By taking shortcuts we were circumventing important hooks.
Reported-by: Frank Behrens <frank@harz.behrens.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
We already handle vnet stuff on wg_reassign, and handling it here means
that everytime we toggle any jail that shares the vnet, we render the
link useless.
Reported-by: Matt Smith <matt.r.smith@bt.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
All of this allocation_order and copying garbage needs to go away by
making the crypto take scatter gather lists.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The outgoing, encrypted packets can use a specified FIB and therefore
utilize specific (default) routes. The implementation follows the
existing convention for other tunnel interfaces and reuses some code
from gre(4) implementation.
The FIB for wg(4) interface is set by standard ifconfig(8) with
parameter "tunnelfib", e.g. "ifconfig wg0 tunnelfib 1".
Signed-off-by: Frank Behrens <frank@harz.behrens.de>
[Jason: rewritten to avoid sosockopt and simplify]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
As reported by: https://marc.info/?l=openbsd-bugs&m=161618496905444&w=2
In particular, when consuming an initiation, we don't generate the
index until creating the response (which is incorrect). If we attempt
to create an initiation between these processes, we drop any
outstanding handshake which in this case has index 0 as set when
consuming the initiation.
The fix attached is to generate the index when consuming the initiation
so that any spurious initiation creation can drop a valid index. The
patch also consolidates setting fields on the handshake.
Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
It's technically point to multipoint. Also, clear the multicast and
broadcast flags. This _could_ cause problems, but hopefully not.
This should fix issues with receiving incoming connections.
Reported-by: Ashish <ashish.is@lostca.se>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
These should have been fixed during our initial pass but somehow
weren't. Good thing we have more time to work on this.
Note that all the exporting and marshalling intermediate structs are
going to have to be thrown out at some point, as this whole dance here
still allocates tons of kernel memory needlessly.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This should allow us to get more testing coverage earlier.
This port here is also a bit janky. I really don't like the taskqgroup
business, having to copy and paste those structs. And this isn't well
tested, either. But, it's a start.
This distinguishes between compat.h and support.h, though both header
files are intended to operate in more or less the same way. It's
important to keep some discipline between things that we're backporting
and things that aren't _yet_ upstream or are shims for OpenBSD.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Rather than relying on the iflib one, which not everyone has available,
define our own.
Reported-by: Frank Behrens <frank@harz.behrens.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This involves weird backporting things. Hopefully support.c here is not
as bad as compat.h on Linux.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Jason A. Donenfeld