Page MenuHomeFreeBSD
Differential D37755

wg: add a test for the home jail socket feature
ClosedPublic
Actions

Authored by kevans on Dec 20 2022, 5:48 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sep 26 2024, 3:49 PM
Unknown Object (File)
Sep 15 2024, 11:16 PM
Unknown Object (File)
Sep 4 2024, 6:32 PM
Unknown Object (File)
Sep 3 2024, 5:33 AM
Unknown Object (File)
Aug 28 2024, 1:26 PM
Unknown Object (File)
Aug 17 2024, 2:16 AM
Unknown Object (File)
Aug 5 2024, 6:02 PM
Unknown Object (File)
Aug 4 2024, 4:52 AM
View All 46 Files
Subscribers
ae
glebius
imp
melifaro
zlei

Details

Reviewers
jhb
markj
Commits
rGe63dcbe7a2cb: wg: tests: remove an obsolete workaround
rG96f4ab26633a: wg: add a test for the home jail socket feature
Summary

This adds a test for a semantic that we added to mirror a feature of
the Linux implementation w/ netns: if a wg interface is moved into a
jail, we still create the socket in the context of the home vnet. With
this added, one can actually create vnet jails that only have a wg
tunnel to the outside world providing network connectivity without any
epairs in the setup.

While we're here, PR 254212 was resolved to avoid issues with not having
IPv6 addresses present in the jail, so let's just drop that workaround.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kevans created this revision.Dec 20 2022, 5:48 AM
Herald added subscribers: glebius, melifaro, ae, imp. · View Herald TranscriptDec 20 2022, 5:48 AM
kevans requested review of this revision.Dec 20 2022, 5:48 AM
Harbormaster completed remote builds in B48767: Diff 114309.Dec 20 2022, 5:48 AM
zlei added a subscriber: zlei.Dec 20 2022, 9:01 AM

if a wg interface is moved into a
jail, we still create the socket in the context of the home vnet.

I think that is technically possible.
The idea is somewhat similar with SIOC[SG]TUNFIB vs SIOC[SG]IFFIB , it is TUN VNET vs IF VNET.

With this added, one can actually create vnet jails that only have a wg
tunnel to the outside world providing network connectivity without any
epairs in the setup

Then processes in child vnet shall not operate (get or set) the tunnel part of ifnet, unless explicitly permitted.
And it will also be complicated to operate the tunnel part of ifnet in home vnet.

kevans added a comment.Dec 20 2022, 3:29 PM
In D37755#858722, @zlei wrote:

if a wg interface is moved into a
jail, we still create the socket in the context of the home vnet.

I think that is technically possible.
The idea is somewhat similar with SIOC[SG]TUNFIB vs SIOC[SG]IFFIB , it is TUN VNET vs IF VNET.

With this added, one can actually create vnet jails that only have a wg
tunnel to the outside world providing network connectivity without any
epairs in the setup

Then processes in child vnet shall not operate (get or set) the tunnel part of ifnet, unless explicitly permitted.
And it will also be complicated to operate the tunnel part of ifnet in home vnet.

This is a feature already implemented- when the interface is created, we hold a reference to the current thread's ucred and use that in socket creation instead of the context at the time of creation. We just didn't have any test coverage for it, yet.

We don't allow the flexibility of changing which vnet the socket is created in on the fly, though... imo if you wanted a tunnel in the current vnet you could have just created it yourself, or your parent could have created the tunnel in your vnet to begin with. We don't want the child to be able to selectively push a socket into the parent's context that the parent didn't bless, so I think we can get away without any added complexity here.

zlei added a comment.Dec 20 2022, 3:53 PM
In D37755#858824, @kevans wrote:
In D37755#858722, @zlei wrote:

if a wg interface is moved into a
jail, we still create the socket in the context of the home vnet.

I think that is technically possible.
The idea is somewhat similar with SIOC[SG]TUNFIB vs SIOC[SG]IFFIB , it is TUN VNET vs IF VNET.

With this added, one can actually create vnet jails that only have a wg
tunnel to the outside world providing network connectivity without any
epairs in the setup

Then processes in child vnet shall not operate (get or set) the tunnel part of ifnet, unless explicitly permitted.
And it will also be complicated to operate the tunnel part of ifnet in home vnet.

This is a feature already implemented- when the interface is created, we hold a reference to the current thread's ucred and use that in socket creation instead of the context at the time of creation. We just didn't have any test coverage for it, yet.

Sorry I have not full looked through the if_wg code and did not know the feature is already implemented .

We don't allow the flexibility of changing which vnet the socket is created in on the fly, though... imo if you wanted a tunnel in the current vnet you could have just created it yourself, or your parent could have created the tunnel in your vnet to begin with. We don't want the child to be able to selectively push a socket into the parent's context that the parent didn't bless, so I think we can get away without any added complexity here.

Looks reasonable!

markj accepted this revision.Dec 20 2022, 4:24 PM
markj added inline comments.
tests/sys/net/if_wg.sh
192
243

I'd maybe go a bit further and try to check that the ICMP packets really are being handled by the jail vnets. Something like checking the netstat -s -p icmp counters in both jails. Just a suggestion, I don't think it's required for the test to be useful.

248

Does this handle destroying the wg interfaces? I thought they would just get rehomed to the jail host.

This revision is now accepted and ready to land.Dec 20 2022, 4:24 PM
jhb accepted this revision.Dec 20 2022, 6:18 PM
jhb added inline comments.
tests/sys/net/if_wg.sh
62

I would maybe split this out as a separate commit?

248

Hmm, if not we need to fix the other tests. I feel like I don't see leaked wg interfaces from the other tests when I've run them though.

markj added inline comments.Dec 20 2022, 6:45 PM
tests/sys/net/if_wg.sh
248

The other tests create the interfaces inside the vnets rather than moving them in. I'm not certain at all, but I believe they'll get destroyed together with their vnets. Here we're creating the interfaces on the host and attaching them to vnets.

kevans added inline comments.Dec 20 2022, 6:50 PM
tests/sys/net/if_wg.sh
248

Yup- vnet_mkjail records the vnet.interface it sets, vnet_cleanup destroys all of those interfaces in the first branch:

if [ -f created_jails.lst ]; then                                       
        while read jailname ifnames; do                                 
                for ifname in ${ifnames}; do                            
                        jexec ${jailname} ifconfig ${ifname} destroy    
                done                                                    
                jail -r ${jailname}                                     
        done < created_jails.lst                                        
        rm created_jails.lst                                            
fi
kevans marked 6 inline comments as done.Feb 13 2023, 6:09 AM
Closed by commit rG96f4ab26633a: wg: add a test for the home jail socket feature (authored by kevans). · Explain WhyFeb 13 2023, 6:10 AM
This revision was automatically updated to reflect the committed changes.
kevans added a commit: rG96f4ab26633a: wg: add a test for the home jail socket feature.
kevans added a commit: rGe63dcbe7a2cb: wg: tests: remove an obsolete workaround.

Revision Contents
Changeset List

PathSize
tests/
sys/
net/
72 lines

Diff 117075

View Options

tests/sys/net/if_wg.sh

Loading...