test/util:test_util",
+    ],
+)
+
+cc_binary(
     name = "socket_domain_test",
     testonly = 1,
     srcs = [
diff --git a/test/syscalls/linux/socket_ip_unbound.cc b/test/syscalls/linux/socket_ip_unbound.cc
index 8f7ccc868..029f1e872 100644
--- a/test/syscalls/linux/socket_ip_unbound.cc
+++ b/test/syscalls/linux/socket_ip_unbound.cc
@@ -454,23 +454,15 @@ TEST_P(IPUnboundSocketTest, SetReuseAddr) {
 
 INSTANTIATE_TEST_SUITE_P(
     IPUnboundSockets, IPUnboundSocketTest,
-    ::testing::ValuesIn(VecCat<SocketKind>(VecCat<SocketKind>(
+    ::testing::ValuesIn(VecCat<SocketKind>(
         ApplyVec<SocketKind>(IPv4UDPUnboundSocket,
-                             AllBitwiseCombinations(List<int>{SOCK_DGRAM},
-                                                    List<int>{0,
-                                                              SOCK_NONBLOCK})),
+                             std::vector<int>{0, SOCK_NONBLOCK}),
         ApplyVec<SocketKind>(IPv6UDPUnboundSocket,
-                             AllBitwiseCombinations(List<int>{SOCK_DGRAM},
-                                                    List<int>{0,
-                                                              SOCK_NONBLOCK})),
+                             std::vector<int>{0, SOCK_NONBLOCK}),
         ApplyVec<SocketKind>(IPv4TCPUnboundSocket,
-                             AllBitwiseCombinations(List<int>{SOCK_STREAM},
-                                                    List<int>{0,
-                                                              SOCK_NONBLOCK})),
+                             std::vector{0, SOCK_NONBLOCK}),
         ApplyVec<SocketKind>(IPv6TCPUnboundSocket,
-                             AllBitwiseCombinations(List<int>{SOCK_STREAM},
-                                                    List<int>{
-                                                        0, SOCK_NONBLOCK}))))));
+                             std::vector{0, SOCK_NONBLOCK}))));
 
 }  // namespace testing
 }  // namespace gvisor
diff --git a/test/syscalls/linux/socket_ip_unbound_netlink.cc b/test/syscalls/linux/socket_ip_unbound_netlink.cc
new file mode 100644
index 000000000..6036bfcaf
--- /dev/null
+++ b/test/syscalls/linux/socket_ip_unbound_netlink.cc
@@ -0,0 +1,104 @@
+// Copyright 2019 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/un.h>
+
+#include <cstdio>
+#include <cstring>
+
+#include "gmock/gmock.h"
+#include "gtest/gtest.h"
+#include "test/syscalls/linux/ip_socket_test_util.h"
+#include "test/syscalls/linux/socket_netlink_route_util.h"
+#include "test/syscalls/linux/socket_test_util.h"
+#include "test/util/capability_util.h"
+#include "test/util/test_util.h"
+
+namespace gvisor {
+namespace testing {
+
+// Test fixture for tests that apply to pairs of IP sockets.
+using IPv6UnboundSocketTest = SimpleSocketTest;
+
+TEST_P(IPv6UnboundSocketTest, ConnectToBadLocalAddress_NoRandomSave) {
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_ADMIN)));
+
+  // TODO(gvisor.dev/issue/4595): Addresses on net devices are not saved
+  // across save/restore.
+  DisableSave ds;
+
+  // Delete the loopback address from the loopback interface.
+  Link loopback_link = ASSERT_NO_ERRNO_AND_VALUE(LoopbackLink());
+  EXPECT_NO_ERRNO(LinkDelLocalAddr(loopback_link.index, AF_INET6,
+                                   /*prefixlen=*/128, &in6addr_loopback,
+                                   sizeof(in6addr_loopback)));
+  Cleanup defer_addr_removal =
+      Cleanup([loopback_link = std::move(loopback_link)] {
+        EXPECT_NO_ERRNO(LinkAddLocalAddr(loopback_link.index, AF_INET6,
+                                         /*prefixlen=*/128, &in6addr_loopback,
+                                         sizeof(in6addr_loopback)));
+      });
+
+  TestAddress addr = V6Loopback();
+  reinterpret_cast<sockaddr_in6*>(&addr.addr)->sin6_port = 65535;
+  auto sock = ASSERT_NO_ERRNO_AND_VALUE(NewSocket());
+  EXPECT_THAT(connect(sock->get(), reinterpret_cast<sockaddr*>(&addr.addr),
+                      addr.addr_len),
+              SyscallFailsWithErrno(EADDRNOTAVAIL));
+}
+
+INSTANTIATE_TEST_SUITE_P(IPUnboundSockets, IPv6UnboundSocketTest,
+                         ::testing::ValuesIn(std::vector<SocketKind>{
+                             IPv6UDPUnboundSocket(0),
+                             IPv6TCPUnboundSocket(0)}));
+
+using IPv4UnboundSocketTest = SimpleSocketTest;
+
+TEST_P(IPv4UnboundSocketTest, ConnectToBadLocalAddress_NoRandomSave) {
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_ADMIN)));
+
+  // TODO(gvisor.dev/issue/4595): Addresses on net devices are not saved
+  // across save/restore.
+  DisableSave ds;
+
+  // Delete the loopback address from the loopback interface.
+  Link loopback_link = ASSERT_NO_ERRNO_AND_VALUE(LoopbackLink());
+  struct in_addr laddr;
+  laddr.s_addr = htonl(INADDR_LOOPBACK);
+  EXPECT_NO_ERRNO(LinkDelLocalAddr(loopback_link.index, AF_INET,
+                                   /*prefixlen=*/8, &laddr, sizeof(laddr)));
+  Cleanup defer_addr_removal = Cleanup(
+      [loopback_link = std::move(loopback_link), addr = std::move(laddr)] {
+        EXPECT_NO_ERRNO(LinkAddLocalAddr(loopback_link.index, AF_INET,
+                                         /*prefixlen=*/8, &addr, sizeof(addr)));
+      });
+  TestAddress addr = V4Loopback();
+  reinterpret_cast<sockaddr_in*>(&addr.addr)->sin_port = 65535;
+  auto sock = ASSERT_NO_ERRNO_AND_VALUE(NewSocket());
+  EXPECT_THAT(connect(sock->get(), reinterpret_cast<sockaddr*>(&addr.addr),
+                      addr.addr_len),
+              SyscallFailsWithErrno(EADDRNOTAVAIL));
+}
+
+INSTANTIATE_TEST_SUITE_P(IPUnboundSockets, IPv4UnboundSocketTest,
+                         ::testing::ValuesIn(std::vector<SocketKind>{
+                             IPv4UDPUnboundSocket(0),
+                             IPv4TCPUnboundSocket(0)}));
+
+}  // namespace testing
+}  // namespace gvisor