Date: Thu, 16 Feb 2023 03:34:47 GMT
Message-Id: <202302160334.31G3Ylwl042921@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kyle Evans
Subject: git: 0d277acfd12e - stable/13 - wg: add a test for the home jail socket feature
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 0d277acfd12e0f11e90791883ea814bca03dd97f

The branch stable/13 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=0d277acfd12e0f11e90791883ea814bca03dd97f

commit 0d277acfd12e0f11e90791883ea814bca03dd97f
Author:     Kyle Evans
AuthorDate: 2023-02-13 05:59:20 +0000
Commit:     Kyle Evans
CommitDate: 2023-02-16 03:29:30 +0000

    wg: add a test for the home jail socket feature

    This adds a test for a semantic that we added to mirror a feature of the
    Linux implementation w/ netns: if a wg interface is moved into a jail, we
    still create the socket in the context of the home vnet.

    With this added, one can actually create vnet jails that only have a wg
    tunnel to the outside world providing network connectivity without any
    epairs in the setup.

    Reviewed by:    jhb, markj (both earlier version)

    (cherry picked from commit 96f4ab26633a457c52fdb9c45f48dcb052b408a4)
---
 tests/sys/net/if_wg.sh | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/tests/sys/net/if_wg.sh b/tests/sys/net/if_wg.sh
index 6946fb72524a..7f5f5daba95d 100644
--- a/tests/sys/net/if_wg.sh
+++ b/tests/sys/net/if_wg.sh
@@ -189,9 +189,81 @@ wg_key_peerdev_makeshared_cleanup() vnet_cleanup } +# The kernel is expected to create the wg socket in the jail context that the +# wg interface was created in, even if the interface is moved to a different +# vnet. +atf_test_case "wg_vnet_parent_routing" "cleanup" +wg_vnet_parent_routing_head() +{ + atf_set descr 'Create a wg(4) tunnel without epairs and pass traffic between jails' + atf_set require.user root +} + +wg_vnet_parent_routing_body() +{ + local pri1 pri2 pub1 pub2 wg1 wg2 + local tunnel1 tunnel2 + + kldload -n if_wg + + pri1=$(wg genkey) + pri2=$(wg genkey) + + tunnel1=169.254.0.1 + tunnel2=169.254.0.2 + + vnet_init + + wg1=$(ifconfig wg create) + wg2=$(ifconfig wg create) + + vnet_mkjail wgtest1 ${wg1} + vnet_mkjail wgtest2 ${wg2} + + echo "$pri1" | jexec wgtest1 wg set $wg1 listen-port 12345 \ + private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + echo "$pri2" | jexec wgtest2 wg set $wg2 listen-port 12346 \ + private-key /dev/stdin + pub2=$(jexec wgtest2 wg show $wg2 public-key) + + atf_check -s exit:0 -o ignore \ + jexec wgtest1 wg set $wg1 peer "$pub2" \ + endpoint 127.0.0.1:12346 allowed-ips ${tunnel2}/32 + atf_check -s exit:0 \ + jexec wgtest1 ifconfig $wg1 inet ${tunnel1}/24 up + + atf_check -s exit:0 -o ignore \ + jexec wgtest2 wg set $wg2 peer "$pub1" \ + endpoint 127.0.0.1:12345 allowed-ips ${tunnel1}/32 + atf_check -s exit:0 \ + jexec wgtest2 ifconfig $wg2 inet ${tunnel2}/24 up + + # Sanity check ICMP counters; should clearly be nothing on these new + # jails. We'll check them as we go to ensure that the ICMP packets + # generated really are being handled by the jails' vnets. + atf_check -o not-match:"histogram" jexec wgtest1 netstat -s -p icmp + atf_check -o not-match:"histogram" jexec wgtest2 netstat -s -p icmp + + # Generous timeout since the handshake takes some time. 
+ atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 5 $tunnel2 + atf_check -o match:"echo reply: 1" jexec wgtest1 netstat -s -p icmp + atf_check -o match:"echo: 1" jexec wgtest2 netstat -s -p icmp + + atf_check -s exit:0 -o ignore jexec wgtest2 ping -c 1 $tunnel1 + atf_check -o match:"echo reply: 1" jexec wgtest2 netstat -s -p icmp + atf_check -o match:"echo: 1" jexec wgtest1 netstat -s -p icmp +} + +wg_vnet_parent_routing_cleanup() +{ + vnet_cleanup +} + atf_init_test_cases() { atf_add_test_case "wg_basic" atf_add_test_case "wg_key_peerdev_shared" atf_add_test_case "wg_key_peerdev_makeshared" + atf_add_test_case "wg_vnet_parent_routing" }
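Review bot: the listen ports 12345 and 12346 in wg_vnet_parent_routing_body are hardcoded, and because the feature under test deliberately places the wg sockets in the home vnet, the `wg set $wg1 listen-port 12345` step will fail spuriously whenever anything else on the host already binds those ports on 127.0.0.1; consider noting that constraint in the head comment or in `atf_set descr`, or at least asserting that the `wg set` calls succeed (they are not wrapped in `atf_check` like the peer configuration is, so a bind failure only shows up later as a confusing ping timeout). Minor: the first ping carries `-t 5` to cover the handshake, but the reverse `jexec wgtest2 ping -c 1 $tunnel1` has no timeout, so a lost session there falls back to ping's default wait rather than failing within the same bound.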