Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#1487 closed defect (wontfix)

IPv6 Transparent Proxy not supported in the official pre-build package

Reported by: Miao Wang
Owned by:
Priority: minor
Milestone:
Component: nginx-package
Version: 1.13.x
Keywords:
Cc:
uname -a: Linux debian 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.13.8
built by gcc 6.3.0 20170516 (Debian 6.3.0-18)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.13.8/debian/debuild-base/nginx-1.13.8=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

Using the following configuration for ipv6 transparent proxy, nginx reports EADDRNOTAVAIL upon connection.

`
stream {
    server {
        listen [::]:853 ssl ipv6only=on;
        proxy_pass [ip:v6::ad:dr]:port;
        # bind the upstream connection to the client's address;
        # on an IPv6 socket this needs setsockopt(IPV6_TRANSPARENT)
        proxy_bind $remote_addr transparent;

        ssl_certificate /path/to/crt;
        ssl_certificate_key /path/to/key;
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_session_tickets on;
        ssl_session_timeout 4h;
        ssl_handshake_timeout 30s;
    }
}
`

I attached strace to the nginx worker process and the result shows that setsockopt(IPV6_TRANSPARENT) is never called.

`
socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 14
ioctl(14, FIONBIO, [1]) = 0
setsockopt(14, SOL_IP, IP_BIND_ADDRESS_NO_PORT, [1], 4) = 0
bind(14, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "2402:f000:1:1501:200:5efe:6506:a344", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = -1 EADDRNOTAVAIL (Cannot assign requested address)
`

The related code is https://github.com/nginx/nginx/blob/f8a9d528df92c7634088e575e5c3d63a1d4ab8ea/src/event/ngx_event_connect.c#L376 and analyzing the nginx binary in the package shows that the code is not compiled in. I guess it may be related to the build environment used to create the package.

Change History (6)

comment:1 by Ruslan Ermilov, 6 years ago

Resolution: wontfix
Status: new → closed

The IPV6_TRANSPARENT macro has only appeared in glibc 2.26.

comment:2 by Miao Wang, 6 years ago (in reply to comment:1)

Replying to ru:

The IPV6_TRANSPARENT macro has only appeared in glibc 2.26.

As seen on my newly installed Debian stretch with default options, the macro IPV6_TRANSPARENT exists. The macro appears in /usr/include/linux/in6.h, which is provided by the package linux-libc-dev. The related packages installed on my installation are:

libc-bin/stable,stable,now 2.24-11+deb9u1 amd64 [installed]
libc-dev-bin/stable,stable,now 2.24-11+deb9u1 amd64 [installed,automatic]
libc6/stable,stable,now 2.24-11+deb9u1 amd64 [installed]
libc6-dev/stable,stable,now 2.24-11+deb9u1 amd64 [installed,automatic]
libklibc/stable,now 2.0.4-9 amd64 [installed,automatic]
linux-libc-dev/now 4.9.30-2+deb9u3 amd64 [installed,upgradable to: 4.9.65-3+deb9u2]

At least for the nginx package built for stretch, checking for the macro IPV6_TRANSPARENT should succeed and the feature should be enabled.

comment:3 by Ruslan Ermilov, 6 years ago

nginx uses the standard header file <netinet/in.h>. This in turn includes /usr/include/x86_64-linux-gnu/bits/in.h (*) from the libc6-dev package (glibc). As already explained, glibc only gained support for the IPV6_TRANSPARENT macro in version 2.26, while you still have version 2.24. In other words, while your kernel seems to support it, the version of glibc used to build nginx does not know about it.

(*) See the output of cc -v to discover the standard include paths, it may look like this:

#include <...> search starts here:
 /usr/lib/gcc/x86_64-linux-gnu/6/include
 /usr/local/include
 /usr/lib/gcc/x86_64-linux-gnu/6/include-fixed
 /usr/include/x86_64-linux-gnu
 /usr/include

comment:4 by Miao Wang, 6 years ago

I understand that. However, it seems that ngx_event_connect_set_transparent should fail, in the absence of the macro IPV6_TRANSPARENT, when called on an AF_INET6 socket, instead of succeeding silently.

comment:5 by Ruslan Ermilov, 6 years ago

We'll consider a patch that emits a warning in this case.

comment:6 by Roman Arutyunyan <arut@…>, 6 years ago

In 7217:8b70d4caa505/nginx:

Generate error for unsupported IPv6 transparent proxy.

On some platforms (for example, Linux with glibc 2.12-2.25) IPv4 transparent
proxying is available, but IPv6 transparent proxying is not. The entire feature
is enabled in this case and NGX_HAVE_TRANSPARENT_PROXY macro is set to 1.
Previously, an attempt to enable transparency for an IPv6 socket was silently
ignored in this case and was usually followed by a bind(2) EADDRNOTAVAIL error
(ticket #1487). Now the error is generated for unavailable IPv6 transparent
proxy.
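The thread boils down to two checks: a compile-time one (does the libc's <netinet/in.h> define IPV6_TRANSPARENT at all, the probe nginx's configure script effectively performs, as comment:3 explains) and a run-time one (socket, setsockopt, bind, the sequence in the reporter's strace, which after the fix in 7217 fails loudly at setsockopt instead of silently at bind). The C program below is an added example written for this page, not nginx's own code and not the patch from the commit above. It reproduces both checks: set_transparent() returns an explicit ENOPROTOOPT when the IPv6 macro is missing from the headers, and transparent_bind6() reports which of the three calls failed and why. The address 2001:db8::1 is a constructed, documentation-only address chosen precisely because it is not local to the host; the non-local bind only succeeds when the process has CAP_NET_ADMIN (or CAP_NET_RAW), otherwise setsockopt fails with EPERM.

```c
/* Added example for ticket #1487 (not nginx code): show the compile-time
 * and run-time halves of IPv6 transparent proxy support on Linux. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>   /* glibc >= 2.26 defines IPV6_TRANSPARENT here */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Compile-time view of what the libc headers offer. With glibc 2.12-2.25
 * the first returns 1 and the second 0, which is exactly the reporter's
 * situation: the feature is "on", but only for AF_INET. */
int ipv4_transparent_compiled(void) {
#ifdef IP_TRANSPARENT
    return 1;
#else
    return 0;
#endif
}

int ipv6_transparent_compiled(void) {
#ifdef IPV6_TRANSPARENT
    return 1;
#else
    return 0;
#endif
}

/* Enable non-local (transparent) binding on fd for the given family.
 * Returns 0 on success, -1 with errno set. A missing IPV6_TRANSPARENT
 * macro is reported as ENOPROTOOPT rather than silently skipped, which
 * is the behaviour change the commit above asks for. */
int set_transparent(int fd, int family) {
    int on = 1;
    switch (family) {
    case AF_INET:
#ifdef IP_TRANSPARENT
        return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof on);
#else
        errno = ENOPROTOOPT; return -1;
#endif
    case AF_INET6:
#ifdef IPV6_TRANSPARENT
        return setsockopt(fd, IPPROTO_IPV6, IPV6_TRANSPARENT, &on, sizeof on);
#else
        errno = ENOPROTOOPT; return -1;
#endif
    default:
        errno = EAFNOSUPPORT;
        return -1;
    }
}

/* Outcome of socket() -> set_transparent() -> bind(). step 0 means the
 * non-local bind succeeded; otherwise step is the failing call
 * (1 socket, 2 setsockopt, 3 bind) and err its errno. */
struct bind_result { int step; int err; };

struct bind_result transparent_bind6(const char *addr6) {
    struct bind_result r = {0, 0};
    struct sockaddr_in6 sa;
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) { r.step = 1; r.err = errno; return r; }
    if (set_transparent(fd, AF_INET6) < 0) {
        r.step = 2; r.err = errno; close(fd); return r;
    }
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_port = htons(0);          /* port 0, as in the reporter's strace */
    if (inet_pton(AF_INET6, addr6, &sa.sin6_addr) != 1) {
        r.step = 3; r.err = EINVAL; close(fd); return r;
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        r.step = 3; r.err = errno;
    }
    close(fd);
    return r;
}

int main(void) {
    static const char *steps[] = {"bind ok", "socket", "setsockopt", "bind"};
    /* 2001:db8::1 is a constructed documentation address, never local here. */
    struct bind_result r = transparent_bind6("2001:db8::1");
    printf("IP_TRANSPARENT in headers: %d, IPV6_TRANSPARENT in headers: %d\n",
           ipv4_transparent_compiled(), ipv6_transparent_compiled());
    if (r.step == 0)
        printf("transparent bind to a non-local address succeeded\n");
    else
        printf("%s failed: %s\n", steps[r.step], strerror(r.err));
    return 0;
}
```

Run it once as an unprivileged user and once with CAP_NET_ADMIN: unprivileged, the failure is at setsockopt (EPERM); privileged, the non-local bind succeeds. The reporter's outcome, a clean setsockopt-free run ending in bind(2) returning EADDRNOTAVAIL, can only happen when the transparent option was never applied, which is what the silent code path in the pre-fix nginx produced when IPV6_TRANSPARENT was absent at build time.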
