Page MenuHomeFreeBSD
Differential D28933

wireguard: allow to set IPv6 endpoint
ClosedPublic
Actions

Authored by naito.yuichiro_gmail.com on Feb 26 2021, 1:11 AM.
Tags
None
Referenced Files
F106269087: D28933.diff
Sat, Dec 28, 6:44 AM
Unknown Object (File)
Oct 30 2024, 8:37 AM
Unknown Object (File)
Oct 22 2024, 3:51 PM
Unknown Object (File)
Oct 18 2024, 4:52 PM
Unknown Object (File)
Oct 18 2024, 4:52 PM
Unknown Object (File)
Oct 18 2024, 3:45 PM
Unknown Object (File)
Oct 3 2024, 5:48 AM
Unknown Object (File)
Sep 20 2024, 10:53 PM
View All 43 Files
Subscribers
donner
zarychtam_plan-b.pwste.edu.pl

Details

Reviewers
grehan
donner
Group Reviewers
network
Summary

Most of codes work for IPv6 endpoint, but handling of IPv6 address length is wrong.
This patch fixes to support both of the size of sockaddr_in and sockaddr_in6.
I can confirm this patch works for IPv6 endpoint.

Test Plan

Wireguard tunnel can be set up via IPv6.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

naito.yuichiro_gmail.com requested review of this revision.Feb 26 2021, 1:11 AM
naito.yuichiro_gmail.com created this revision.
kbowling added a reviewer: grehan.Feb 26 2021, 1:39 AM
zarychtam_plan-b.pwste.edu.pl added a subscriber: zarychtam_plan-b.pwste.edu.pl.Feb 26 2021, 5:06 AM
ae added a reviewer: network.Feb 26 2021, 6:44 AM
donner added a subscriber: donner.Feb 26 2021, 7:27 AM
donner added inline comments.
sys/dev/if_wg/module/if_wg_session.c
1885–1894

So we have uninitialized space, if sa_len < sizeof(...)?
So we can overwrite memory, if sa_len > sizeof(...)?

grehan added a comment.Feb 26 2021, 7:28 AM

There's a more complete fix for this in the pfsense repo, that also stores the source address so CARP destination addresses will work:

https://github.com/pfsense/FreeBSD-src/commit/1940e7d3

... also the minor fix for ipv6 tcpdump

https://github.com/pfsense/FreeBSD-src/commit/825ed9ee
naito.yuichiro_gmail.com added a comment.Feb 26 2021, 1:48 PM
In D28933#647903, @grehan wrote:

There's a more complete fix for this in the pfsense repo, that also stores the source address so CARP destination addresses will work:

https://github.com/pfsense/FreeBSD-src/commit/1940e7d3

I think it's better than my code.
Would you please commit pfsense patch after my patch?
It will record the authors of the codes clearly.

... also the minor fix for ipv6 tcpdump

https://github.com/pfsense/FreeBSD-src/commit/825ed9ee

I think it's also necessary for us.

sys/dev/if_wg/module/if_wg_session.c
1885–1894

I'll fix to see sa_family to determine the length of sockaddr_in{6}.

naito.yuichiro_gmail.com updated this revision to Diff 84748.Feb 26 2021, 1:51 PM

Fix to see sa_family to determine the length of struct sockaddr_in{6}.

donner accepted this revision as: donner.Feb 26 2021, 2:12 PM
This revision is now accepted and ready to land.Feb 26 2021, 2:12 PM
zarychtam_plan-b.pwste.edu.pl added a comment.Feb 26 2021, 6:53 PM

The IPv6 endpoint is accepted fine, but the tunnel is still not able to carry the data, at least legacy IP. Is it the complete solution or am I missing anything? At a glance, some outgoing and returning traffic can be dumped on the wg(4) interface, but it doesn't look fully functional since it behaves like a sinkhole with no local exit.

naito.yuichiro_gmail.com added a comment.Feb 27 2021, 1:04 AM
In D28933#648167, @zarychtam_plan-b.pwste.edu.pl wrote:

The IPv6 endpoint is accepted fine, but the tunnel is still not able to carry the data, at least legacy IP. Is it the complete solution or am I missing anything? At a glance, some outgoing and returning traffic can be dumped on the wg(4) interface, but it doesn't look fully functional since it behaves like a sinkhole with no local exit.

Yes, this patch works for me.
I'm going to show you a simple example between hostA and hostB.

After setting up wireguard tunnel:

hostA:
ifconfig wg0 inet 10.0.0.1
route add -host 10.0.0.2 -iface wg0

hostB:
ifocnfig wg0 inet 10.0.0.2
route add -host 10.0.0.1 -iface wg0
ping 10.0.0.1

Could you try this one?
wg(4) is a interface so that outgoing packet must be routed via the interface.

grehan added a comment.Feb 27 2021, 6:29 AM

FYI the cumulative pfsense wireguard changes are in D28962

naito.yuichiro_gmail.com added a comment.Feb 27 2021, 10:11 AM
In D28933#648397, @grehan wrote:

FYI the cumulative pfsense wireguard changes are in D28962

D28962 looks good to me.
If you commit D28962, I'll close this review.

zarychtam_plan-b.pwste.edu.pl added a comment.Mar 2 2021, 10:35 AM
In D28933#648321, @naito.yuichiro_gmail.com wrote:
In D28933#648167, @zarychtam_plan-b.pwste.edu.pl wrote:

The IPv6 endpoint is accepted fine, but the tunnel is still not able to carry the data, at least legacy IP. Is it the complete solution or am I missing anything? At a glance, some outgoing and returning traffic can be dumped on the wg(4) interface, but it doesn't look fully functional since it behaves like a sinkhole with no local exit.

Yes, this patch works for me.
I'm going to show you a simple example between hostA and hostB.

After setting up wireguard tunnel:

hostA:
ifconfig wg0 inet 10.0.0.1
route add -host 10.0.0.2 -iface wg0

hostB:
ifocnfig wg0 inet 10.0.0.2
route add -host 10.0.0.1 -iface wg0
ping 10.0.0.1

Could you try this one?
wg(4) is a interface so that outgoing packet must be routed via the interface.

Works, it was probably my fault.

grehan added a comment.Mar 2 2021, 11:35 AM

D28962 now committed with 95331c228a39

naito.yuichiro_gmail.com added a comment.Mar 3 2021, 12:47 AM

I'm glad the issue has been solved.
Thanks everyone for reviewing and testing my code.

naito.yuichiro_gmail.com closed this revision.Mar 3 2021, 12:49 AM

Revision Contents
Changeset List

PathSize
sys/
dev/
if_wg/
module/
11 lines
8 lines

Diff 84748

View Options

sys/dev/if_wg/module/if_wg_session.c

Loading...
View Options

sys/dev/if_wg/module/module.c

Loading...