#1487 closed defect (wontfix)
IPv6 Transparent Proxy not supported in the official pre-build package
| Reported by: | Miao Wang | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-package | Version: | 1.13.x |
| Keywords: | Cc: | ||
| uname -a: | Linux debian 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.13.8
built by gcc 6.3.0 20170516 (Debian 6.3.0-18) built with OpenSSL 1.1.0f 25 May 2017 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.13.8/debian/debuild-base/nginx-1.13.8=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' |
||
Description
Using the following configuration for ipv6 transparent proxy, nginx reports EADDRNOTAVAIL upon connection.
`
stream {
server {
listen [::]:853 ssl ipv6only=on;
proxy_pass [ip:v6::ad:dr]:port;
proxy_bind $remote_addr transparent;
ssl_certificate /path/to/crt;
ssl_certificate_key /path/to/key;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_tickets on;
ssl_session_timeout 4h;
ssl_handshake_timeout 30s;
}
}
`
I attached strace to the nginx worker process and the result shows that setsockopt(IPV6_TRANSPARENT) is never called.
`
socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 14
ioctl(14, FIONBIO, [1]) = 0
setsockopt(14, SOL_IP, IP_BIND_ADDRESS_NO_PORT, [1], 4) = 0
bind(14, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "2402:f000:1:1501:200:5efe:6506:a344", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = -1 EADDRNOTAVAIL (Cannot assign requested address)
`
The related code is https://github.com/nginx/nginx/blob/f8a9d528df92c7634088e575e5c3d63a1d4ab8ea/src/event/ngx_event_connect.c#L376 and analyzing the nginx binary in the package shows that the code is not compiled. I guess it may be related to the building environment creating the package.
Change History (6)
follow-up: 2 comment:1 by , 7 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
comment:2 by , 7 years ago
Replying to ru:
The IPV6_TRANSPARENT macro has only appeared in glibc 2.26.
As seen from my newly installed debian stretch with default options, the macro IPV6_TRANSPARENT exists. The macro appears in /usr/include/linux/in6.h which is provided by the package linux-libc-dev. The related packages installed on my installation is:
libc-bin/stable,stable,now 2.24-11+deb9u1 amd64 [installed] libc-dev-bin/stable,stable,now 2.24-11+deb9u1 amd64 [installed,automatic] libc6/stable,stable,now 2.24-11+deb9u1 amd64 [installed] libc6-dev/stable,stable,now 2.24-11+deb9u1 amd64 [installed,automatic] libklibc/stable,now 2.0.4-9 amd64 [installed,automatic] linux-libc-dev/now 4.9.30-2+deb9u3 amd64 [installed,upgradable to: 4.9.65-3+deb9u2]
At least, for nginx package built for stretch, checking for the macro IPV6_TRANSPARENT should succeed and the function should be enabled.
comment:3 by , 7 years ago
nginx uses standard header file <netinet/in.h>. This in turn includes /usr/include/x86_64-linux-gnu/bits/in.h (*) from the libc6-dev package (glibc). As already explained, glibc only gained support of the IPV6_TRANSPARENT macro in version 2.26, while you still have version 2.24. In other words, while your kernel seems to support it, the version of glibc used to build nginx does not know about it.
(*) See the output of cc -v to discover the standard include paths, it may look like this:
#include <...> search starts here: /usr/lib/gcc/x86_64-linux-gnu/6/include /usr/local/include /usr/lib/gcc/x86_64-linux-gnu/6/include-fixed /usr/include/x86_64-linux-gnu /usr/include
comment:4 by , 7 years ago
I understand that. However, it seems that ngx_event_connect_set_transparent should fail in lack of the macro IPV6_TRANSPARENT when called on an af_inet6 socket instead of succeeding silently.
The IPV6_TRANSPARENT macro has only appeared in glibc 2.26.