Skip the test (rather than loading it) if if_ovpn.ko isn't loaded. Match
the behaviour of other tests.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Use the management interface to work out if we've timed out the client,
rather than looking for an openvpn process to die (with incorrect
syntax).
Sponsored by: Rubicon Communications, LLC ("Netgate")
When the tunneled (IPv6) traffic had traffic class bits set (but only >=
16) the packet got lost on the receive side.
This happened because the address family check in ovpn_get_af() failed
to mask correctly, so the version check didn't match, causing us to drop
the packet.
While here also extend the existing 6-in-6 test case to trigger this
issue.
PR: 266598
Sponsored by: Rubicon Communications, LLC ("Netgate")
At least one if_ovpn.sh test relies on pf, so the file includes
netpfil/pf/utils.subr, which doesn't exist if WITHOUT_PF is set.
Do not install the if_ovpn.sh tests if pf is disabled.
Suggested by: Olivier Cochard-Labbé <olivier@freebsd.org>
Sponsored by: Rubicon Communications, LLC ("Netgate")
With clang 15, the following -Werror warning is produced:
tests/sys/net/if_ovpn/if_ovpn_c.c:19:14: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
fake_sockaddr()
^
void
This is because fake_sockaddr() is declared with a (void) argument list,
but defined with an empty argument list. Make the definition match the
declaration.
MFC after: 3 days
This used to trigger panics, so try to reproduce it.
Create an if_ovpn interface, set a new peer on it with a TCP fd (as
opposed to the expected UDP) and ensure that this is rejected.
Sponsored by: Rubicon Communications, LLC ("Netgate")
If we receive a UDP packet (directed towards an active OpenVPN socket)
which is too short to contain an OpenVPN header ('struct
ovpn_wire_header') we wound up making m_copydata() read outside the
mbuf, and panicking the machine.
Explicitly check that the packet is long enough to copy the data we're
interested in. If it's not we will pass the packet to userspace, just
like we'd do for an unknown peer.
Extend a test case to provoke this situation.
Sponsored by: Rubicon Communications, LLC ("Netgate")
OpenVPN uses IPv4-mapped IPv6 addresses by default (if we don't specify
'proto udp4', or an IPv4 address to bind to). Test that this works.
Sponsored by: Rubicon Communications, LLC ("Netgate")
OpenVPN allows us to push routes for client networks with the 'iroute'
directive. Test that this works as expected.
Sponsored by: Rubicon Communications, LLC ("Netgate")
In client mode (i.e. if there's only one peer) we should be able to
route to the correct peer even if the routing table is incorrect.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Test that openvpn (DCO) clients are notified and handle timeout events.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35091
Set up an OpenVPN tunnel between two jails, send traffic through them to
confirm basic function.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35067