From nobody Sat Mar 15 02:52:08 2025
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Date: Sat, 15 Mar 2025 02:52:08 GMT
Message-Id: <202503150252.52F2q8fH070887@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kyle Evans
Subject: git: 7215aed7974c - stable/14 - kern: wg: remove overly-restrictive address family check
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 7215aed7974cc4b7d3197ca5e5fcf545d3a28c0f
Auto-Submitted: auto-generated

The branch stable/14 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=7215aed7974cc4b7d3197ca5e5fcf545d3a28c0f

commit 7215aed7974cc4b7d3197ca5e5fcf545d3a28c0f
Author:     Kyle Evans
AuthorDate: 2025-03-04 19:57:34 +0000
Commit:     Kyle Evans
CommitDate: 2025-03-15 02:52:02 +0000

    kern: wg: remove overly-restrictive address family check

    IPv4 packets can be routed via an IPv6 nexthop, so the handling of the
    parsed address family is more strict than it needs to be.  If we have a
    valid header that matches a known peer, then we have no reason to
    decline the packet.  Convert it to an assertion that it matches the
    destination as viewed by the stack below it, instead.

    `dst` may be the gateway instead of the destination in the case of a
    nexthop, so the `af` assignment must be switched to use the destination
    in all cases.

    Add a test case that approximates a setup like in the PR and
    demonstrates the issue.

    PR:		284857
    Reviewed by:	markj (earlier version), zlei

    (cherry picked from commit 2bef0d54f74dad6962ef7d1dfa407e95cb4fb4ad)
---
 sys/dev/wg/if_wg.c     |  8 ++---
 tests/sys/net/if_wg.sh | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 5 deletions(-)

diff --git a/sys/dev/wg/if_wg.c b/sys/dev/wg/if_wg.c
index b0ad94e284f1..ed23baf33a17 100644
--- a/sys/dev/wg/if_wg.c +++ b/sys/dev/wg/if_wg.c @@ -2333,7 +2333,7 @@ wg_output(if_t ifp, struct mbuf *m, const struct sockaddr *dst, struct route *ro if (dst->sa_family == AF_UNSPEC || dst->sa_family == pseudo_AF_HDRCMPLT) memcpy(&af, dst->sa_data, sizeof(af)); else - af = dst->sa_family; + af = RO_GET_FAMILY(ro, dst); if (af == AF_UNSPEC) { xmit_err(ifp, m, NULL, af); return (EAFNOSUPPORT); @@ -2358,10 +2358,8 @@ wg_output(if_t ifp, struct mbuf *m, const struct sockaddr *dst, struct route *ro xmit_err(ifp, m, NULL, AF_UNSPEC); return (ret); } - if (parsed_af != af) { - xmit_err(ifp, m, NULL, AF_UNSPEC); - return (EAFNOSUPPORT); - } + + MPASS(parsed_af == af); mtu = (ro != NULL && ro->ro_mtu > 0) ? ro->ro_mtu : if_getmtu(ifp); return (wg_xmit(ifp, m, parsed_af, mtu)); } diff --git a/tests/sys/net/if_wg.sh b/tests/sys/net/if_wg.sh index b43b40f25018..e5df6afface1 100644 --- a/tests/sys/net/if_wg.sh +++ b/tests/sys/net/if_wg.sh 
@@ -92,6 +92,84 @@ wg_basic_cleanup() vnet_cleanup } +atf_test_case "wg_basic_crossaf" "cleanup" +wg_basic_crossaf_head() +{ + atf_set descr 'Create a wg(4) tunnel and pass IPv4 traffic over an IPv6 nexthop' + atf_set require.user root +} + +wg_basic_crossaf_body() +{ + local epair pri1 pri2 pub1 pub2 wg1 wg2 + local endpoint1 endpoint2 tunnel1 tunnel2 + local testnet testlocal testremote + + kldload -n if_wg || atf_skip "This test requires if_wg and could not load it" + + pri1=$(wg genkey) + pri2=$(wg genkey) + + endpoint1=192.168.2.1 + endpoint2=192.168.2.2 + tunnel1=2001:db8:1::1 + tunnel2=2001:db8:1::2 + + testnet=192.168.3.0/24 + testlocal=192.168.3.1 + testremote=192.168.3.2 + + epair=$(vnet_mkepair) + + vnet_init + + vnet_mkjail wgtest1 ${epair}a + vnet_mkjail wgtest2 ${epair}b + + jexec wgtest1 ifconfig ${epair}a ${endpoint1}/24 up + jexec wgtest2 ifconfig ${epair}b ${endpoint2}/24 up + + wg1=$(jexec wgtest1 ifconfig wg create) + echo "$pri1" | jexec wgtest1 wg set $wg1 listen-port 12345 \ + private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + wg2=$(jexec wgtest2 ifconfig wg create) + echo "$pri2" | jexec wgtest2 wg set $wg2 listen-port 12345 \ + private-key /dev/stdin + pub2=$(jexec wgtest2 wg show $wg2 public-key) + + atf_check -s exit:0 -o ignore \ + jexec wgtest1 wg set $wg1 peer "$pub2" \ + endpoint ${endpoint2}:12345 allowed-ips ${tunnel2}/128,${testnet} + atf_check -s exit:0 \ + jexec wgtest1 ifconfig $wg1 inet6 ${tunnel1}/64 up + + atf_check -s exit:0 -o ignore \ + jexec wgtest2 wg set $wg2 peer "$pub1" \ + endpoint ${endpoint1}:12345 allowed-ips ${tunnel1}/128,${testnet} + atf_check -s exit:0 \ + jexec wgtest2 ifconfig $wg2 inet6 ${tunnel2}/64 up + + atf_check -s exit:0 jexec wgtest1 ifconfig $wg1 inet ${testlocal}/32 + atf_check -s exit:0 jexec wgtest2 ifconfig $wg2 inet ${testremote}/32 + + # Generous timeout since the handshake takes some time. 
+ atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 5 "$tunnel2" + + # Setup our IPv6 endpoint and routing + atf_check -s exit:0 -o ignore \ + jexec wgtest1 route add -inet ${testnet} -inet6 "$tunnel2" + atf_check -s exit:0 -o ignore \ + jexec wgtest2 route add -inet ${testnet} -inet6 "$tunnel1" + # Now ping an address on the other side + atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 3 ${testremote} +} + +wg_basic_crossaf_cleanup() +{ + vnet_cleanup +} + atf_test_case "wg_basic_netmap" "cleanup" wg_basic_netmap_head() { @@ -349,6 +427,7 @@ wg_vnet_parent_routing_cleanup() atf_init_test_cases() { atf_add_test_case "wg_basic" + atf_add_test_case "wg_basic_crossaf" atf_add_test_case "wg_basic_netmap" atf_add_test_case "wg_key_peerdev_shared" atf_add_test_case "wg_key_peerdev_makeshared"
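Review bot: in the `@@ -2333` hunk of `if_wg.c` only the `else` branch moves to `af = RO_GET_FAMILY(ro, dst);`; the `AF_UNSPEC` / `pseudo_AF_HDRCMPLT` branch still copies `af` out of `dst->sa_data`, so the commit message's "switched to use the destination in all cases" is not literally what the code does. A one-line comment above the `memcpy` saying why a caller-supplied family in `sa_data` never needs the route's destination (or why consulting `ro` there would be wrong) would spare the next reader the same question. The later context line `mtu = (ro != NULL && ro->ro_mtu > 0) ? ...` shows `ro` can be NULL on this path, so the new assignment also depends on `RO_GET_FAMILY` tolerating a NULL `ro`; please confirm that against the macro's definition rather than assume it.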
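Review bot: in the `@@ -2358` hunk, swapping the `if (parsed_af != af)` error return for `MPASS(parsed_af == af);` means kernels built without INVARIANTS no longer check the family at all, whereas the removed code returned `EAFNOSUPPORT` and accounted the drop through `xmit_err(ifp, m, NULL, AF_UNSPEC)`. If the mismatch is genuinely unreachable now that `af` comes from the destination, a short comment above the assertion naming which layer guarantees `parsed_af == af` would document the invariant for future readers; if any caller can still reach it (the `sa_data`-supplied family in the first branch is the obvious candidate), a cheap runtime check that drops the packet is safer than an assertion that compiles out in production builds.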
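Review bot: the comment `# Setup our IPv6 endpoint and routing` in the `@@ -92` hunk of `if_wg.sh` describes the wrong thing: the two `route add -inet ${testnet} -inet6 "$tunnel2"` / `"$tunnel1"` commands install IPv4 routes whose gateway is the peer's IPv6 tunnel address, which is precisely the cross-family nexthop the fix targets. Suggest `# Route the IPv4 test network via the peer's IPv6 tunnel address (the nexthop case from the PR)` so the intent of the test is visible at the point it matters. Related documentation point: `allowed-ips ${tunnel2}/128,${testnet}` (and the mirror on `wgtest2`) is required because WireGuard's cryptokey routing would otherwise drop the inner IPv4 packets regardless of the kernel fix; a comment noting that dependency would help anyone who later trims the allowed-ips list and sees the final `ping -c 1 -t 3 ${testremote}` time out without understanding why. Feeding the private keys through `private-key /dev/stdin` rather than on the command line is the right call, since it keeps key material out of process listings in the jails.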