
wireguard: device: use icmp_ndo_send helper

Because wireguard is calling icmp from network device context, it should
use the ndo helper so that the rate limiting applies correctly. This
commit adds a small test to the wireguard test suite to ensure that the
new functions continue doing the right thing in the context of
wireguard. It does this by setting up a condition that will definitely
evoke an icmp error message from the driver, but along a nat'd path.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Jason A. Donenfeld and committed by
David S. Miller
a12d7f3c 67c9a7e1

+13 -2
+2 -2
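--- a/drivers/net/wireguard/device.c
+++ b/drivers/net/wireguard/device.c
@@ -203,9 +203,9 @@
 err:
 	++dev->stats.tx_errors;
 	if (skb->protocol == htons(ETH_P_IP))
-		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
+		icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
 	else if (skb->protocol == htons(ETH_P_IPV6))
-		icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
+		icmpv6_ndo_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
 	kfree_skb(skb);
 	return ret;
 }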
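Review bot: The two changed lines switch to `icmp_ndo_send`/`icmpv6_ndo_send` without a comment, so a later reader has no way to tell from the code why the plain `icmp_send`/`icmpv6_send` is the wrong call at this site; the reason is only in the commit description (the error is generated from network device context, and the ndo helpers are what make the icmp rate limiting apply correctly there). I would add, above the `if (skb->protocol == htons(ETH_P_IP))` line, `/* Sending from network device context: the ndo_ helpers apply the icmp rate limiting correctly here. */`, so the rate-limit dependency survives the next refactor. The enclosing function, and whatever jumps to the `err:` label, start outside the hunk, so the exact entry point is not visible from this view.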
+11
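--- a/tools/testing/selftests/wireguard/netns.sh
+++ b/tools/testing/selftests/wireguard/netns.sh
@@ -24,6 +24,7 @@
 set -e
 
 exec 3>&1
+export LANG=C
 export WG_HIDE_KEYS=never
 netns0="wg-test-$$-0"
 netns1="wg-test-$$-1"
@@ -298,7 +297,17 @@
 n1 ping -W 1 -c 100 -f 192.168.99.7
 n1 ping -W 1 -c 100 -f abab::1111
 
+# Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route.
+n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
+n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit.
+n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
+ip0 -4 route add 192.168.241.1 via 10.0.0.100
+n2 wg set wg0 peer "$pub1" remove
+[[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]]
+
 n0 iptables -t nat -F
+n0 iptables -t filter -F
+n2 iptables -t nat -F
 ip0 link del vethrc
 ip0 link del vethrs
 ip1 link del wg0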
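Review bot: The check added at new line 306 matches ping's human-readable output literally (`From 10.0.0.100 icmp_seq=1 Destination Host Unreachable`), and the `export LANG=C` added in the first hunk is presumably what keeps that text from being localized, but nothing in either hunk ties the two together; I would annotate the export with `export LANG=C # the icmp-error check below matches ping's English output literally` so the next person does not drop it as unused. The `|| false` inside the command substitution does not contribute to the test: `[[ … ]]` compares only the captured text, and the substitution's exit status is not what the test evaluates, so the string comparison is the real assertion and a short comment saying so on that line would save a reader the puzzle. The script is flat, so there is no enclosing function, and the setup that assigns 10.0.0.100 and `$pub1` lies outside the hunk.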