| 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| 2 | From: "Jason A. Donenfeld" <Jason@zx2c4.com> |
| 3 | Date: Tue, 11 Feb 2020 20:47:08 +0100 |
| 4 | Subject: [PATCH] wireguard: device: use icmp_ndo_send helper |
| 5 | |
| 6 | commit a12d7f3cbdc72c7625881c8dc2660fc2c979fdf2 upstream. |
| 7 | |
| 8 | Because wireguard is calling icmp from network device context, it should |
| 9 | use the ndo helper so that the rate limiting applies correctly. This |
| 10 | commit adds a small test to the wireguard test suite to ensure that the |
| 11 | new functions continue doing the right thing in the context of |
| 12 | wireguard. It does this by setting up a condition that will definitely |
| 13 | evoke an icmp error message from the driver, but along a nat'd path. |
| 14 | |
| 15 | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> |
| 16 | Signed-off-by: David S. Miller <davem@davemloft.net> |
| 17 | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> |
| 18 | --- |
| 19 | drivers/net/wireguard/device.c | 4 ++-- |
| 20 | tools/testing/selftests/wireguard/netns.sh | 11 +++++++++++ |
| 21 | 2 files changed, 13 insertions(+), 2 deletions(-) |
| 22 | |
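--- a/drivers/net/wireguard/device.c
+++ b/drivers/net/wireguard/device.c
@@ -203,9 +203,9 @@ err_peer:
 err:
 ++dev->stats.tx_errors;
 if (skb->protocol == htons(ETH_P_IP))
-icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
+icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
 else if (skb->protocol == htons(ETH_P_IPV6))
-icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
+icmpv6_ndo_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
 kfree_skb(skb);
 return ret;
 }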
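Review bot: The `err:` path now replies through icmp_ndo_send()/icmpv6_ndo_send(), but nothing at the call site records why the ndo variants are required, so a later cleanup could quietly revert to icmp_send() without anything in the code objecting; a one-line comment above the `if` would pin the intent, e.g. `/* Called from ndo context: the ndo helpers apply the correct rate limit (and, per the netns selftest, the error reaches a NAT'd sender). */`. The enclosing function starts outside the hunk, so whether `skb` and `ret` are always valid when control reaches this label cannot be confirmed from here. The selftest added in tools/testing/selftests/wireguard/netns.sh pings an IPv4 address only, so the icmpv6_ndo_send() branch gets no coverage from this commit; a matching IPv6 probe would close that gap.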
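--- a/tools/testing/selftests/wireguard/netns.sh
+++ b/tools/testing/selftests/wireguard/netns.sh
@@ -24,6 +24,7 @@
 set -e
 
 exec 3>&1
+export LANG=C
 export WG_HIDE_KEYS=never
 netns0="wg-test-$$-0"
 netns1="wg-test-$$-1"
@@ -297,7 +298,17 @@ ip1 -4 rule add table main suppress_pref
 n1 ping -W 1 -c 100 -f 192.168.99.7
 n1 ping -W 1 -c 100 -f abab::1111
 
+# Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route.
+n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
+n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit.
+n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
+ip0 -4 route add 192.168.241.1 via 10.0.0.100
+n2 wg set wg0 peer "$pub1" remove
+[[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]]
+
 n0 iptables -t nat -F
+n0 iptables -t filter -F
+n2 iptables -t nat -F
 ip0 link del vethrc
 ip0 link del vethrs
 ip1 link del wg0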
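Review bot: The new assertion matches ping's human-readable output verbatim (`From 10.0.0.100 icmp_seq=1 Destination Host Unreachable`), and the `export LANG=C` added in the first hunk is what keeps that text stable, but nothing links the two, so the export looks removable; a comment on it, `# C locale: the ping error text is string-matched later in this script.`, would make the dependency explicit. The match also pins `icmp_seq=1`, which is only true because `-c 1` sends a single probe; if the count is ever raised the check silently stops being specific. The cleanup after the check flushes ns0's filter table and ns2's nat table but leaves ns2's ip_forward sysctl and ns0's route to 192.168.241.1 in place; that is presumably harmless since the veths are deleted right after and the namespaces are per-run, but it is worth confirming no later step relies on ns2 not forwarding.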