[go] net: treat EPERM/EACCES in IPv6 probe as supported
Ravi Sastry Kadali (Gerrit)
Ravi Sastry Kadali has uploaded the change for review![]( "Open in Gerrit")
Commit message
net: treat EPERM/EACCES in IPv6 probe as supported
When a BPF/seccomp filter denies the bind in the IPv6 capability
probe with EPERM or EACCES, the probe incorrectly reports IPv6 as
unsupported even though socket creation and setsockopt succeeded.
This causes Listen on [::] to silently fall back to IPv4-only.
Treat EPERM/EACCES from the probe bind as "supported" since the
successful socket and setsockopt already confirm kernel capability.
Fixes #77430
Change diff
diff --git a/src/net/ipsock_posix.go b/src/net/ipsock_posix.go
index 1ed37d7..339221e 100644
--- a/src/net/ipsock_posix.go
+++ b/src/net/ipsock_posix.go
@@ -70,12 +70,17 @@
continue
}
if err := syscall.Bind(s, sa); err != nil {
- continue
- }
- if i == 0 {
- p.ipv6Enabled = true
- } else {
- p.ipv4MappedIPv6Enabled = true
+ // If the bind was denied by a security policy (BPF, seccomp,
+ // SELinux, etc.), the kernel still supports IPv6 — the socket
+ // was created and setsockopt succeeded. Only treat errors like
+ // EADDRNOTAVAIL as lack of support. See go.dev/issue/77430.
+ if err == syscall.EPERM || err == syscall.EACCES {
+ if i == 0 {
+ p.ipv6Enabled = true
+ } else {
+ p.ipv4MappedIPv6Enabled = true
+ }
+ }
}
}
}
diff --git a/src/net/ipsock_test.go b/src/net/ipsock_test.go
index aede354..4181423 100644
--- a/src/net/ipsock_test.go
+++ b/src/net/ipsock_test.go
@@ -280,3 +280,33 @@
}
}
}
+
+func TestListenIPv6WildcardAddr(t *testing.T) {
+ if !supportsIPv6() {
+ t.Skip("IPv6 not supported")
+ }
+
+ ln, err := Listen("tcp", "[::]:0")
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer ln.Close()
+
+ addr := ln.Addr().(*TCPAddr)
+ if addr.IP.To4() != nil {
+ t.Errorf("Listen(\"tcp\", \"[::]:0\") bound to %v, want IPv6 address", addr)
+ }
+}
+
+func TestProbeIPv6SocketImpliesSupport(t *testing.T) {
+ ln, err := Listen("tcp6", "[::1]:0")
+ if err != nil {
+ t.Skipf("cannot listen on [::1]: %v", err)
+ }
+ ln.Close()
+
+ if !supportsIPv6() {
+ t.Error("Listen on [::1] succeeded but supportsIPv6() is false; " +
+ "probe may be misinterpreting a bind error as lack of IPv6 support")
+ }
+}
Change information
- M src/net/ipsock_posix.go
- M src/net/ipsock_test.go
Related details
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ravi Sastry Kadali (Gerrit)
Ravi Sastry Kadali uploaded new patchset![]( "Open in Gerrit")
Related details
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ravi Sastry Kadali (Gerrit)
Ravi Sastry Kadali added 1 comment![]( "Open in Gerrit")
Appreciate if you can get this reviewed
Related details
- Damien Neil
- Ian Lance Taylor
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Sean Liao (Gerrit)
Sean Liao voted Commit-Queue+1![]( "Open in Gerrit")
- Damien Neil
- Ian Lance Taylor
- Ravi Sastry Kadali
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Sean Liao (Gerrit)
Sean Liao voted Commit-Queue+1![]( "Open in Gerrit")
| Commit-Queue | +1 |
Related details
- Damien Neil
- Ian Lance Taylor
- Ravi Sastry Kadali
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Richlan Chavis (Gerrit)
Richlan Chavis added 1 comment![]( "Open in Gerrit")
Endpoint: /changes/*~*/message
Trace Id: 1771210348950-926b843e
Related details
- Damien Neil
- Ian Lance Taylor
- Ravi Sastry Kadali
- Sean Liao
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Damien Neil (Gerrit)
Damien Neil added 1 comment![]( "Open in Gerrit")
Thanks.
The wasm failures look real.
Do we need to do something different for wasm? Or just skip the test on wasm, since it improves the situation on other platforms and makes things no worse on wasm?
Related details
- Ian Lance Taylor
- Ravi Sastry Kadali
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ravi Sastry Kadali (Gerrit)
Ravi Sastry Kadali added 1 comment![]( "Open in Gerrit")
The reported failures are unrelated to my change. Given that this fix improves behavior on other platforms and does not negatively impact wasm, I would request that the wasm test be skipped to help expedite landing this change.
Related details
- Ian Lance Taylor
- Nicholas Husin
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Nicholas Husin (Gerrit)
Nicholas Husin added 1 comment![]( "Open in Gerrit")
The reported failures are unrelated to my change. Given that this fix improves behavior on other platforms and does not negatively impact wasm, I would request that the wasm test be skipped to help expedite landing this change.
Unfortunately, the reported failures are related to your change: your test fails when running in WASM.
You can try it yourself by running:
```
PATH="$PATH:$(go env GOROOT)/lib/wasm" \
GOOS=js GOARCH=wasm \
go test ./net -run=TestListenIPv6WildcardAddr
```
Even if your code does not negatively impact WASM, we'd want to make sure that your test does not run for WASM here at least (assuming that we cannot make this work for WASM too), e.g.
```
if runtime.GOARCH == "wasm" {
t.Skip("reason")
}
```
Related details
- Ian Lance Taylor
- Ravi Sastry Kadali
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ravi Sastry Kadali (Gerrit)
Ravi Sastry Kadali uploaded new patchset![]( "Open in Gerrit")
Related details
- Ian Lance Taylor
- Ravi Sastry Kadali
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ravi Sastry Kadali (Gerrit)
Ravi Sastry Kadali added 2 comments![]( "Open in Gerrit")
The reported failures are unrelated to my change. Given that this fix improves behavior on other platforms and does not negatively impact wasm, I would request that the wasm test be skipped to help expedite landing this change.
Unfortunately, the reported failures are related to your change: your test fails when running in WASM.
You can try it yourself by running:
```
PATH="$PATH:$(go env GOROOT)/lib/wasm" \
GOOS=js GOARCH=wasm \
go test ./net -run=TestListenIPv6WildcardAddr
```Even if your code does not negatively impact WASM, we'd want to make sure that your test does not run for WASM here at least (assuming that we cannot make this work for WASM too), e.g.
```
if runtime.GOARCH == "wasm" {
t.Skip("reason")
}
```
- Ian Lance Taylor
- Nicholas Husin
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Nicholas Husin (Gerrit)
Nicholas Husin added 2 comments![]( "Open in Gerrit")
switch runtime.GOOS {
case "js", "wasip1":
// Both ipv4 and ipv6 are faked; see net_fake.go.
p.ipv4Enabled = true
p.ipv6Enabled = true
p.ipv4MappedIPv6Enabled = true
return
}I think previously your test was failing because for WASM, `runtime.GOOS` would be set to `js`, and it seems like this special case automatically set `ipv6Enabled` to `true`.
So, alternatively, rather than skipping the test when `runtime.GOARCH == "wasm"`, we can also fix `probe` to not automatically set `ipvEnabled = true` when `runtime.GOARCH = "wasm"` I think. Interestingly, the comments here seems to indicate that for `js`, IPv6 should always work as it is faked? I'm unfortunately not familiar with this part of the codebase, so not sure if `wasm` was just missed as a special case, or if there's a bug...
@dn...@google.com might know more here.
// If the bind was denied by a security policy (BPF, seccomp,
// SELinux, etc.), the kernel still supports IPv6 — the socket
// was created and setsockopt succeeded. Only treat errors like
// EADDRNOTAVAIL as lack of support. See go.dev/issue/77430.
if err == syscall.EPERM || err == syscall.EACCES {
if i == 0 {
p.ipv6Enabled = true
} else {
p.ipv4MappedIPv6Enabled = true
}
}Just to check: this change would cause behavioral difference when `err == nil` I think?
Previously, when `err == nil`, we'd execute:
```
if i == 0 {
p.ipv6Enabled = true
} else {
p.ipv4MappedIPv6Enabled = true
}
```
but now that is totally skipped. Is that intentional?
Related details
- Ian Lance Taylor
- Ravi Sastry Kadali
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ravi Sastry Kadali (Gerrit)
Ravi Sastry Kadali added 3 comments![]( "Open in Gerrit")
Thanks.
The wasm failures look real.
Do we need to do something different for wasm? Or just skip the test on wasm, since it improves the situation on other platforms and makes things no worse on wasm?
Done
switch runtime.GOOS {
case "js", "wasip1":
// Both ipv4 and ipv6 are faked; see net_fake.go.
p.ipv4Enabled = true
p.ipv6Enabled = true
p.ipv4MappedIPv6Enabled = true
return
}I think previously your test was failing because for WASM, `runtime.GOOS` would be set to `js`, and it seems like this special case automatically set `ipv6Enabled` to `true`.
So, alternatively, rather than skipping the test when `runtime.GOARCH == "wasm"`, we can also fix `probe` to not automatically set `ipvEnabled = true` when `runtime.GOARCH = "wasm"` I think. Interestingly, the comments here seems to indicate that for `js`, IPv6 should always work as it is faked? I'm unfortunately not familiar with this part of the codebase, so not sure if `wasm` was just missed as a special case, or if there's a bug...
@dn...@google.com might know more here.
Good point. The test skip has been updated from `runtime.GOARCH == "wasm"` to `runtime.GOOS == "js" || runtime.GOOS == "wasip1"`, which mirrors the existing early-return in `probe()` exactly.
As for whether this is a missed case or a bug in the fake networking: net_fake.go does implement socket() for these targets and technically accepts AF_INET6, but the wildcard [::]:0 assertion in the test (checking `addr.IP.To4() == nil`) doesn't hold reliably under the fake implementation. Since `probe()` already treats both `js` and `wasip1` as fully capable via the early-return (they're faked), skipping just this specific test is the right approach — it avoids masking a genuine issue while not regressing anything on those platforms.
// If the bind was denied by a security policy (BPF, seccomp,
// SELinux, etc.), the kernel still supports IPv6 — the socket
// was created and setsockopt succeeded. Only treat errors like
// EADDRNOTAVAIL as lack of support. See go.dev/issue/77430.
if err == syscall.EPERM || err == syscall.EACCES {
if i == 0 {
p.ipv6Enabled = true
} else {
p.ipv4MappedIPv6Enabled = true
}
}Just to check: this change would cause behavioral difference when `err == nil` I think?
Previously, when `err == nil`, we'd execute:
```
if i == 0 {
p.ipv6Enabled = true
} else {
p.ipv4MappedIPv6Enabled = true
}
```
but now that is totally skipped. Is that intentional?
Great catch, thank you. The restructured if-block did inadvertently drop the success path — when `syscall.Bind` returns nil, neither `ipv6Enabled` nor `ipv4MappedIPv6Enabled` was being set, which would break IPv6 detection on normal kernels.
Fixed by inverting the condition: now the continue (skip/unsupported) fires for any error that is `not EPERM or EACCES`, and both the success case and the permission-denied case fall through to set the capability flag:
```
if err := syscall.Bind(s, sa); err != nil {
if err != syscall.EPERM && err != syscall.EACCES {
continue
}
}
if i == 0 {
p.ipv6Enabled = true
} else {
p.ipv4MappedIPv6Enabled = true
}
- Damien Neil
- Ian Lance Taylor
- Nicholas Husin
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ravi Sastry Kadali (Gerrit)
Ravi Sastry Kadali uploaded new patchset![]( "Open in Gerrit")
Related details
- Damien Neil
- Ian Lance Taylor
- Nicholas Husin
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ravi Sastry Kadali (Gerrit)
Ravi Sastry Kadali added 3 comments![]( "Open in Gerrit")
Thank you @n...@golang.org and @dn...@google.com. Please re-review.
switch runtime.GOOS {
case "js", "wasip1":
// Both ipv4 and ipv6 are faked; see net_fake.go.
p.ipv4Enabled = true
p.ipv6Enabled = true
p.ipv4MappedIPv6Enabled = true
return
}Ravi Sastry KadaliI think previously your test was failing because for WASM, `runtime.GOOS` would be set to `js`, and it seems like this special case automatically set `ipv6Enabled` to `true`.
So, alternatively, rather than skipping the test when `runtime.GOARCH == "wasm"`, we can also fix `probe` to not automatically set `ipvEnabled = true` when `runtime.GOARCH = "wasm"` I think. Interestingly, the comments here seems to indicate that for `js`, IPv6 should always work as it is faked? I'm unfortunately not familiar with this part of the codebase, so not sure if `wasm` was just missed as a special case, or if there's a bug...
@dn...@google.com might know more here.
Good point. The test skip has been updated from `runtime.GOARCH == "wasm"` to `runtime.GOOS == "js" || runtime.GOOS == "wasip1"`, which mirrors the existing early-return in `probe()` exactly.
As for whether this is a missed case or a bug in the fake networking: net_fake.go does implement socket() for these targets and technically accepts AF_INET6, but the wildcard [::]:0 assertion in the test (checking `addr.IP.To4() == nil`) doesn't hold reliably under the fake implementation. Since `probe()` already treats both `js` and `wasip1` as fully capable via the early-return (they're faked), skipping just this specific test is the right approach — it avoids masking a genuine issue while not regressing anything on those platforms.
Done
// If the bind was denied by a security policy (BPF, seccomp,
// SELinux, etc.), the kernel still supports IPv6 — the socket
// was created and setsockopt succeeded. Only treat errors like
// EADDRNOTAVAIL as lack of support. See go.dev/issue/77430.
if err == syscall.EPERM || err == syscall.EACCES {
if i == 0 {
p.ipv6Enabled = true
} else {
p.ipv4MappedIPv6Enabled = true
}
}Ravi Sastry KadaliJust to check: this change would cause behavioral difference when `err == nil` I think?
Previously, when `err == nil`, we'd execute:
```
if i == 0 {
p.ipv6Enabled = true
} else {
p.ipv4MappedIPv6Enabled = true
}
```
but now that is totally skipped. Is that intentional?
Great catch, thank you. The restructured if-block did inadvertently drop the success path — when `syscall.Bind` returns nil, neither `ipv6Enabled` nor `ipv4MappedIPv6Enabled` was being set, which would break IPv6 detection on normal kernels.
Fixed by inverting the condition: now the continue (skip/unsupported) fires for any error that is `not EPERM or EACCES`, and both the success case and the permission-denied case fall through to set the capability flag:
```
if err := syscall.Bind(s, sa); err != nil {
if err != syscall.EPERM && err != syscall.EACCES {
continue
}
}
if i == 0 {
p.ipv6Enabled = true
} else {
p.ipv4MappedIPv6Enabled = true
}
```
Done
Related details
- Damien Neil
- Ian Lance Taylor
- Nicholas Husin
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |