Setting vlan flags needlessly takes the exclusive VLAN_XLOCK().
If we have stacked vlan devices (i.e. QinQ) and we set vlan flags (e.g.
IFF_PROMISC) we call rtnl_handle_ifevent() to send a notification about
the interface.
This ends up calling SIOCGIFMEDIA, which requires the VLAN_SLOCK().
Trying to take that one with the VLAN_XLOCK() held deadlocks us.
There's no need for the exclusive lock though, as we're only accessing
parent/trunk information, not modifying it, so a shared lock is
sufficient.
While here also add a test case for this issue.
Backtrace:
shared lock of (sx) vlan_sx @ /usr/src/sys/net/if_vlan.c:2192
while exclusively locked from /usr/src/sys/net/if_vlan.c:2307
panic: excl->share
cpuid = 29
time = 1683873033
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe015d4ad4b0
vpanic() at vpanic+0x152/frame 0xfffffe015d4ad500
panic() at panic+0x43/frame 0xfffffe015d4ad560
witness_checkorder() at witness_checkorder+0xcb5/frame 0xfffffe015d4ad720
_sx_slock_int() at _sx_slock_int+0x67/frame 0xfffffe015d4ad760
vlan_ioctl() at vlan_ioctl+0xf8/frame 0xfffffe015d4ad7c0
dump_iface() at dump_iface+0x12f/frame 0xfffffe015d4ad840
rtnl_handle_ifevent() at rtnl_handle_ifevent+0xab/frame 0xfffffe015d4ad8c0
if_setflag() at if_setflag+0xf6/frame 0xfffffe015d4ad930
ifpromisc() at ifpromisc+0x2a/frame 0xfffffe015d4ad960
vlan_setflags() at vlan_setflags+0x60/frame 0xfffffe015d4ad990
vlan_ioctl() at vlan_ioctl+0x216/frame 0xfffffe015d4ad9f0
if_setflag() at if_setflag+0xe4/frame 0xfffffe015d4ada60
ifpromisc() at ifpromisc+0x2a/frame 0xfffffe015d4ada90
bridge_ioctl_add() at bridge_ioctl_add+0x499/frame 0xfffffe015d4adb10
bridge_ioctl() at bridge_ioctl+0x328/frame 0xfffffe015d4adbc0
ifioctl() at ifioctl+0x972/frame 0xfffffe015d4adcc0
kern_ioctl() at kern_ioctl+0x1fe/frame 0xfffffe015d4add30
sys_ioctl() at sys_ioctl+0x154/frame 0xfffffe015d4ade00
amd64_syscall() at amd64_syscall+0x140/frame 0xfffffe015d4adf30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe015d4adf30
--- syscall (54, FreeBSD ELF64, ioctl), rip = 0x22b0f0ef8d8a, rsp = 0x22b0ec63f2c8, rbp = 0x22b0ec63f380 ---
KDB: enter: panic
[ thread pid 5715 tid 101132 ]
Sponsored by: Rubicon Communications, LLC ("Netgate")
* Move the .254 address to the tunnel device so we reply through the
tunnel.
* Remove the network route to 'break' routing, which we then 'fix' with
pf's route-to, which is the functionality we wanted to test in the
first place.
Reported by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Skip the test (rather than loading it) if if_ovpn.ko isn't loaded. Match
the behaviour of other tests.
Sponsored by: Rubicon Communications, LLC ("Netgate")
PR 254212 was resolved to avoid issues with not having IPv6 addresses
present in the jail, so we can safely drop this workaround now...
Reviewed by: jhb, markj
Differential Revision: https://reviews.freebsd.org/D37755
This adds a test for a semantic that we added to mirror a feature of
the Linux implementation w/ netns: if a wg interface is moved into a
jail, we still create the socket in the context of the home vnet. With
this added, one can actually create vnet jails that only have a wg
tunnel to the outside world providing network connectivity without any
epairs in the setup.
Reviewed by: jhb, markj (both earlier version)
Differential Revision: https://reviews.freebsd.org/D37755
Multiple improvements to sniffer.py:
* Remove ambiguity of configuring recvif, it must be now explicitly specified.
* Don't catch exceptions around creating the sniffer, let it properly
fail and display the whole stack trace.
* Count correct packets so that duplicates can be found.
MFC after: 1 week
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38120
Currently `close(2)` erroneously return `EOPNOTSUPP` for `PF_ROUTE` sockets.
It happened after making rtsock socket implementation self-contained (
36b10ac2cd ). Rtsock code marks socket as connected in `rts_attach()`.
`soclose()` tries to disconnect such socket using `.pr_disconnect` callback.
Rtsock does not implement this callback, resulting in the default method being
substituted. This default method returns `ENOTSUPP`, failing `soclose()` logic.
This diff restores the previous behaviour by adding custom `pr_disconnect()`
returning `ENOTCONN`.
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D38059
These were originally added in commit
74ae3f3e33 but have been updated to use
wg(8).
Reviewed by: kevans, markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37400
The root cause of the intermittent span test failures has been
identified as a race between sending the packet and starting the bpf
capture.
This is now resolved, so the test can be re-enabled.
PR: 260461
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Use the management interface to work out if we've timed out the client,
rather than looking for an openvpn process to die (with incorrect
syntax).
Sponsored by: Rubicon Communications, LLC ("Netgate")
When the tunneled (IPv6) traffic had traffic class bits set (but only >=
16) the packet got lost on the receive side.
This happened because the address family check in ovpn_get_af() failed
to mask correctly, so the version check didn't match, causing us to drop
the packet.
While here also extend the existing 6-in-6 test case to trigger this
issue.
PR: 266598
Sponsored by: Rubicon Communications, LLC ("Netgate")
At least one if_ovpn.sh test relies on pf, so the file includes
netpfil/pf/utils.subr, which doesn't exist if WITHOUT_PF is set.
Do not install the if_ovpn.sh tests if pf is disabled.
Suggested by: Olivier Cochard-Labbé <olivier@freebsd.org>
Sponsored by: Rubicon Communications, LLC ("Netgate")
With clang 15, the following -Werror warning is produced:
tests/sys/net/if_ovpn/if_ovpn_c.c:19:14: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
fake_sockaddr()
^
void
This is because fake_sockaddr() is declared with a (void) argument list,
but defined with an empty argument list. Make the definition match the
declaration.
MFC after: 3 days
This used to trigger panics, so try to reproduce it.
Create an if_ovpn interface, set a new peer on it with a TCP fd (as
opposed to the expected UDP) and ensure that this is rejected.
Sponsored by: Rubicon Communications, LLC ("Netgate")
We can now change the vlan ID of an if_vlan interface without
disassociating it from the parent interface.
Test that this works.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35847
If we receive a UDP packet (directed towards an active OpenVPN socket)
which is too short to contain an OpenVPN header ('struct
ovpn_wire_header') we wound up making m_copydata() read outside the
mbuf, and panicking the machine.
Explicitly check that the packet is long enough to copy the data we're
interested in. If it's not we will pass the packet to userspace, just
like we'd do for an unknown peer.
Extend a test case to provoke this situation.
Sponsored by: Rubicon Communications, LLC ("Netgate")
OpenVPN uses IPv4-mapped IPv6 addresses by default (if we don't specify
'proto udp4', or an IPv4 address to bind to). Test that this works.
Sponsored by: Rubicon Communications, LLC ("Netgate")
OpenVPN allows us to push routes for client networks with the 'iroute'
directive. Test that this works as expected.
Sponsored by: Rubicon Communications, LLC ("Netgate")
In client mode (i.e. if there's only one peer) we should be able to
route to the correct peer even if the routing table is incorrect.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Test that openvpn (DCO) clients are notified and handle timeout events.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35091
Set up an OpenVPN tunnel between two jails, send traffic through them to
confirm basic function.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35067
We now allow new bridge members to be added with a different MTU from
the bridge. We change the interface MTU to match the bridge.
Test this.
PR: 264883
When we destroy an interface while the jail containing it is being
destroyed we risk seeing a race between if_vmove() and the destruction
code, which results in us trying to move a destroyed interface.
Protect against this by using the ifnet_detach_sxlock to also covert
if_vmove() (and not just detach).
PR: 262829
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D34704
This test needs to have the loopback interface enabled, or route lookups
for our own IP addresses will fail.
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33041