From nobody Thu Jun 26 02:59:11 2025 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4bSNgg5m5qz5yvb1; Thu, 26 Jun 2025 02:59:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4bSNgg3lRhz3Lhg; Thu, 26 Jun 2025 02:59:11 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1750906751; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=rr2XEI2/5ZEc93xXkLZfp+J6V19pkXufDddpbZrHvDI=; b=piG2BOjibW++ymUkZgFvTCxF+wTFYlesh2TGifxRiRF4VS4f3h0M6Sj6Z55ORjLdtQy67n mfS+gsV/yPn3v2udBI3dhUNteMtRn7nMdyPOJ46OfljmtgK+Tikh3NM3rIs1tfbm0znZmX AnXioWJ5n2ZFR7HKc58Y+1F+dLRkj6lcuoGzQCvAJtyo4lKKcV6XYOHgpU8yfjF/es2yqn 7aDGubaVxQ6sqYYEGTpsJH8kHFEr9/gLOSpMX2CzI7QaCESD0ODeczAbyQFQCLE5Tb19sR GojVPbv27cv9/rOjEb9mYFCd16ie9nY7KFC//ZwAJpB/M77NvxUcr1bvQ2aV9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1750906751; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=rr2XEI2/5ZEc93xXkLZfp+J6V19pkXufDddpbZrHvDI=; b=VaPzuBXM7n3+5vVI6X/XdRSZxxBdzAWlS4G1RYm9NAkEAey7oXwvsgGqVot3t/Ux9vfZxp OusVdxMl4O/Lc8BUH8mV4oWZnCsaNyziOZz+90EC50ukuOp+0nzpnS419x7Aomj4j1cylD vgKBECtBQBmbNRhbJ6JnaQ7u/eYlmJGHphvvAQTEnDItlVN87C9ftQjk3YHt3cHZSG6p24 4b+Fhx/0zbBY3zpAC7U/4d8svi8jdiZ4Ong8gjSrf9OSxK+e6bkqei7QhnZkgukrckKkOj RBf+IBDGdFJJZm+TgCsk6diBVK+otnXQXcywvx01nFt1kuFeqvDbZjtQ7p2KDw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1750906751; a=rsa-sha256; cv=none; b=mdBtl7DbQW2XjQxk5yLrtsZuwiGgBVJtFEFP0q6ktuGnidgYcSeAUx2Rd9rJRJXa1OUkJD NS8MQKdUafrz9BPVdAUx4lXQNiZuMj9tapf8Qaqkdg2OgovZI7bj/u7qTZBIl8W9wadBCm /tx/zVpKeBjl2syyRnj/qOD3YfragkDHP9ftzpw0EZVAywA/zixcQ4nhFBPXWx0kCx9bKr 2cAfyWYI8BeyKamakfl57jRqUO108I21shhe7bAmfzTNLMAN23rAlPr7iLd2X/qRHSpaA3 I8DUg8KX+uOk2yBqrS2N5gQMDJmsQKdLEWuwKzipQwhVHzyqKOq8WUSGhmyS8A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4bSNgg3FsMzlm6; Thu, 26 Jun 2025 02:59:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 55Q2xBVj053058; Thu, 26 Jun 2025 02:59:11 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 55Q2xBHg053055; Thu, 26 Jun 2025 02:59:11 GMT (envelope-from git) Date: Thu, 26 Jun 2025 02:59:11 GMT Message-Id: <202506260259.55Q2xBHg053055@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kyle Evans Subject: git: 716b6667b65b - main - tests: extend wireguard test to cover incremental allowed-ips updates List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 716b6667b65b50c15900be9f88cc67f2326872b4 Auto-Submitted: auto-generated The branch main has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=716b6667b65b50c15900be9f88cc67f2326872b4 commit 716b6667b65b50c15900be9f88cc67f2326872b4 Author: Kyle Evans AuthorDate: 2025-06-26 02:57:03 +0000 Commit: Kyle Evans CommitDate: 2025-06-26 02:58:26 +0000 tests: extend wireguard test to cover incremental allowed-ips updates New +/- syntax in wg(8) allows us to add or remove just a single allowed-ip rather than forcing replacement or weird tricks to do an atomic removal. Ensure that it works now that we've added kernel support for it. Reviewed by: ivy Differential Revision: https://reviews.freebsd.org/D50449 --- tests/sys/net/if_wg.sh | 205 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 205 insertions(+) diff --git a/tests/sys/net/if_wg.sh b/tests/sys/net/if_wg.sh index 6d2f56dc8f2e..1f51d86c8efa 100644 --- a/tests/sys/net/if_wg.sh +++ b/tests/sys/net/if_wg.sh @@ -417,6 +417,208 @@ wg_vnet_parent_routing_cleanup() vnet_cleanup } +# The kernel should now allow removing a single allowed-ip without having to +# replace the whole list. We can't really test the atomicity of it all that +# easily, but we'll trust that it worked right if just that addr/mask is gone. +atf_test_case "wg_allowedip_incremental" "cleanup" +wg_allowedip_incremental_head() +{ + atf_set descr "Add/remove allowed-ips from a peer with the +/- incremental syntax" + atf_set require.user root +} + +wg_allowedip_incremental_body() +{ + local pri1 pri2 pub1 pub2 wg1 + local tunnel1 tunnel2 tunnel3 + + kldload -n if_wg || atf_skip "This test requires if_wg and could not load it" + + pri1=$(wg genkey) + pri2=$(wg genkey) + pub2=$(echo "$pri2" | wg pubkey) + + tunnel1=169.254.0.1 + tunnel2=169.254.0.2 + tunnel3=169.254.0.3 + + vnet_mkjail wgtest1 + + wg1=$(jexec wgtest1 ifconfig wg create) + echo "$pri1" | jexec wgtest1 wg set $wg1 private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "${tunnel1}/32,${tunnel2}/32" + + atf_check -o save:wg.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check grep -q "${tunnel1}/32" wg.allowed + atf_check grep -q "${tunnel2}/32" wg.allowed + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "-${tunnel2}/32" + + atf_check -o save:wg-2.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check grep -q "${tunnel1}/32" wg-2.allowed + atf_check -s not-exit:0 grep -q "${tunnel2}/32" wg-2.allowed + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "+${tunnel2}/32" + + atf_check -o save:wg-3.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check grep -q "${tunnel1}/32" wg-3.allowed + atf_check grep -q "${tunnel2}/32" wg-3.allowed + + # Now attempt to add the address yet again to confirm that it's not + # harmful. + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "+${tunnel2}/32" + + atf_check -o save:wg-4.allowed -x \ + "jexec wgtest1 wg show $wg1 allowed-ips | cut -f2 | tr ' ' '\n'" + atf_check -o match:"2 wg-4.allowed$" wc -l wg-4.allowed + + # Finally, let's try removing an address that we never had at all and + # confirm that we still have our two addresses. + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "-${tunnel3}/32" + + atf_check -o save:wg-5.allowed -x \ + "jexec wgtest1 wg show $wg1 allowed-ips | cut -f2 | tr ' ' '\n'" + atf_check cmp -s wg-4.allowed wg-5.allowed +} + +wg_allowedip_incremental_cleanup() +{ + vnet_cleanup +} + +atf_test_case "wg_allowedip_incremental_inet6" "cleanup" +wg_allowedip_incremental_inet6_head() +{ + atf_set descr "Add/remove IPv6 allowed-ips from a peer with the +/- incremental syntax" + atf_set require.user root +} + +wg_allowedip_incremental_inet6_body() +{ + local pri1 pri2 pub1 pub2 wg1 + local tunnel1 tunnel2 + + kldload -n if_wg || atf_skip "This test requires if_wg and could not load it" + + pri1=$(wg genkey) + pri2=$(wg genkey) + pub2=$(echo "$pri2" | wg pubkey) + + tunnel1=2001:db8:1::1 + tunnel2=2001:db8:1::2 + + vnet_mkjail wgtest1 + + wg1=$(jexec wgtest1 ifconfig wg create) + echo "$pri1" | jexec wgtest1 wg set $wg1 private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "${tunnel1}/128" + atf_check -o save:wg.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check grep -q "${tunnel1}/128" wg.allowed + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "+${tunnel2}/128" + atf_check -o save:wg-2.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check grep -q "${tunnel1}/128" wg-2.allowed + atf_check grep -q "${tunnel2}/128" wg-2.allowed + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "-${tunnel1}/128" + atf_check -o save:wg-3.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check -s not-exit:0 grep -q "${tunnel1}/128" wg-3.allowed + atf_check grep -q "${tunnel2}/128" wg-3.allowed +} + +wg_allowedip_incremental_inet6_cleanup() +{ + vnet_cleanup +} + + +atf_test_case "wg_allowedip_incremental_stealing" "cleanup" +wg_allowedip_incremental_stealing_head() +{ + atf_set descr "Add/remove allowed-ips from a peer with the +/- incremental syntax to steal" + atf_set require.user root +} + +wg_allowedip_incremental_stealing_body() +{ + local pri1 pri2 pri3 pub1 pub2 pub3 wg1 + local regex2 regex3 + local tunnel1 tunnel2 + + kldload -n if_wg || atf_skip "This test requires if_wg and could not load it" + + pri1=$(wg genkey) + pri2=$(wg genkey) + pri3=$(wg genkey) + pub2=$(echo "$pri2" | wg pubkey) + pub3=$(echo "$pri3" | wg pubkey) + + regex2=$(echo "$pub2" | sed -e 's/[+]/[+]/g') + regex3=$(echo "$pub3" | sed -e 's/[+]/[+]/g') + + tunnel1=169.254.0.1 + tunnel2=169.254.0.2 + tunnel3=169.254.0.3 + + vnet_mkjail wgtest1 + + wg1=$(jexec wgtest1 ifconfig wg create) + echo "$pri1" | jexec wgtest1 wg set $wg1 private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "${tunnel1}/32,${tunnel2}/32" + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub3 \ + allowed-ips "${tunnel3}/32" + + # First, confirm that the negative syntax doesn't do anything because + # we have the wrong peer. + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "-${tunnel3}/32" + + atf_check -o save:wg.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check grep -Eq "^${regex3}.+${tunnel3}/32" wg.allowed + + # Next, steal it with an incremental move and check that it moved. + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "+${tunnel3}/32" + + atf_check -o save:wg-2.allowed jexec wgtest1 wg show $wg1 allowed-ips + + atf_check grep -Eq "^${regex2}.+${tunnel3}/32" wg-2.allowed + atf_check grep -Evq "^${regex3}.+${tunnel3}/32" wg-2.allowed +} + +wg_allowedip_incremental_stealing_cleanup() +{ + vnet_cleanup +} + atf_init_test_cases() { atf_add_test_case "wg_basic" @@ -425,4 +627,7 @@ atf_init_test_cases() atf_add_test_case "wg_key_peerdev_shared" atf_add_test_case "wg_key_peerdev_makeshared" atf_add_test_case "wg_vnet_parent_routing" + atf_add_test_case "wg_allowedip_incremental" + atf_add_test_case "wg_allowedip_incremental_inet6" + atf_add_test_case "wg_allowedip_incremental_stealing" }