lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 21 Apr 2022 12:24:29 +0300
From:   Vladimir Oltean <>
To:     David Ahern <>
Subject: Re: IPv6 multicast with VRF

On Wed, Apr 20, 2022 at 02:40:53PM -0600, David Ahern wrote:
> On 4/20/22 1:18 PM, Vladimir Oltean wrote:
> > On Wed, Apr 20, 2022 at 12:59:45PM -0600, David Ahern wrote:
> >> Did you adjust the FIB rules? See the documentation in the kernel repo.
> >
> > Sorry, I don't understand what you mean by "adjusting". I tried various
> > forms of adding an IPv6 multicast route on eth0, to multiple tables,
> > some routes more generic and some more specific, and none seem to match
> > when eth0 is under a VRF, for a reason I don't really know. This does
> > not occur with IPv4 multicast, by the way.
> >
> > By documentation I think you mean Documentation/networking/vrf.rst.
> > I went through it but I didn't notice something that would make me
> > realize what the issue is.
> try this:
> slide 79 and on

Yeah, that worked. Well, now I know what vrf_prepare() and vrf_cleanup()
from tools/testing/selfteste/net/forwarding/ are for, I guess..

Thanks for helping and for sharing the presentation.

> >> And add a device scope to the `get`. e.g.,
> >>
> >>     ip -6 route get ff02::1%eth0
> >
> > I'm probably not understanding this, because:
> >
> >  ip -6 route get ff02::1%eth0
> > Error: inet6 prefix is expected rather than "ff02::1%eth0".
> ip -6 ro get oif eth0 ff02::1
> (too many syntax differences between tools)

Could you explain why specifying the oif is needed here? If I don't do
it, I still can't find the route. Either that, or what would an
application need to do to find the route from the VRF FIB?

 ip -6 route get vrf vrf0 ff02::1
RTNETLINK answers: Network is unreachable
 ip -6 route get vrf vrf0 ff02::1 oif eth0
multicast ff02::1 dev eth0 table 3 proto kernel src 2001:db8:1::1 metric 256 pref medium

For some context, the multicast application I'm trying to get running in
a VRF is mcjoin ( It will send
packets as long as the interface only has a link-local IPv6 address.
As long as I add a global IPv6 address *and* the netdev is in the VRF
(basically the circumstances from the forwarding selftests), sendto()
fails with -ENETUNREACH.

 ip vrf exec vrf0 mcjoin -s -o -i eth0 ff0e::1 -c 1
Sending IPv6 multicast on eth0 addr, fe80::201:2ff:fe03:401 ifindex: 10, sd: 6
*,ff0e::1: invalid 0     delay 0     gaps 0     reorder 0     dupes 0     bytes 100           packets 1

Total: 1 packets


 ip addr add 2001:db8:1::1/64 dev eth0
 ip vrf exec vrf0 mcjoin -s -o -i eth0 ff0e::1 -c 1
Sending IPv6 multicast on eth0 addr, 2001:db8:1::1 ifindex: 10, sd: 6
Failed sending mcast to ff2e::1: Network is unreachable
*,ff2e::1: invalid 0     delay 0     gaps 1     reorder 0     dupes 0     bytes 0             packets 0

Total: 0 packets

Powered by blists - more mailing lists