#
04a7134c |
| 01-Apr-2025 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn: fix use-after-free of mbuf
m_unshare() can return a new mbuf pointer. We update the 'm' pointer in ovpn_udp_input(), but if we decide to pass on the packet (e.g. because it's for an unknown peer) the caller (udp_append()) continues with the old 'm' pointer, eventually resulting in a use-after-free.
Re-order operations in ovpn_udp_input() so that we don't modify the 'm' pointer until we're committed to keeping the packet.
PR: 283426 Test case by: takahiro.kurosawa@gmail.com MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Revision tags: release/13.5.0, release/14.2.0-p2, release/14.1.0-p8, release/13.4.0-p4, release/14.1.0-p7, release/14.2.0-p1, release/13.4.0-p3, release/14.2.0, release/13.4.0 |
|
#
136b8134 |
| 09-Sep-2024 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: destroy an if_ovpn interface before it's been used
Ensure that we correctly clean up even if the interface never gets a socket assigned.
Reviewed by: markj Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D46617
|
#
480ad405 |
| 04-Jun-2024 |
Kristof Provost <kp@FreeBSD.org> |
vnet tests: check for if_bridge.ko
A number of tests create a bridge, but did not check if if_bridge.ko is loaded.
We usually get away with that, because `ifconfig bridge create` autoloads the module, but if we run the tests in a jail (e.g. because of kyua's upcoming execenv.jail.params feature) we can't load the module and these tests can fail.
Check if the module is loaded, skip the test if it is not.
Reviewed by: markj MFC after: 1 week Event: Kitchener-Waterloo Hackathon 202406 Differential Revision: https://reviews.freebsd.org/D45487
|
Revision tags: release/14.1.0 |
|
#
59a6666e |
| 13-May-2024 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn: cope with loops
User misconfiguration may lead to routing loops where we try to send the tunnel packet into the tunnel. This eventually leads to stack overflows and panics.
Avoid this using if_tunnel_check_nesting(), which will drop the packet if we're looping or we hit three layers of nested tunnels.
MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
e08b4433 |
| 21-Mar-2024 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: test large packets in IPv6 tunnel
There's a report of MTU issues over IPv6 DCO tunnels. Extend the 4in6 test to send a series of pings with different sizes, as well as transfer a large file.
No issues were found, but we may as well extend the test case.
PR: 276838
|
Revision tags: release/13.3.0, release/14.0.0 |
|
#
956a4631 |
| 05-Oct-2023 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: fix ra test
Client one is supposed to be assigned 198.51.100.2, but sometimes it loses the race and the address ends up assigned to client two. When this happened one would try to ping itself, which failed because the loopback interface isn't up.
Ideally we'd generate static address assignments, but that would complicate the test. Activate loopback interfaces so the test always passes, and just try to ping both possible addresses.
MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
4d846d26 |
| 10-May-2023 |
Warner Losh <imp@FreeBSD.org> |
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg MFC After: 3 days Sponsored by: Netflix
|
#
f76df471 |
| 08-May-2023 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: fix route_to test case
* Move the .254 address to the tunnel device so we reply through the tunnel.
* Remove the network route to 'break' routing, which we then 'fix' with pf's route-to, which is the functionality we wanted to test in the first place.
Reported by: markj Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Revision tags: release/13.2.0, release/12.4.0 |
|
#
832c8a58 |
| 11-Nov-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: add aes-128-gcm test case
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
e838ed7c |
| 10-Nov-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: fix typo in test description
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
713efe05 |
| 17-Oct-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: fix timeout test case
Use the management interface to work out if we've timed out the client, rather than looking for an openvpn process to die (with incorrect syntax).
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
188e0696 |
| 17-Oct-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: test explicit exit notifications
Test that when a client exits the server notices this, even without keepalive traffic.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
76e1c9c6 |
| 26-Sep-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn: fix address family check when traffic class bits are set
When the tunneled (IPv6) traffic had traffic class bits set (but only >= 16) the packet got lost on the receive side.
This happened because the address family check in ovpn_get_af() failed to mask correctly, so the version check didn't match, causing us to drop the packet.
While here also extend the existing 6-in-6 test case to trigger this issue.
PR: 266598 Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
b77d5815 |
| 28-Jul-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: remote access test case
Add a (multi-client) test case where we route traffic beyond the ovpn server, onto a shared LAN.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
6ba6c05c |
| 05-Jul-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn: deal with short packets
If we receive a UDP packet (directed towards an active OpenVPN socket) which is too short to contain an OpenVPN header ('struct ovpn_wire_header') we wound up making m_copydata() read outside the mbuf, and panicking the machine.
Explicitly check that the packet is long enough to copy the data we're interested in. If it's not we will pass the packet to userspace, just like we'd do for an unknown peer.
Extend a test case to provoke this situation.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
5fb35bad |
| 30-Jun-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: IPv4-mapped IPv6 address test
OpenVPN uses IPv4-mapped IPv6 addresses by default (if we don't specify 'proto udp4', or an IPv4 address to bind to). Test that this works.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
1e5ef2a7 |
| 15-Jun-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: extend multi_client test with an iroute test
OpenVPN allows us to push routes for client networks with the 'iroute' directive. Test that this works as expected.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
a7a27354 |
| 15-Jun-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: test multiple simultaneous clients
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
2fc1fc66 |
| 14-Jun-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: Test if_ovpn when there's no route
In client mode (i.e. if there's only one peer) we should be able to route to the correct peer even if the routing table is incorrect.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
f8b1ddbf |
| 13-Jun-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: tunnel with CHACHA20-POLY1305
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
c09e62cd |
| 09-Jun-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: test pf's route-to
Ensure that pf's route-to works with if_ovpn.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
85a15e47 |
| 20-May-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: IPv6 in IPv4 and IPv4 in IPv6 tunnels
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
3d4f6135 |
| 18-May-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: tunnel over IPv6
Set up a tunnel over IPv6 carrying IPv6 traffic.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Revision tags: release/13.1.0 |
|
#
08926ae3 |
| 26-Apr-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: timeout on clients
Test that openvpn (DCO) clients are notified and handle timeout events.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D35091
|
#
067acae2 |
| 25-Apr-2022 |
Kristof Provost <kp@FreeBSD.org> |
if_ovpn tests: basic test case
Set up an OpenVPN tunnel between two jails, send traffic through them to confirm basic function.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D35067
|