XPost: linux.debian.kernel
Hello,
Just a follow-up to report that the upstream kernel developers have
now merged a fix for this issue into the 'net' tree.
The official commit is:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=4e914ef063de40397e25a025c70d9737a9e45a8c
The patch submission cover letter on the mailing list can be found
here, providing additional context:
https://lore.kernel.org/netdev/[email protected]/T/
I will be looking forward to seeing this fix in a future Debian kernel update. Best regards,
Aiden Yang
Salvatore Bonaccorso <
[email protected]> 于2025年6月29日周日 03:17写道:
Control: tags -1 + moreinfo
On Sat, Jun 28, 2025 at 08:49:17PM +0800, Aiden Yang wrote:
PACKAGE: linux SUBJECT: Kernel Regression between 6.1.0-35 and
6.1.0-37: IPv6 link-local multicast over GRE tunnel is silently
dropped SEVERITY: normal
===================================================================
Summary:
This report details a regression in the Linux kernel that prevents
IPv6 link-local all-nodes multicast packets (ff02::1) from being transmitted over a GRE tunnel. The issue is confirmed to have been introduced between kernel versions 6.1.0-35-cloud-amd64 (working) and 6.1.0-37-cloud-amd64 (failing) on Debian 12 (Bookworm).
On affected kernels, the ping utility reports 100% packet loss, and a tcpdump on the underlying physical interface confirms that the kernel
is silently dropping the encapsulated GRE packets instead of sending
them. The sendto() system call does not return an error to the
userspace application in the default namespace.
===================================================================
Regression Point:
Last Known Good Version: 6.1.0-35-cloud-amd64
First Failing Version: 6.1.0-37-cloud-amd64
The regression is also present in later kernels tested, including
6.12.33 and 6.15.x on Debian 13 (Trixie).
===================================================================
Steps to Reproduce:
Use a Debian system with an affected kernel (e.g., >= 6.1.0-37).
Establish a GRE tunnel. Replace [PEER_IP] and [LOCAL_IP] with actual endpoint addresses.
ip tunnel add tun_gre mode gre remote [PEER_IP] local [LOCAL_IP] ttl
255 ip link set tun_gre up
In one terminal, start a tcpdump on the physical interface that
provides the local IP, to monitor for outgoing GRE packets (GRE is IP protocol 47).
tcpdump -i [PHYSICAL_IFACE] -n 'proto gre'
In a second terminal, attempt to ping the link-local all-nodes
multicast address via the GRE tunnel interface.
ping ff02::1%tun_gre -c 4
===================================================================
Observed Behavior (The Bug):
The ping command runs and reports "4 packets transmitted, 0 received,
100% packet loss".
The tcpdump window on the physical interface shows NO outgoing GRE
packets. This proves the kernel is silently dropping the packets.
===================================================================
Expected Behavior (as observed on kernel 6.1.0-35):
The ping command runs.
The tcpdump window shows outgoing GRE packets being sent from
[LOCAL_IP] to [PEER_IP] for each ICMPv6 echo request. (Receiving a
reply is dependent on the peer configuration, but the packets should
be transmitted).
===================================================================
Additional Diagnostic Information:
VRF Context: When the failing GRE interface (tun_gre) is placed within
a VRF, the failure mode changes. The ping or sendto() system call
fails immediately with an ENETUNREACH (Network is unreachable) error.
This is likely because the VRF routing table does not have a route to
the tunnel's physical peer address, and the kernel correctly
identifies this dependency issue.
veth Control Test: The issue is specific to the gre tunnel interface
type. A control test using a veth pair inside a VRF works perfectly
for link-local multicast, proving the core VRF and multicast logic is sound.
This detailed bracketing of the regression should provide a strong
starting point for identifying the specific commit that introduced
this behavior.
since you can reproduce the regression on all newer upstream versions
as well, can you please report in to upstream and report back here the upstream report so we can follow its status.
Thanks already.
Regards,
Salvatore
WARNING: *This email (including its attachments) may contain confidential information protected by confidentiality agreements or other rights, and is intended only for the designated recipient or individuals who need to know it for the stated purpose. The recipient is prohibited from disclosing this information to unauthorized parties without prior permission from MoeDove LLC. If you have received this email in error, please notify the sender immediately and delete this email and its attachments from your system. Any use, dissemination, transmission, or copying of this email by someone other than the intended recipient is prohibited and may be unlawful.*
Drop this when you send public bugreports, thanks.
--
WARNING: *This email (including its attachments) may contain confidential information protected by confidentiality agreements or other rights, and is intended only for the designated recipient or individuals who need to know
it for the stated purpose. The recipient is prohibited from disclosing this information to unauthorized parties without prior permission from MoeDove
LLC. If you have received this email in error, please notify the sender immediately and delete this email and its attachments from your system. Any use, dissemination, transmission, or copying of this email by someone other than the intended recipient is prohibited and may be unlawful.*
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)