fix: handle EAFNOSUPPORT in RouteList for Virtuozzo/OpenVZ kernels #1233
Wenri wants to merge 2 commits into gravitl:develop from
Pull request overview
This PR addresses route enumeration failures on Virtuozzo/OpenVZ 3.10.x kernels where RTM_GETROUTE dumps using AF_UNSPEC return EAFNOSUPPORT, which can prevent netclient from configuring interfaces and detecting the default gateway. It introduces netlink route-list helper functions that fall back to per-family queries, and updates the container image configuration for userspace WireGuard selection.
Changes:
- Replace direct `netlink.RouteList(..., FAMILY_ALL)`/`RouteListFiltered(..., FAMILY_ALL)` usage with helpers that fall back to V4+V6 queries on `EAFNOSUPPORT`.
- Add `routeListAll` and `routeListFilteredAll` helper functions to `wireguard_linux.go`.
- Set `WG_QUICK_USERSPACE_IMPLEMENTATION=wireguard-go` in the main `Dockerfile`.
Reviewed changes
Copilot reviewed 65 out of 66 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| wireguard/wireguard_linux.go | Adds EAFNOSUPPORT fallback helpers and routes callers through them to avoid failing on AF_UNSPEC route dumps. |
| Dockerfile | Sets WG_QUICK_USERSPACE_IMPLEMENTATION to prefer userspace WireGuard behavior in containers. |
| v4, err4 := netlink.RouteList(link, netlink.FAMILY_V4) | ||
| if err4 != nil { | ||
| return nil, err4 | ||
| } | ||
| v6, _ := netlink.RouteList(link, netlink.FAMILY_V6) |
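Review bot: the last line, `v6, _ := netlink.RouteList(link, netlink.FAMILY_V6)`, throws away the error, so a failed IPv6 dump looks the same to the caller as a link with no IPv6 routes. Bind it to err6 and return, or at least log, anything that is not the expected unsupported-family errno. The early `return nil, err4` above it also means the IPv6 query never runs when the IPv4 one fails; decide explicitly whether that is intended and say so in a comment.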
In the EAFNOSUPPORT fallback, IPv6 route listing errors are currently ignored (v6, _ := ...), and the function also hard-fails if the IPv4 query fails even if IPv6 would succeed. This can silently drop IPv6 routes or incorrectly return an error on IPv6-only systems. Consider capturing err6 and returning a combined result when one family succeeds, only failing when both V4 and V6 queries fail (optionally ignoring only expected 'not supported' errors).
| v4, err4 := netlink.RouteListFiltered(netlink.FAMILY_V4, filter, filterMask) | ||
| if err4 != nil { | ||
| return nil, err4 | ||
| } | ||
| v6, _ := netlink.RouteListFiltered(netlink.FAMILY_V6, filter, filterMask) |
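Review bot: these lines duplicate the V4-then-V6 sequence of the RouteList fallback, down to the discarded error in `v6, _ := netlink.RouteListFiltered(netlink.FAMILY_V6, filter, filterMask)`. Move the per-family merge into one shared function that takes the query as a parameter, so the error handling is written and fixed in one place.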
Same issue as routeListAll: the EAFNOSUPPORT fallback ignores the IPv6 error and requires the IPv4 filtered query to succeed. This can hide real failures from the caller and/or break IPv6-only setups. Please handle err6 and only return an error if both family-specific queries fail (treating 'not supported' errors as non-fatal if desired).
Virtuozzo/OpenVZ 3.10.x kernels do not support RTM_GETROUTE dump with AF_UNSPEC, returning EAFNOSUPPORT. This caused netclient to fail on interface configuration and default gateway detection, preventing the daemon from applying any peer updates. Add routeListAll and routeListFilteredAll helpers that try FAMILY_ALL first and fall back to querying FAMILY_V4 and FAMILY_V6 separately. Also set WG_QUICK_USERSPACE_IMPLEMENTATION in Dockerfile. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
3dbb9cb to 3a551b4
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Summary
- `RTM_GETROUTE` dump with `AF_UNSPEC`, returning `EAFNOSUPPORT`. This caused netclient to fail on interface configuration and default gateway detection, preventing the daemon from applying any peer updates.
- `routeListAll` and `routeListFilteredAll` helpers that try `FAMILY_ALL` first and fall back to querying `FAMILY_V4` and `FAMILY_V6` separately when `EAFNOSUPPORT` is returned.
- `WG_QUICK_USERSPACE_IMPLEMENTATION` env var in Dockerfile for userspace WireGuard support in containers.

Test plan
- `FAMILY_ALL` as before)
- `WG_QUICK_USERSPACE_IMPLEMENTATION` env var

🤖 Generated with Claude Code
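The fallback described in the summary, combined with the per-family error handling raised in the review comments, as an added sketch that is not the PR's code. `Route`, `queryFn`, `listAllFamilies` and `fakeKernel` are hypothetical names, and the policy shown (skip a family that is itself unsupported, return any other error) is an assumption about what should count as non-fatal.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

type Route struct{ Dst string }                // hypothetical stand-in for netlink.Route
type queryFn func(family int) ([]Route, error) // hypothetical per-family route dump

// listAllFamilies falls back from one AF_UNSPEC dump to per-family dumps on
// EAFNOSUPPORT. An unsupported family is skipped; any other error is returned.
func listAllFamilies(q queryFn) ([]Route, error) {
	routes, err := q(syscall.AF_UNSPEC)
	if !errors.Is(err, syscall.EAFNOSUPPORT) {
		return routes, err // success, or an error the fallback cannot fix
	}
	var merged []Route
	supported := 0
	for _, fam := range []int{syscall.AF_INET, syscall.AF_INET6} {
		r, ferr := q(fam)
		if errors.Is(ferr, syscall.EAFNOSUPPORT) {
			continue // this family is absent on the host
		}
		if ferr != nil {
			return nil, fmt.Errorf("route dump, family %d: %w", fam, ferr)
		}
		supported++
		merged = append(merged, r...)
	}
	if supported == 0 {
		return nil, err // neither family usable: keep the original error
	}
	return merged, nil
}

// fakeKernel (constructed): AF_UNSPEC rejected, IPv4 ok, IPv6 ok or fails with v6Err.
func fakeKernel(v6Err error) queryFn {
	return func(family int) ([]Route, error) {
		switch family {
		case syscall.AF_INET:
			return []Route{{"0.0.0.0/0"}}, nil
		case syscall.AF_INET6:
			return []Route{{"::/0"}}, v6Err
		}
		return nil, syscall.EAFNOSUPPORT
	}
}
func main() { fmt.Println(listAllFamilies(fakeKernel(syscall.EPERM))) }
```

With this policy an IPv6-only or IPv4-only host still gets its routes, while a permission or resource error on either family reaches the caller instead of reading as an empty route table.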