| author | Kyle Evans <kevans@FreeBSD.org> | 2021-03-15 02:25:40 +0000 |
|---|---|---|
| committer | Kyle Evans <kevans@FreeBSD.org> | 2021-03-15 04:52:04 +0000 |
| commit | 74ae3f3e33b810248da19004c58b3581cd367843 (patch) | |
| tree | b17ce98b77a3a1a86e8255dad7861d9c160222a9 /sys/sys | |
| parent | 3e5e9939cda3b24df37c37da5f195415a894d9fd (diff) | |
| download | src-74ae3f3e33b810248da19004c58b3581cd367843.tar.gz src-74ae3f3e33b810248da19004c58b3581cd367843.zip | |
if_wg: import latest fixup work from the wireguard-freebsd project
This is the culmination of about a week of work from three developers to
fix a number of functional and security issues. This patch consists of
work done by the following folks:
- Jason A. Donenfeld <Jason@zx2c4.com>
- Matt Dunwoodie <ncon@noconroy.net>
- Kyle Evans <kevans@FreeBSD.org>
Notable changes include:
- Packets are now correctly staged for processing once the handshake has
completed, resulting in less packet loss in the interim.
- Various race conditions have been resolved, particularly w.r.t. socket
and packet lifetime (panics)
- Various tests have been added to assure correct functionality and
tooling conformance
- Many security issues have been addressed
- if_wg now maintains jail-friendly semantics: sockets are created in
the interface's home vnet so that it can act as the sole network
connection for a jail
- if_wg no longer fails to remove peer allowed-ips of 0.0.0.0/0
- if_wg now exports via ioctl a format that is future proof and
complete. It is additionally supported by the upstream
wireguard-tools (which we plan to merge into base soon)
- if_wg now conforms to the WireGuard protocol and is more closely
aligned with security auditing guidelines
Note that the driver has been rebased away from using iflib. iflib
poses a number of challenges for a cloned device trying to operate in a
vnet that are non-trivial to solve and adds complexity to the
implementation for little gain.
The crypto implementation that was previously added to the tree was a
super complex integration of what previously appeared in an old out of
tree Linux module, which has been reduced to crypto.c containing simple
boring reference implementations. This is part of a near-to-mid term
goal to work with FreeBSD kernel crypto folks and take advantage of or
improve accelerated crypto already offered elsewhere.
There's additional test suite effort underway out-of-tree taking
advantage of the aforementioned jail-friendly semantics to test a number
of real-world topologies, based on netns.sh.
Also note that this is still a work in progress; work going further will
be much smaller in nature.
MFC after: 1 month (maybe)
Diffstat (limited to 'sys/sys')

| -rw-r--r-- | sys/sys/priv.h | 1 |
|---|---|---|
| -rw-r--r-- | sys/sys/socketvar.h | 1 |

2 files changed, 2 insertions, 0 deletions
diff --git a/sys/sys/priv.h b/sys/sys/priv.h index 7ef54782a60d..9d8a3204add5 100644 --- a/sys/sys/priv.h +++ b/sys/sys/priv.h @@ -347,6 +347,7 @@ #define PRIV_NET_VXLAN 420 /* Administer vxlan. */ #define PRIV_NET_SETLANPCP 421 /* Set LAN priority. */ #define PRIV_NET_SETVLANPCP PRIV_NET_SETLANPCP /* Alias Set VLAN priority */ +#define PRIV_NET_WG 422 /* Administrate if_wg. */ /* * 802.11-related privileges. diff --git a/sys/sys/socketvar.h b/sys/sys/socketvar.h index 295a1cf3d37f..a5bb8a2587ea 100644 --- a/sys/sys/socketvar.h +++ b/sys/sys/socketvar.h @@ -414,6 +414,7 @@ void soaio_enqueue(struct task *task); void soaio_rcv(void *context, int pending); void soaio_snd(void *context, int pending); int socheckuid(struct socket *so, uid_t uid); +int sogetsockaddr(struct socket *so, struct sockaddr **nam); int sobind(struct socket *so, struct sockaddr *nam, struct thread *td); int sobindat(int fd, struct socket *so, struct sockaddr *nam, struct thread *td); |
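Review bot: in the sys/sys/priv.h hunk, the comment on the new PRIV_NET_WG line reads "Administrate if_wg." while the neighbouring entries use "Administer" ("Administer vxlan."); suggest "Administer if_wg." for consistency. Because the commit message says if_wg sockets are created in the interface's home vnet so the interface can be a jail's sole network connection, it is also worth confirming that this new privilege is allowed by the jail privilege check (prison_priv_check() in sys/kern/kern_jail.c, outside this diffstat); privileges not listed there are denied to jailed processes by default, which would stop a vnet jail's root from configuring its only interface.

Review bot: in the sys/sys/socketvar.h hunk, the new sogetsockaddr() prototype says nothing about who owns the struct sockaddr handed back through *nam. None of the adjacent prototypes carry comments either, but for an out-parameter that returns an allocation, a one-line comment here (or at the definition) stating that the caller must free it with the matching malloc type would prevent leaks and double frees in callers such as if_wg. The definition is not part of this diffstat (limited to sys/sys), so the contract cannot be checked from these lines alone.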