Thread: 4 messages, 2 authors, 2026-05-05

Re: [PATCH wireguard] wireguard: prevent ipv6 addrconf via IFF_NO_ADDRCONF flag

From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: 2026-05-05 15:05:24
Also in: lkml

On Sun, May 03, 2026 at 09:18:18PM +0200, Jason A. Donenfeld wrote:
> On Sat, Mar 21, 2026 at 08:20:53PM +0100, Valentin Spreckels wrote:
> > Hi Jason,
> >
> > On 11/03/2026 23:59, Jason A. Donenfeld wrote:
> > > Hi Valentin,
> > >
> > > On Sun, Feb 08, 2026 at 06:05:45PM +0100, Valentin Spreckels wrote:
> > > > Use the flag introduced in commit 8a321cf7becc6 ("net: add
> > > > IFF_NO_ADDRCONF and use it in bonding to prevent ipv6 addrconf")
> > > > instead of mangling the addr_gen_mode to prevent ipv6 addrconf.
> > >
> > > Can you give some more context here? Why was IFF_NO_ADDRCONF added when
> > > the IN6_ADDR_GEN_MODE_NONE method has been working fine? What's the
> > > difference between these approaches? I don't doubt that your patch is
> > > correct, but I would like to better understand this.
> >
> > Only wireguard configures addr_gen_mode inside the kernel, otherwise it
> > is only set by userspace; userspace is also able to overwrite the
> > IFF_NO_ADDRCONF set by wireguard.
> >
> > Commit 8a321cf7becc ("net: add IFF_NO_ADDRCONF and use it in bonding to
> > prevent ipv6 addrconf") introduces the private interface flag
> > IFF_NO_ADDRCONF, which isn't accessible by userspace.
> >
> > Thus use the IFF_NO_ADDRCONF flag in wireguard.
> >
> > Does that answer your questions? If yes, I will submit a v2 with this as
> > commit message.
>
> I applied this here:
> https://git.zx2c4.com/wireguard-linux/commit/?id=88427bcbe5bd3711de387b1c1f6540ef6fc05a78
>
> Sorry for the delay! Patch looks good as-is, once I looked into the
> internal mechanism.

I'm backing this patch out for now. It seems to break the selftests:

    [+] NS2: ping6 -c 10 -f -W 1 fd00::1
    ping6: connect: Network unreachable

Try it yourself with:

    $ make -C tools/testing/selftests/wireguard/qemu -j$(nproc) 

I assume it's because of:

        case NETDEV_UP:
        case NETDEV_CHANGE:
                if (idev && idev->cnf.disable_ipv6)
                        break;

                if (dev->priv_flags & IFF_NO_ADDRCONF) {
                        [...]
                        break;
                }

Feel free to submit a v2 if you think this is fixable or if the tests
themselves are wrong.

Jason
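
The thread's point that addr_gen_mode is a setting userspace can change is something that can be checked on a running system. The following is an added example, not code from this thread or from the WireGuard tree: it reads the per-device addr_gen_mode sysctl and /proc/net/if_inet6 to report whether link-local autoconfiguration is still suppressed on a device. PROC_ROOT and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit one device for the addr_gen_mode-based suppression
# of IPv6 link-local autoconfiguration discussed in the thread.
# PROC_ROOT is a hypothetical override (not a kernel or iproute2 setting) so
# the check can run against a saved or constructed copy of /proc.
# Usage: source this file, then run: check_dev wg0

# Map the addr_gen_mode sysctl value to its name (see ip-sysctl.rst).
gen_mode_name() {
    case "$1" in
        0) echo eui64 ;;
        1) echo none ;;
        2) echo stable-privacy ;;
        3) echo random ;;
        *) echo "unknown($1)" ;;
    esac
}

# Print the link-local addresses (scope 0x20) that if_inet6 lists for a device.
# Line format: <addr hex> <ifindex> <prefixlen> <scope> <flags> <ifname>
link_local_addrs() {
    [ -r "$1/net/if_inet6" ] || return 0   # file absent: no IPv6 addresses
    awk -v dev="$2" '$6 == dev && $4 == "20" { print $1 }' "$1/net/if_inet6"
}

# check_dev <ifname>
#   "ok mode=none"            mode still none and no link-local address
#   "mode-changed ..."        addr_gen_mode is no longer none (value 1)
#   "link-local-present ..."  an fe80::/10 address exists; it may also have
#                             been assigned by hand, so treat it as a lead
#   "no-ipv6-conf"            device has no IPv6 sysctl directory
check_dev() {
    root="${PROC_ROOT:-/proc}"
    conf="$root/sys/net/ipv6/conf/$1"
    [ -r "$conf/addr_gen_mode" ] || { echo "no-ipv6-conf"; return 2; }
    mode=$(cat "$conf/addr_gen_mode")
    if [ -n "$(link_local_addrs "$root" "$1")" ]; then
        echo "link-local-present mode=$(gen_mode_name "$mode")"
        return 1
    fi
    if [ "$mode" != 1 ]; then
        echo "mode-changed mode=$(gen_mode_name "$mode")"
        return 1
    fi
    echo "ok mode=none"
}
```

The exit status is 0 for "ok", 1 for a finding and 2 when the device has no IPv6 configuration directory, so the function can be used in a loop over devices.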