From 96f4ab26633a457c52fdb9c45f48dcb052b408a4 Mon Sep 17 00:00:00 2001 From: Kyle Evans Date: Sun, 12 Feb 2023 23:59:20 -0600 Subject: [PATCH] wg: add a test for the home jail socket feature This adds a test for a semantic that we added to mirror a feature of the Linux implementation w/ netns: if a wg interface is moved into a jail, we still create the socket in the context of the home vnet. With this added, one can actually create vnet jails that only have a wg tunnel to the outside world providing network connectivity without any epairs in the setup. Reviewed by: jhb, markj (both earlier version) Differential Revision: https://reviews.freebsd.org/D37755 --- tests/sys/net/if_wg.sh | 72 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) diff --git a/tests/sys/net/if_wg.sh b/tests/sys/net/if_wg.sh index 1612e05ef168..80461127fde7 100644 --- a/tests/sys/net/if_wg.sh +++ b/tests/sys/net/if_wg.sh @@ -189,9 +189,81 @@ wg_key_peerdev_makeshared_cleanup() vnet_cleanup } +# The kernel is expected to create the wg socket in the jail context that the +# wg interface was created in, even if the interface is moved to a different +# vnet. +atf_test_case "wg_vnet_parent_routing" "cleanup" +wg_vnet_parent_routing_head() +{ + atf_set descr 'Create a wg(4) tunnel without epairs and pass traffic between jails' + atf_set require.user root +} + +wg_vnet_parent_routing_body() +{ + local pri1 pri2 pub1 pub2 wg1 wg2 + local tunnel1 tunnel2 + + kldload -n if_wg + + pri1=$(wg genkey) + pri2=$(wg genkey) + + tunnel1=169.254.0.1 + tunnel2=169.254.0.2 + + vnet_init + + wg1=$(ifconfig wg create) + wg2=$(ifconfig wg create) + + vnet_mkjail wgtest1 ${wg1} + vnet_mkjail wgtest2 ${wg2} + + echo "$pri1" | jexec wgtest1 wg set $wg1 listen-port 12345 \ + private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + echo "$pri2" | jexec wgtest2 wg set $wg2 listen-port 12346 \ + private-key /dev/stdin + pub2=$(jexec wgtest2 wg show $wg2 public-key) + + atf_check -s exit:0 -o ignore \ + jexec wgtest1 wg set $wg1 peer "$pub2" \ + endpoint 127.0.0.1:12346 allowed-ips ${tunnel2}/32 + atf_check -s exit:0 \ + jexec wgtest1 ifconfig $wg1 inet ${tunnel1}/24 up + + atf_check -s exit:0 -o ignore \ + jexec wgtest2 wg set $wg2 peer "$pub1" \ + endpoint 127.0.0.1:12345 allowed-ips ${tunnel1}/32 + atf_check -s exit:0 \ + jexec wgtest2 ifconfig $wg2 inet ${tunnel2}/24 up + + # Sanity check ICMP counters; should clearly be nothing on these new + # jails. We'll check them as we go to ensure that the ICMP packets + # generated really are being handled by the jails' vnets. + atf_check -o not-match:"histogram" jexec wgtest1 netstat -s -p icmp + atf_check -o not-match:"histogram" jexec wgtest2 netstat -s -p icmp + + # Generous timeout since the handshake takes some time. + atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 5 $tunnel2 + atf_check -o match:"echo reply: 1" jexec wgtest1 netstat -s -p icmp + atf_check -o match:"echo: 1" jexec wgtest2 netstat -s -p icmp + + atf_check -s exit:0 -o ignore jexec wgtest2 ping -c 1 $tunnel1 + atf_check -o match:"echo reply: 1" jexec wgtest2 netstat -s -p icmp + atf_check -o match:"echo: 1" jexec wgtest1 netstat -s -p icmp +} + +wg_vnet_parent_routing_cleanup() +{ + vnet_cleanup +} + atf_init_test_cases() { atf_add_test_case "wg_basic" atf_add_test_case "wg_key_peerdev_shared" atf_add_test_case "wg_key_peerdev_makeshared" + atf_add_test_case "wg_vnet_parent_routing" }