diff options
| author | Ravi Sastry Kadali <ravisastryk@gmail.com> | 2026-02-07 11:39:15 -0800 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2026-03-03 16:23:39 -0800 |
| commit | fdf3bee34261f383e394a06b1e4cf87fff684c1b (patch) | |
| tree | bf232c990eb8e8cb6879c963a188a385fa2b9000 /src/net | |
| parent | 0856d46fd1f5d882e9033af813b0e2acfc31889f (diff) | |
| download | go-fdf3bee34261f383e394a06b1e4cf87fff684c1b.tar.xz | |
net: treat EPERM/EACCES in IPv6 probe as supported
When a BPF/seccomp filter denies the bind in the IPv6 capability
probe with EPERM or EACCES, the probe incorrectly reports IPv6 as
unsupported even though socket creation and setsockopt succeeded.
This causes Listen on [::] to silently fall back to IPv4-only.
Treat EPERM/EACCES from the probe bind as "supported" since the
successful socket and setsockopt already confirm kernel capability.
Fixes #77430
Change-Id: Ie1164a3e835521dc441387af1c485a3d15e2e2d9
Reviewed-on: https://go-review.googlesource.com/c/go/+/743080
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Ravi Sastry Kadali <ravisastryk@gmail.com>
Reviewed-by: Nicholas Husin <nsh@golang.org>
Reviewed-by: Nicholas Husin <husin@google.com>
Diffstat (limited to 'src/net')
| -rw-r--r-- | src/net/ipsock_posix.go | 8 | ||||
| -rw-r--r-- | src/net/ipsock_test.go | 21 |
2 files changed, 28 insertions, 1 deletions
diff --git a/src/net/ipsock_posix.go b/src/net/ipsock_posix.go index e34e9fe3d6..1d5e8ef226 100644 --- a/src/net/ipsock_posix.go +++ b/src/net/ipsock_posix.go @@ -70,7 +70,13 @@ func (p *ipStackCapabilities) probe() { continue } if err := syscall.Bind(s, sa); err != nil { - continue + // If the bind was denied by a security policy (BPF, seccomp, + // SELinux, etc.), the kernel still supports IPv6 — the socket + // was created and setsockopt succeeded. Only treat errors like + // EADDRNOTAVAIL as lack of support. See go.dev/issue/77430. + if err != syscall.EPERM && err != syscall.EACCES { + continue + } } if i == 0 { p.ipv6Enabled = true diff --git a/src/net/ipsock_test.go b/src/net/ipsock_test.go index aede354844..887bbda5fa 100644 --- a/src/net/ipsock_test.go +++ b/src/net/ipsock_test.go @@ -6,6 +6,7 @@ package net import ( "reflect" + "runtime" "testing" ) @@ -280,3 +281,23 @@ func TestAddrListPartition(t *testing.T) { } } } + +func TestListenIPv6WildcardAddr(t *testing.T) { + if runtime.GOOS == "js" || runtime.GOOS == "wasip1" { + t.Skip("fake networking does not implement [::] wildcard address assertions") + } + if !supportsIPv6() { + t.Skip("IPv6 not supported") + } + + ln, err := Listen("tcp", "[::]:0") + if err != nil { + t.Fatal(err) + } + defer ln.Close() + + addr := ln.Addr().(*TCPAddr) + if addr.IP.To4() != nil { + t.Errorf("Listen(\"tcp\", \"[::]:0\") bound to %v, want IPv6 address", addr) + } +} |