| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was recently added to Linux to improve incremental update support,
as you could previously add Allowed-IPs but not remove without replacing
the whole set (and thus, potentially disrupting existing traffic).
Removal is incredibly straightforward; we'll find it in p_aips first
to ensure that it's actually valid for this peer, then we'll delete it
from the radix tree before we remove the corresponding p_aips entry.
Reviewed by: Jason A. Donenfeld, jhb
(cherry picked from commit d15d610fac97df4fefed3f14b31dcfbdcec65bf9)
(cherry picked from commit d1ac3e245f084ee0637bde9a446687621358c418)
|
| |
|
|
|
|
|
|
|
| |
We'll re-use these in a future wg_aip_del() to perfectly reconstruct
what we expect to find in a_addr/a_mask.
Reviewed by: ivy, markj (both earlier version), Aaron LI, jhb
(cherry picked from commit 2475a3dab0d5c5614e303c0022a834f725e2a078)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The only difference in the wg_aip_add() call after IP validation is the
address family. Just pull that out into a variable and avoid the two
different callsites for wg_aip_add(). A future change will add a new
call for each case to remove an address from the peer, so it's nice to
avoid needing to repeat the logic for two different branches.
Reviewed by: Aaron LI, Jason A. Donenfeld, ivy, jhb, markj
(cherry picked from commit ba2607ae7dff17957d9e62ccd567ba716c168e77)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the necessary extra logics (i.e., noise_remote_enable() and
TAILQ_INSERT_TAIL()) from wg_ioctl_set() to wg_peer_alloc(), and thus
make it easier to be called. Actually, the updated version is more
asymmetric to wg_peer_destroy() and thus less likely to be misused.
Meanwhile, rename it to wg_peer_create() to look more consistent with
wg_peer_destroy().
Reviewed by: aly_aaronly.me (diff), markj
Obtained from: DragonflyBSD 902964ab24ba (with some changes)
(cherry picked from commit 7121e9414f294d116caeadd07ebd969136d3a631)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPv4 packets can be routed via an IPv6 nexthop, so the handling of the
parsed address family is more strict than it needs to be. If we have a
valid header that matches a known peer, then we have no reason to
decline the packet.
Convert it to an assertion that it matches the destination as viewed by
the stack below it, instead. `dst` may be the gateway instead of the
destination in the case of a nexthop, so the `af` assignment must be
switched to use the destination in all cases.
Add a test case that approximates a setup like in the PR and
demonstrates the issue.
PR: 284857
Reviewed by: markj (earlier version), zlei
(cherry picked from commit 2bef0d54f74dad6962ef7d1dfa407e95cb4fb4ad)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit bf454ca88bdf made wg_transmit() defined only when "device netmap"
is configured, as if_wg's if_transmit implementation should never be
called otherwise, but this breaks a requirement that interfaces
implement both or neither of if_transmit and if_qflush.
Restore the old behaviour of unconditionally defining wg_transmit(). It
contains an assertion that the interface is in netmap mode.
Reported by: peterj
MFC after: 2 weeks
Fixes: bf454ca88bdf ("wg: Add netmap support")
(cherry picked from commit 5515e8874a8d85a8d961fca64c494dfc1bea4bd0)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When in netmap (emulated) mode, wireguard interfaces prepend or strip a
dummy ethernet header when interfacing with netmap. The netmap
application thus sees unencrypted, de-encapsulated frames with a fixed
header.
In this mode, netmap hooks the if_input and if_transmit routines of the
ifnet. Packets from the host TX ring are handled by wg_if_input(),
which simply hands them to the netisr layer; packets which would
otherwise be tunneled are intercepted in wg_output() and placed in the
host RX ring.
The "physical" TX ring is processed by wg_transmit(), which behaves
identically to wg_output() when netmap is not enabled, and packets
appear in the "physical" RX ring by hooking wg_deliver_in().
Reviewed by: vmaffione
MFC after: 1 month
Sponsored by: Klara, Inc.
Sponsored by: Zenarmor
Differential Revision: https://reviews.freebsd.org/D43460
(cherry picked from commit bf454ca88bdf4acfa873386e876ff5e772e6a830)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pseudo_AF_HDRCMPLT check is already being done in if_loop and
just needed to be ported over to if_ic, if_wg, if_disc, if_gif,
if_gre, if_me, if_tuntap and ng_iface. This is needed in order to
allow these interfaces to work properly with e.g., tcpreplay.
PR: 256587
Reviewed by: markj
MFC after: 2 weeks
Pull Request: https://github.com/freebsd/freebsd-src/pull/876
(cherry picked from commit 2cb0fce24d64039090dc9243cdf0715ee80c91b1)
|
| |
|
|
|
|
|
|
| |
No functional change intended.
MFC after: 1 week
(cherry picked from commit b6a0ed7c78dd45937e404706620467bef61c308d)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The old errno value used is specifically for Capsicum and shouldn't be
co-opted in this way. It has special handling in the generic syscall
layer (see syscallret()). OpenBSD returns ENETUNREACH in this case;
let's do the same thing.
Reviewed by: kevans, imp
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D44582
(cherry picked from commit 63613e3ba1e188e9fece43e1613bd697f04b345e)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Without appropriate load-synchronization to pair with store barriers in
wg_encrypt() and wg_decrypt(), the compiler and hardware are often
allowed to reorder these loads in wg_deliver_out() and wg_deliver_in()
such that we end up with a garbage or intermediate mbuf that we try to
pass on. The issue is particularly prevalent with the weaker
memory models of !x86 platforms.
Switch from the big-hammer wmb() to more explicit acq/rel atomics to
both make it obvious what we're syncing up with, and to avoid somewhat
hefty fences on platforms that don't necessarily need this.
With this patch, my dual-iperf3 reproducer is dramatically more stable
than it is without on aarch64.
PR: 264115
Reviewed by: andrew, zlei
(cherry picked from commit 3705d679a6344c957cae7a1b6372a8bfb8c44f0e)
|
| |
|
|
|
|
|
|
|
|
|
| |
bpfattach() is called in wg_clone_create(), but the bpfdetach() is
missing from wg_close_destroy(). Add the missing bpfdetach() to avoid
leaking both the associated bpf bits as well as the ifnet that bpf will
hold a reference to.
PR: 276526
(cherry picked from commit 43be2d7aaf25b719aec8f49aab110c0061f1edec)
|
| |
|
|
|
|
|
|
|
|
| |
These members are protected by the identity lock, so rlock it in
noise_remote_alloc() and then assert that we have it held to some extent
in noise_precompute_ss().
PR: 276392
(cherry picked from commit 7a4d1d1df0b2e369adcb32aea9ef8c180f885751)
|
| |
|
|
|
|
|
|
|
|
|
| |
In practice this is harmless; only keepalive packets may realistically have
p_mtu == 0, and they'll also have no payload so the math works out the same
either way. Still, let's prefer technical accuracy and calculate the amount
of padding needed rather than the padded length...
PR: 276363
(cherry picked from commit b891f61ef538a4e9b4658b4b756635c8036a5788)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In function 'wg_aip_add()', the error path of returning ENOMEM when
(node == NULL) is forgetting to unlock the radix tree, and thus may lead
to a deadlock.
PR: 275001
Reviewed by: kp
MFC after: 1 week
(cherry picked from commit dcc4d2939f789a6d1f272ffeab2068ba2b7525ea)
|
| |
|
|
| |
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If MOD_LOAD fails, then MOD_UNLOAD will be called to unwind module
state, but wg_module_init() will have already deinitialized everything
it needs to in a manner that renders it unsafe to call MOD_UNLOAD
after (e.g., freed zone not reset to NULL, wg_osd_jail_slot not reset
to 0). Let's simply stop trying to handle freeing everything in
wg_module_init() to simplify it; let the subsequent MOD_UNLOAD deal with
it, and let's make that robust against partially-constructed state.
jhb@ notes that MOD_UNLOAD being called if MOD_LOAD fails is kind of an
anomaly that doesn't match other paradigms in the kernel; e.g., if
device_attach() fails, we don't invoke device_detach(). It's likely
that a future commit will revert this and instead stop calling
MOD_UNLOAD if MOD_LOAD fails, expecting modules to clean up after
themselves in MOD_LOAD upon failure. Some other modules already do this
and may see similar problems to the wg module (see: carp). The proper
fix is decidedly a bit too invasive to do this close to 14 branching,
and it requires auditing all kmods (base + ports) for potential leaks.
PR: 272089
Reviewed by: emaste
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D40708
|
| |
|
|
|
|
|
|
|
| |
Previously we'd jump to the `free_crypto` label, but never set `ret` to
a failure value -- it would retain success from the call just prior.
Set ret up properly.
This is part of D40708, but not the main point of the change.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Other virtual interface drivers (e.g. if_gif, if_stf, if_ovpn) all start
with if_. The wireguard file is also named if_wg, but the module name
was 'wg'.
Fix this inconsistency.
Reported by: Christian McDonald <cmcdonald@netgate.com>
Reviewed by: zlei, kevans
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D39853
|
| |
|
|
|
|
| |
Reviewed By: jhb
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D38307
|
| |
|
|
|
|
| |
MFC after: 2 weeks
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D37740
|
| |
|
|
|
|
| |
Reviewed by: jhb, kp
Approved by: kp (mentor)
Differential Revision: https://reviews.freebsd.org/D37734
|
| |
|
|
|
|
|
| |
I had to make a few other changes when merging the driver to stable/13
anyway, so adjusting this as well isn't really a big deal.
MFC after: 3 days
|
| |
|
|
|
|
| |
Reviewed by: kevans, markj, emaste
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36913
|
| |
|
|
|
|
| |
Reviewed by: kevans, markj, emaste
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36912
|
| |
|
|
|
|
| |
Reviewed by: kevans, markj, emaste
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36911
|
| |
|
|
|
|
|
|
|
| |
Kernel sanitizers only support atomic(9) operations.
Reviewed by: kevans, markj, emaste
Reported by: markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36910
|
|
|
This commit brings back the driver from FreeBSD commit
f187d6dfbf633665ba6740fe22742aec60ce02a2 plus subsequent fixes from
upstream.
Relative to upstream this commit includes a few other small fixes such
as additional INET and INET6 #ifdef's, #include cleanups, and updates
for recent API changes in main.
Reviewed by: pauamma, gbe, kevans, emaste
Obtained from: git@git.zx2c4.com:wireguard-freebsd @ 3cc22b2
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36909
|
