Commit graph

1432 commits

Author SHA1 Message Date
Kristof Provost 248da7940a if_ovpn tests: Test using a TCP socket for DCO
This used to trigger panics, so try to reproduce it.
Create an if_ovpn interface, set a new peer on it with a TCP fd (as
opposed to the expected UDP) and ensure that this is rejected.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-08-11 10:40:03 +02:00
Mark Johnston 1dfa8b73f6 tests: Add more shared shadow regression tests
The new tests exercise simulated COW that occurs when the protections on
a wired, copy-on-write mapping are changed from read-only to read-write.

MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D35636
2022-08-09 18:34:01 -04:00
Kristof Provost b77d581535 if_ovpn tests: remote access test case
Add a (multi-client) test case where we route traffic beyond the ovpn
server, onto a shared LAN.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-08-09 15:14:14 +02:00
Mike Karels ec00e95190 netinet tests: Add test for IPv6 mapped-v4 bind problem
Test fix in 637f317c6d, verifying that when ports run out, we get
an EADDRNOTAVAIL error from bind() rather than an EADDRINUSE error
from connect().  Use small port range to exhaust ports and see which
error happens.

Reviewed by:	tuexen, glebius, melifaro
Differential Revision:	https://reviews.freebsd.org/D36056
MFC after:	3 days (with 637f317c6d)
2022-08-09 07:08:09 -05:00
Gleb Smirnoff e87ff1ea22 tests/socket: add accept_filter(9) test
Test basic functionality of accf_data(9) and accf_http(9)
2022-08-08 14:10:18 -07:00
John Baldwin cc13c98302 ktls_test: Add a require_toe option similar to require_ifnet.
This skips tests that send and receive records that do not use TOE TLS.

Sponsored by:	Chelsio Communications
2022-08-08 11:21:54 -07:00
Alexander V. Chernikov 7064c94a02 tests: add routing tests for switching between same prefixes
Differential Revision: https://reviews.freebsd.org/D36055
MFC after:	2 weeks
2022-08-07 19:45:25 +00:00
Mark Johnston 121e120883 bridge tests: Tests using pft_ping.py require scapy
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-08-04 09:41:52 -04:00
Alexander V. Chernikov f28532a0f3 tests: fix unix_passfd_dgram:rights_creds_payload after be1f485d7d
The test was failing due to the assert on lack of MSG_TRUNC flag in the
 output flags of recvmsg().
The code passed MSG_TRUNC, along with sufficient-size buffer to hold the
 message to-be-received to the recvmsg(), and expected MSG_TRUNC to be
 returned as well.

This is not exactly correct as a) MSG_TRUNC was not even a supported
 recvmsg() flag before be1f485d7d and b) it violates POSIX, as
 POSIX states it should be set only "If a message is too long to fit in
 the supplied buffers,".
The test was working before as the kernel copied input flags to the
 output flags. be1f485d7d changed that behaviour to clear MSG_TRUNC
 if it was present on the input.

Fix the test by checking POSIX-defined behaviour.

Discussed with:	glebius
2022-08-01 09:20:45 +00:00
Alexander V. Chernikov be1f485d7d sockets: add MSG_TRUNC flag handling for recvfrom()/recvmsg().
Implement Linux-variant of MSG_TRUNC input flag used in recv(), recvfrom() and recvmsg().
Posix defines MSG_TRUNC as an output flag, indicating packet/datagram truncation.
Linux extended it a while (~15+ years) ago to act as input flag,
resulting in returning the full packet size regardless of the input
buffer size.
It's a (relatively) popular pattern to do recvmsg( MSG_PEEK | MSG_TRUNC) to get the
packet size, allocate the buffer and issue another call to fetch the packet.
In particular, it's popular in userland netlink code, which is the primary driving factor of this change.

This commit implements the MSG_TRUNC support for SOCK_DGRAM sockets (udp, unix and all soreceive_generic() users).

PR:		kern/176322
Reviewed by:	pauamma(doc)
Differential Revision: https://reviews.freebsd.org/D35909
MFC after:	1 month
2022-07-30 18:21:51 +00:00
Alan Somers f10dd8af4b Reap dead code in lio_kqueue_test and aio_kqueue_test
MFC after:	2 weeks
Differential Revision: https://reviews.freebsd.org/D35358
2022-07-24 09:31:40 -06:00
Alan Somers 57082ce8c4 Add more aio tests
* Add tests for kqueue completion with all file types.
* Add a test for kqueue completion with EV_ONESHOT.
* Cleanup an unused variable.

MFC after:	2 weeks
Differential Revision: https://reviews.freebsd.org/D35359
2022-07-24 09:27:19 -06:00
Kristof Provost cfee1417fb if_vlan tests: Test changing vlan ID
We can now change the vlan ID of an if_vlan interface without
disassociating it from the parent interface.

Test that this works.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D35847
2022-07-21 18:36:01 +02:00
Kornel Dulęba 939f0b6323 Implement shared page address randomization
It used to be mapped at the top of the UVA.
If the randomization is enabled any address above .data section will be
randomly chosen and a guard page will be inserted in the shared page
default location.
The shared page is now mapped in exec_map_stack, instead of
exec_new_vmspace. The latter function is called before image activator
has a chance to parse ASLR related flags.
The KERN_PROC_VM_LAYOUT sysctl was extended to provide shared page
address.
The feature is enabled by default for 64 bit applications on all
architectures.
It can be toggled with the kern.elf64.aslr.shared_page sysctl.

Approved by:	mw(mentor)
Sponsored by:	Stormshield
Obtained from:	Semihalf
Reviewed by:	kib
Differential Revision: https://reviews.freebsd.org/D35349
2022-07-18 16:27:37 +02:00
Dimitry Andric 47be484573 Merge fix for zfs readmmap test from CheriBSD
Merge commit 1737d8397a0 by Brooks Davis:

  time() is declared in time.h

This fixes a -Werror warning from clang 15:

  tests/sys/cddl/zfs/bin/readmmap.c:97:9: error: call to undeclared function 'time'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]

Obtained from:	https://github.com/CTSRD-CHERI/cheribsd/commit/1737d8397a0
MFC after:	3 days
2022-07-15 21:10:09 +02:00
Kristof Provost 6d1471fda8 pf tests: support packet size range in pft_ether.py
Teach pft_ether.py to send a range of packet sizes. Use this to move the
size sweep into Python, removing the repeated Python startup overhead
and greatly speeding up the pf.ether.short_pkt test.

This should fix test timeouts seen on ci.freebsd.org.

While here also extend the range of packet sizes tested, because it adds
very little runtime now.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-07-11 19:55:26 +02:00
Alexander V. Chernikov 50fa27e795 netinet6: fix interface handling for loopback traffic
Currently, processing of IPv6 local traffic is partially broken:
 link-local connection fails and global unicast connect() takes
 3 seconds to complete.
This happens due to the combination of multiple factors.
IPv6 code passes original interface "origifp" when passing
traffic via loopback to retain the scope that is mandatory for the
correct handling of link-local traffic. First problem is that the logic
of passing source interface is not working correctly for TCP connections,
resulting in passing "origifp" on the first 2 connection attempts and
lo0 on the subsequent ones. Second problem is that source address
validation logic skips its checks iff the source interface is loopback,
which doesn't cover "origifp" case.
More detailed description is available at https://reviews.freebsd.org/D35732

Fix the first problem by untangling&simplifying ifp/origifp logic.
Fix the second problem by switching source address validation check to
using M_LOOP mbuf flag instead of interface type.

PR:		265089
Reviewed by:	ae, bz(previous version)
Differential Revision:	https://reviews.freebsd.org/D35732
MFC after:	2 weeks
2022-07-10 12:47:47 +00:00
Alexander V. Chernikov 81a235ecde netinet6: factor out cached route lookups from selectroute().
Currently selectroute() contains two nearly-identical versions of
 the route lookup logic - one for original destination and another
for the case when IPV6_NEXTHOP option was set on the socket.

Factor out handling these route lookups in a separate function to
 improve readability.
This change also fixes handling of link-local IPV6_NEXTHOPs.

Differential Revision: https://reviews.freebsd.org/D35710
MFC after:	2 weeks
2022-07-08 08:58:55 +00:00
Alexander V. Chernikov 78d11a3508 netinet6: add ip6_output() scope tests
Differential Revision: https://reviews.freebsd.org/D35742
2022-07-08 08:54:25 +00:00
Alexander V. Chernikov ce414d02c1 netinet6: add ip6_output() tests.
Differential Revision: https://reviews.freebsd.org/D35708
2022-07-07 10:09:28 +00:00
Kristof Provost 6ba6c05cb2 if_ovpn: deal with short packets
If we receive a UDP packet (directed towards an active OpenVPN socket)
which is too short to contain an OpenVPN header ('struct
ovpn_wire_header') we wound up making m_copydata() read outside the
mbuf, and panicking the machine.

Explicitly check that the packet is long enough to copy the data we're
interested in. If it's not we will pass the packet to userspace, just
like we'd do for an unknown peer.

Extend a test case to provoke this situation.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-07-05 19:27:00 +02:00
Kristof Provost ba3b6b938d pf: handle dummynet for non-IP packets
Do not panic if we try to dummynet an Ethernet packet that's not IPv4 or
IPv6. Simply give it to dummynet.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-07-01 14:31:57 +02:00
Kristof Provost 5fb35badc0 if_ovpn tests: IPv4-mapped IPv6 address test
OpenVPN uses IPv4-mapped IPv6 addresses by default (if we don't specify
'proto udp4', or an IPv4 address to bind to). Test that this works.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
2022-07-01 10:02:32 +02:00
Gleb Smirnoff 48a55bbfe9 unix: change error code for recvmsg() failed due to RLIMIT_NOFILE
Instead of returning EMSGSIZE pass the error code from fdallocn() directly
to userland.  That would be EMFILE, which makes much more sense.  This
error code is not listed in the specification[1], but the specification
doesn't cover such edge case at all.  Meanwhile the specification lists
EMSGSIZE as the error code for invalid value of msg_iovlen, and FreeBSD
follows that, see sys_recmsg().  Differentiating these two cases will make
a developer/admin life much easier when debugging.

[1] https://pubs.opengroup.org/onlinepubs/9699919799/functions/recvmsg.html

Reviewed by:		markj
Differential revision:	https://reviews.freebsd.org/D35640
2022-06-29 09:42:58 -07:00
Kristof Provost 1e5ef2a7e1 if_ovpn tests: extend multi_client test with an iroute test
OpenVPN allows us to push routes for client networks with the 'iroute'
directive. Test that this works as expected.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-06-28 13:51:41 +02:00
Kristof Provost a7a273546e if_ovpn tests: test multiple simultaneous clients
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-06-28 13:51:41 +02:00
Kristof Provost 2fc1fc66c7 if_ovpn tests: Test if_ovpn when there's no route
In client mode (i.e. if there's only one peer) we should be able to
route to the correct peer even if the routing table is incorrect.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-06-28 13:51:30 +02:00
Kristof Provost f8b1ddbfb1 if_ovpn tests: tunnel with CHACHA20-POLY1305
Sponsored by:   Rubicon Communications, LLC ("Netgate")
2022-06-28 13:51:24 +02:00
Kristof Provost c09e62cd91 if_ovpn tests: test pf's route-to
Ensure that pf's route-to works with if_ovpn.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-06-28 13:51:24 +02:00
Kristof Provost 85a15e4704 if_ovpn tests: IPv6 in IPv4 and IPv4 in IPv6 tunnels
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-06-28 13:51:15 +02:00
Kristof Provost 3d4f61350d if_ovpn tests: tunnel over IPv6
Set up a tunnel over IPv6 carrying IPv6 traffic.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
2022-06-28 13:50:58 +02:00
Kristof Provost 08926ae328 if_ovpn tests: timeout on clients
Test that openvpn (DCO) clients are notified and handle timeout events.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D35091
2022-06-28 13:50:45 +02:00
Kristof Provost 067acae2f3 if_ovpn tests: basic test case
Set up an OpenVPN tunnel between two jails, send traffic through them to
confirm basic function.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D35067
2022-06-28 13:50:37 +02:00
Kristof Provost 07ffa50ba0 pf tests: test short packets
Test sending very short packets (i.e. too short for an IP header)
in the Ethernet filtering code.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-06-28 10:31:23 +02:00
Kristof Provost 1e824ee84f if_bridge tests: test adding interfaces with different MTU
We now allow new bridge members to be added with a different MTU from
the bridge. We change the interface MTU to match the bridge.
Test this.

PR:	264883
2022-06-27 08:27:28 +02:00
Alexander V. Chernikov bd03f10a60 routing: add multipath pytest tests
Differential Revision:	https://reviews.freebsd.org/D31084
2022-06-25 19:29:11 +00:00
Gleb Smirnoff 235d960aae tests/unix_passfd: compile SOCK_STREAM and SOCK_DGRAM versions
Most tests pass identically on different kinds of sockets. However,
few edge cases work differently on stream and datagram sockets. We
want to exercise this and document.

Differential revision:	https://reviews.freebsd.org/D35420
2022-06-24 09:09:11 -07:00
Gleb Smirnoff 458f475df8 unix/dgram: smart socket buffers for one-to-many sockets
A one-to-many unix/dgram socket is a socket that has been bound
with bind(2) and can get multiple connections.  A typical example
is /var/run/log bound by syslogd(8) and receiving multiple
connections from libc syslog(3) API.  Until now all of these
connections shared the same receive socket buffer of the bound
socket.  This made the socket vulnerable to overflow attack.
See 240d5a9b1c for a historical attempt to workaround the problem.

This commit creates a per-connection socket buffer for every single
connected socket and eliminates the problem.  The new behavior will
optimize seldom writers over frequent writers.  See added test case
scenarios and code comments for more detailed description of the
new behavior.

Reviewed by:		markj
Differential revision:	https://reviews.freebsd.org/D35303
2022-06-24 09:09:11 -07:00
Claudio Jeker 7958889716 Add tests for TCP_MD5 getsockopt
Add tests for TCP_MD5 getsockopt for ipv6 and ipv4. These will only run
when the kernel module is loaded, but will be in place if further
regressions are found.

Reviewed by:	rscheff
MFC after:	3 days
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D35532
2022-06-23 15:57:56 +01:00
Li-Wen Hsu b256d2dc0c Temporarily skip flaky test case: sys.netpfil.common.dummynet.ipfw_queue
PR:		264805
Sponsored by:	The FreeBSD Foundation
2022-06-21 20:00:07 +08:00
Kristof Provost 3fccdfab64 pf tests: basic 'tagged' test for Ethernet rules
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35364
2022-06-20 10:16:20 +02:00
Kristof Provost 7b271afd62 pf tests: basic 'tagged' test for Ethernet rules
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D35363
2022-06-20 10:16:20 +02:00
Andrew Turner 2ff6e4ee97 Remove PAGE_SIZE from the kcov tests
To allow for a dynamic page size on arm64 remove the static value from
the kcov tests

Sponsored by:	The FreeBSD Foundation
2022-06-17 10:43:30 +01:00
John Baldwin ea4ebdcb4d ktls_test: Permit an option to skip tests not using ifnet TLS.
If ktls.require_ifnet is set to true, then check the TLS offload mode
for tests sending and receiving records and skip the test if the
offload mode is not ifnet mode.

This can be used along with ktls.host to run KTLS tests against a NIC
supporting ifnet TLS and verify that expected cipher suites and
directions used ifnet TLS rather than software TLS.  Receive tests may
result in a false positive as receive ifnet TLS can use software as a
fallback.

Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D35427
2022-06-14 10:35:01 -07:00
John Baldwin 2400a7b18f ktls_test: Permit connecting to a remote echo server for tests.
Previously ktls tests always executed over a local socket pair.
ktls.host can be set to a host to connect to with a single socket
instead.  The remote end is expected to echo back any data received
(such as the echo service).  The port can be set with ktls.port which
defaults to "echo".

This is primarily useful to permit testing NIC TLS offload use cases
where the traffic needs to transit the NIC.

Note that the variables must be set via
'kyua -v test_suites.FreeBSD.ktls.host=host'.

Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D35426
2022-06-14 10:34:51 -07:00
John Baldwin 2c10520533 ktls_test: Add a helper function to close sockets.
Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D35425
2022-06-14 10:34:38 -07:00
Gleb Smirnoff d97922c6c6 unix/*: rewrite unp_internalize() cmsg parsing cycle
Make it a complex, but a single for(;;) statement.  The previous cycle
with some loop logic in the beginning and some loop logic at the end
was confusing.  Both me and markj@ were misled to a conclusion that
some checks are unnecessary, while they actually were necessary.

While here, handle an edge case found by Mark, when on 64-bit platform
an incorrect message from userland would underflow length counter, but
return without any error.  Provide a test case for such message.

Reviewed by:		markj
Differential revision:	https://reviews.freebsd.org/D35375
2022-06-06 10:05:28 -07:00
Thomas Pasqualini 536e1da18b pf tests: pfsync and route_to test case
Test pfsync in a more realistic scenario with carp and route_to rules.

Build this topology and initiate a single ping session from client to
server:
		   ┌──────┐
		   │client│
		   └───┬──┘
		       │
		   ┌───┴───┐
		   │bridge0│
		   └┬─────┬┘
		    │     │
   ┌────────────────┴─┐ ┌─┴────────────────┐
   │gw_route_to_master├─┤gw_route_to_backup│
   └────────────────┬─┘ └─┬────────────────┘
		    │     │
		   ┌┴─────┴┐
		   │bridge1│
		   └┬─────┬┘
		    │     │
   ┌────────────────┴─┐ ┌─┴────────────────┐
   │gw_reply_to_master├─┤gw_reply_to_backup│
   └────────────────┬─┘ └─┬────────────────┘
		    │     │
		   ┌┴─────┴┐
		   │bridge2│
		   └───┬───┘
		       │
		   ┌───┴──┐
		   │server│
		   └──────┘

gw* jails forward traffic through pf route-to rules, not fib lookups.
If backup_promotion arg is given (as in the pfsync_pbr test case), a
carp failover event occurs during the ping session on both gateways.

Verify that ping messages still go where we expect them to go.

MFC after:	2 weeks
Sponsored by:	Orange Business Services
2022-06-04 14:23:17 +02:00
Gleb Smirnoff 70d07b2089 tests/unix_dgram: add test for event dispatchers
Put some data into a socket and check that:

o select(2) sees readable data
o kevent(2) sees data, and correctly sees data size
o ioctl(FIONREAD) sees correct size
o aio(4) successfully reads the data

Repeat the test twice for a connected socket and not-connected.  With
future implementation these two cases would exercise different code.
2022-06-03 12:55:44 -07:00
KUROSAWA Takahiro d6cd20cc5c netinet6: fix ndp proxying
We could insert proxy NDP entries by the ndp command, but the host
with proxy ndp entries had not responded to Neighbor Solicitations.
Change the following points for proxy NDP to work as expected:
* join solicited-node multicast addresses for proxy NDP entries
  in order to receive Neighbor Solicitations.
* look up proxy NDP entries not on the routing table but on the
  link-level address table when receiving Neighbor Solicitations.

Reviewed By: melifaro
Differential Revision: https://reviews.freebsd.org/D35307
MFC after:	2 weeks
2022-05-30 10:53:33 +00:00