- User Since: Jan 19 2016, 3:04 PM (296 w, 5 d)
Nov 28 2020
Nov 24 2020
Moved the test setup to a different machine, and after 1 hour and 19 minutes of running the test setup I got a panic here:
Nov 23 2020
I did not test Diff 21 79917 (Mon, Nov 23, 10:04 PM) since it does not seem to involve the code responsible for the device destruction panics.
Nov 20 2020
With 79581 applied, device destruction can still panic the kernel (same setup as before: loop create, ping, sleep, destroy on FreeBSD and ping flood the wg address of the FreeBSD machine).
Oct 27 2020
With the same setup (on FreeBSD: while true; do ifconfig wg0 create .....; ping -c 1 PEERIP; sleep 1; ifconfig wg0 destroy; done and on the Linux peer: ping -f FreeBSDwgIP) I can also get a different panic: here the gtaskqueue_drain thread got to wg_deliver_in(...) but peer->p_sc->sc_socket->so_so4 is 0x0.
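A reproduction harness for the churn loop described above, added here as an example and not part of the review thread or of the wireguard port itself: it runs the FreeBSD side of the create / ping / sleep / destroy loop with a cycle counter, so the last line on the console before a panic tells how many cycles it took. The interface name, the 10.99.0.x addresses, the dwell time and the elided key/peer configuration are assumptions; the Linux peer still runs ping -f against the FreeBSD wg address concurrently.

```shell
#!/bin/sh
# Added reproduction harness (not from the review thread): automates the
# create / ping / sleep / destroy churn on the FreeBSD side and prints a cycle
# counter so the console shows how many cycles ran before a panic. The Linux
# peer runs `ping -f <FreeBSD wg address>` at the same time. Interface name,
# addresses and the elided wg key/peer configuration are placeholders.

WG_IF="${WG_IF:-wg0}"
LOCAL_IP="${LOCAL_IP:-10.99.0.1/24}"   # constructed: FreeBSD side wg address
PEER_IP="${PEER_IP:-10.99.0.2}"        # constructed: Linux peer wg address
SLEEP="${SLEEP:-1}"                    # dwell time between ping and destroy
IFCONFIG="${IFCONFIG:-ifconfig}"       # overridable for a dry run (IFCONFIG=:)
PING="${PING:-ping}"

# One churn cycle. Returns 0 only if create and destroy both succeeded; the
# ping is allowed to fail (a reply is not the point, traffic in flight is).
wg_churn_once() {
    $IFCONFIG "$WG_IF" create || return 1
    # Real wg key/peer configuration goes here (elided in the original loop).
    if ! $IFCONFIG "$WG_IF" inet "$LOCAL_IP" up; then
        $IFCONFIG "$WG_IF" destroy
        return 1
    fi
    $PING -c 1 -W 1000 "$PEER_IP" >/dev/null 2>&1 || true
    sleep "$SLEEP"
    $IFCONFIG "$WG_IF" destroy || return 1
}

# Run N cycles (N=0: until interrupted or the machine panics). Prints a
# progress line every 60 cycles on stderr and, on normal completion, the
# total cycle count on stdout.
wg_churn_loop() {
    n="${1:-0}" i=0 start=$(date +%s)
    while [ "$n" -eq 0 ] || [ "$i" -lt "$n" ]; do
        i=$((i + 1))
        wg_churn_once || { echo "cycle $i: create/destroy failed" >&2; return 1; }
        if [ $((i % 60)) -eq 0 ]; then
            echo "cycle $i ok, $(( $(date +%s) - start ))s elapsed" >&2
        fi
    done
    echo "$i"
}

# Only churn for real when explicitly asked:  WG_CHURN_RUN=1 sh wg_churn.sh 0
if [ -n "$WG_CHURN_RUN" ]; then
    wg_churn_loop "${1:-0}"
fi
```

Run it as root on the FreeBSD machine (the wg module has to be loaded and the peer/key configuration filled in at the marked spot); IFCONFIG and PING can be pointed at a no-op to check the loop logic without touching the kernel.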
With 78675 applied (and clone_setdefcallback changed to clone_setdefcallback_prefix in ifwg.c), I got another kernel panic (on wg device destruction):
Oct 15 2020
Another kernel panic triggered by interface destruction: incoming UDP traffic from the wg peer arrives in wg_input() where sc is already gone.
Oct 14 2020
In order to have working wg in VIMAGE jails:
Oct 1 2020
This might be out of scope of this review:
The WGC_SET ioctl is not priv(9) checked (and there is no PRIV_NET_WG entry in sys/priv.h).
IMHO wg_get() (sys/dev/if_wg/module/module.c:526) should not expose the private key and wireguard_status() (sbin/ifconfig/ifwg.c:546) should not print it.
When a peer has more than one AllowedIPs entry, dump_peer() (sys/ifconfig/ifwg.c:270) will print the address (but not the mask) of the first entry multiple times because of sys/ifconfig/ifwg.c:306, which should be
Sep 12 2020
Sep 10 2020
According to ifconfig(8): Cloned interfaces are members of their interface family group by default.
Sep 8 2020
If the wg interface has an IPv6 address, SIOCIFDESTROY can panic the kernel.
Jul 13 2020
After reading D24586:
update path in diff, add PORTREVISION
Jul 12 2020
May 16 2018
May 12 2018
fix RESCUE: include lib/libjail/jail.c in librescue if necessary
May 11 2018
cap_jail.c: improve allocation and error handling in service command
cap_sysctl.c: resolve names to mibs when limits are set.
- rename cap_jail_get -> cap_jail and system.cap_jail_get -> system.cap_jail
- fix copyright
- add man page
- style(9) changes
- use dnvlist_* in service command
- split nvlist -> iov function in two: nvl_to_iov_s is used by the service and makes sure there is space before memcpy
- jls.c: use caph_enter_casper
- cap_sysctl.c: style
- cap_sysctl.3: reference sysctl(3)
May 10 2018
I removed the kernel changes and used libcasper to obtain the sysctl and jail_get functionality needed for jls(1).
May 4 2018
caph_cache_catpages(3) before cap_enter(2)