Nixpkgs: `ip rule` not working on ARM64, `sslh.transparent` broken
Issue description
services.sslh.transparent is broken. When I enable it, sslh.service fails to start.
The failure is caused by pre-start and post-stop scripts. The former runs ip rule add fwmark 0x2 table 100, the latter runs similar del command. And turns out that the whole ip rule does not work with IPv4. ip -6 rule ... works fine, but even ip rule list fails with the same error as other ip rule commands:
$ ip rule list
RTNETLINK answers: Address family not supported by protocol
Dump terminated
Steps to reproduce
- Install NixOS on Aarch64 machine, using mainline kernel.
- Add the following to
/etc/nixos/configuration.nix:
...
services.sslh = {
enable = true;
transparent = true;
};
- Run
nixos-rebuild test. - Observe an error in journalctl logs:
May 16 19:30:54 espresso systemd[1]: Starting Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)...
May 16 19:30:54 espresso dzyi60mw46kjmmpb81ymv6ds58bbgczi-unit-script-sslh-pre-start[21481]: RTNETLINK answers: Address family not supported by protocol
May 16 19:30:54 espresso systemd[1]: sslh.service: Control process exited, code=exited status=2
May 16 19:30:54 espresso 5ybdy9hramw8gk9qhy160j73nj1dycyk-unit-script-sslh-post-stop[21491]: RTNETLINK answers: Address family not supported by protocol
May 16 19:30:54 espresso systemd[1]: sslh.service: Control process exited, code=exited status=2
May 16 19:30:54 espresso systemd[1]: sslh.service: Failed with result 'exit-code'.
May 16 19:30:54 espresso systemd[1]: Failed to start Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port).
- Try to run the
pre-startscript manually:sudo bash -xe /nix/store/dzyi60mw46kjmmpb81ymv6ds58bbgczi-unit-script-sslh-pre-start - Observe an error happening after the
ip rule add fwmark 0x2 lookup 100command. - Try the plain
ip rule listcommand. It also fails.
Possibly related links:
- https://superuser.com/questions/1252914/configure-sslh-with-transparent-proxy-support - the same problem under custom Debian OS, no replies
- https://superuser.com/questions/232807/iproute2-not-functioning-rtnetlink-answers-operation-not-supported - same problem with another
ip rulecommand under Gentoo. Solved by changing some kernel options.
I tried to modprobe corresponding modules (ones which are available in NixOS, because some of the mentioned options were not compiled at all. Nothing helped.
Technical details
Hardware: ESPRESSObin v7
- system: `"aarch64-linux"`
- host os: `Linux 5.1.1, NixOS, 19.03.172604.7cd2e4ebe8c (Koi)`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.2.2`
- channels(root): `"nixos-19.03.172604.7cd2e4ebe8c"`
- nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
MarSoft
All 4 comments
@MarSoft thanks for the report :)
Could you paste the output of the following command (unfortunately I don't have an aarch64 device/VM yet)?:
zcat /proc/config.gz| grep -E 'CONFIG_IP(V6)?_MULTIPLE_TABLES'
On x86_64 this should output:
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IPV6_MULTIPLE_TABLES=y
But on aarch64 CONFIG_IP_MULTIPLE_TABLES is probably not enabled.
primeos
on 14 Jun 2019
On my Raspberry Pi 3B:
# zgrep -E 'CONFIG_IP(V6)?_MULTIPLE_TABLES' /proc/config.gz
CONFIG_IPV6_MULTIPLE_TABLES=y
matthias-t
on 14 Jun 2019
@matthias-t thanks, that should explain it :)
From net/ipv4/Kconfig (forgot to paste that here):
config IP_MULTIPLE_TABLES
bool "IP: policy routing"
depends on IP_ADVANCED_ROUTER
select FIB_RULES
---help---
Normally, a router decides what to do with a received packet based
solely on the packet's final destination address. If you say Y here,
the Linux router will also be able to take the packet's source
address into account. Furthermore, the TOS (Type-Of-Service) field
of the packet can be used for routing decisions as well.
If you need more information, see the Linux Advanced
Routing and Traffic Control documentation at
<http://lartc.org/howto/lartc.rpdb.html>
If unsure, say N.
It should work if we add IP_MULTIPLE_TABLES y here (AFAIK). But I'm not sure what other distributions do and why this isn't in the defconfig (from v5.1):
arch/arm/configs/ebsa110_defconfig:CONFIG_IP_MULTIPLE_TABLES=y
arch/arm/configs/ezx_defconfig:CONFIG_IPV6_MULTIPLE_TABLES=y
arch/arm/configs/imote2_defconfig:CONFIG_IPV6_MULTIPLE_TABLES=y
arch/arm/configs/ixp4xx_defconfig:CONFIG_IP_MULTIPLE_TABLES=y
arch/arm/configs/keystone_defconfig:CONFIG_IP_MULTIPLE_TABLES=y
arch/arm/configs/keystone_defconfig:CONFIG_IPV6_MULTIPLE_TABLES=y
arch/arm/configs/mini2440_defconfig:CONFIG_IP_MULTIPLE_TABLES=y
arch/arm/configs/multi_v7_defconfig:CONFIG_IPV6_MULTIPLE_TABLES=y
arch/arm/configs/oxnas_v6_defconfig:CONFIG_IPV6_MULTIPLE_TABLES=y
arch/arm/configs/qcom_defconfig:CONFIG_IP_MULTIPLE_TABLES=y
arch/arm/configs/tegra_defconfig:CONFIG_IPV6_MULTIPLE_TABLES=y
cc @dezgeg and @Ericson2314 (based on lib/systems/platforms.nix): Maybe you can help here?
primeos
on 14 Jun 2019
Since Discourse doesn't seem to add links anymore when referencing a PR:
This is also a problem for the networking.wg-quick module:
https://discourse.nixos.org/t/ip-rule-address-family-not-supported-by-protocol/3166
primeos
on 14 Jun 2019
Related issues
ayyess
路
3Comments
sid-kap
路
3Comments
grahamc
路
3Comments
yawnt
路
3Comments
copumpkin
路
3Comments
Most helpful comment
@matthias-t thanks, that should explain it :)
From
net/ipv4/Kconfig(forgot to paste that here):It should work if we add
IP_MULTIPLE_TABLES yhere (AFAIK). But I'm not sure what other distributions do and why this isn't in the defconfig (from v5.1):cc @dezgeg and @Ericson2314 (based on lib/systems/platforms.nix): Maybe you can help here?