target/linux/generic/backport-5.4/080-wireguard-0085-wireguard-device-use-icmp_ndo_send-helper.patch - T108 - Gitiles

 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: "Jason A. Donenfeld" <Jason@zx2c4.com>
 Date: Tue, 11 Feb 2020 20:47:08 +0100
 Subject: [PATCH] wireguard: device: use icmp_ndo_send helper

 commit a12d7f3cbdc72c7625881c8dc2660fc2c979fdf2 upstream.

 Because wireguard is calling icmp from network device context, it should
 use the ndo helper so that the rate limiting applies correctly.  This
 commit adds a small test to the wireguard test suite to ensure that the
 new functions continue doing the right thing in the context of
 wireguard. It does this by setting up a condition that will definately
 evoke an icmp error message from the driver, but along a nat'd path.

 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 ---
  drivers/net/wireguard/device.c             |  4 ++--
  tools/testing/selftests/wireguard/netns.sh | 11 +++++++++++
  2 files changed, 13 insertions(+), 2 deletions(-)

 --- a/drivers/net/wireguard/device.c
 +++ b/drivers/net/wireguard/device.c
 @@ -203,9 +203,9 @@ err_peer:
  err:
  	++dev->stats.tx_errors;
  	if (skb->protocol == htons(ETH_P_IP))
 -		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
 +		icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
  	else if (skb->protocol == htons(ETH_P_IPV6))
 -		icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
 +		icmpv6_ndo_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
  	kfree_skb(skb);
  	return ret;
  }
 --- a/tools/testing/selftests/wireguard/netns.sh
 +++ b/tools/testing/selftests/wireguard/netns.sh
 @@ -24,6 +24,7 @@
  set -e

  exec 3>&1
 +export LANG=C
  export WG_HIDE_KEYS=never
  netns0="wg-test-$$-0"
  netns1="wg-test-$$-1"
 @@ -297,7 +298,17 @@ ip1 -4 rule add table main suppress_pref
  n1 ping -W 1 -c 100 -f 192.168.99.7
  n1 ping -W 1 -c 100 -f abab::1111

 +# Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route.
 +n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
 +n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit.
 +n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
 +ip0 -4 route add 192.168.241.1 via 10.0.0.100
 +n2 wg set wg0 peer "$pub1" remove
 +[[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]]
 +
  n0 iptables -t nat -F
 +n0 iptables -t filter -F
 +n2 iptables -t nat -F
  ip0 link del vethrc
  ip0 link del vethrs
  ip1 link del wg0
	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	From: "Jason A. Donenfeld" <Jason@zx2c4.com>
	Date: Tue, 11 Feb 2020 20:47:08 +0100
	Subject: [PATCH] wireguard: device: use icmp_ndo_send helper

	commit a12d7f3cbdc72c7625881c8dc2660fc2c979fdf2 upstream.

	Because wireguard is calling icmp from network device context, it should
	use the ndo helper so that the rate limiting applies correctly. This
	commit adds a small test to the wireguard test suite to ensure that the
	new functions continue doing the right thing in the context of
	wireguard. It does this by setting up a condition that will definately
	evoke an icmp error message from the driver, but along a nat'd path.

	Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
	---
	drivers/net/wireguard/device.c \| 4 ++--
	tools/testing/selftests/wireguard/netns.sh \| 11 +++++++++++
	2 files changed, 13 insertions(+), 2 deletions(-)

	--- a/drivers/net/wireguard/device.c
	+++ b/drivers/net/wireguard/device.c
	@@ -203,9 +203,9 @@ err_peer:
	err:
	++dev->stats.tx_errors;
	if (skb->protocol == htons(ETH_P_IP))
	- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
	+ icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
	else if (skb->protocol == htons(ETH_P_IPV6))
	- icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
	+ icmpv6_ndo_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
	kfree_skb(skb);
	return ret;
	}
	--- a/tools/testing/selftests/wireguard/netns.sh
	+++ b/tools/testing/selftests/wireguard/netns.sh
	@@ -24,6 +24,7 @@
	set -e

	exec 3>&1
	+export LANG=C
	export WG_HIDE_KEYS=never
	netns0="wg-test-$$-0"
	netns1="wg-test-$$-1"
	@@ -297,7 +298,17 @@ ip1 -4 rule add table main suppress_pref
	n1 ping -W 1 -c 100 -f 192.168.99.7
	n1 ping -W 1 -c 100 -f abab::1111

	+# Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route.
	+n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
	+n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit.
	+n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
	+ip0 -4 route add 192.168.241.1 via 10.0.0.100
	+n2 wg set wg0 peer "$pub1" remove
	+[[ $(! n0 ping -W 1 -c 1 192.168.241.1 \|\| false) == "From 10.0.0.100 icmp_seq=1 Destination Host Unreachable" ]]
	+
	n0 iptables -t nat -F
	+n0 iptables -t filter -F
	+n2 iptables -t nat -F
	ip0 link del vethrc
	ip0 link del vethrs
	ip1 link del wg0