summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/plugins/wireguard/wireguard_if.c8
-rw-r--r--src/plugins/wireguard/wireguard_peer.h2
-rw-r--r--test/test_wireguard.py62
3 files changed, 63 insertions, 9 deletions
diff --git a/src/plugins/wireguard/wireguard_if.c b/src/plugins/wireguard/wireguard_if.c
index ab37d086492..fd123471a8c 100644
--- a/src/plugins/wireguard/wireguard_if.c
+++ b/src/plugins/wireguard/wireguard_if.c
@@ -153,6 +153,14 @@ wg_if_update_adj (vnet_main_t * vnm, u32 sw_if_index, adj_index_t ai)
{
index_t wgii;
+ /* Convert any neighbour adjacency that has a next-hop reachable through
+ * the wg interface into a midchain. This is to avoid sending ARP/ND to
+ * resolve the next-hop address via the wg interface. Then, if one of the
+ * peers has matching prefix among allowed prefixes, the midchain will be
+ * updated to the corresponding one.
+ */
+ adj_nbr_midchain_update_rewrite (ai, NULL, NULL, ADJ_FLAG_NONE, NULL);
+
wgii = wg_if_find_by_sw_if_index (sw_if_index);
wg_if_peer_walk (wg_if_get (wgii), wg_peer_if_adj_change, &ai);
}
diff --git a/src/plugins/wireguard/wireguard_peer.h b/src/plugins/wireguard/wireguard_peer.h
index f3d80fbf9fe..a14f2692b1c 100644
--- a/src/plugins/wireguard/wireguard_peer.h
+++ b/src/plugins/wireguard/wireguard_peer.h
@@ -166,7 +166,7 @@ wg_peer_get (index_t peeri)
static inline index_t
wg_peer_get_by_adj_index (index_t ai)
{
- if (ai > vec_len (wg_peer_by_adj_index))
+ if (ai >= vec_len (wg_peer_by_adj_index))
return INDEX_INVALID;
return (wg_peer_by_adj_index[ai]);
}
diff --git a/test/test_wireguard.py b/test/test_wireguard.py
index 1a955b162f1..8ab0cbc6781 100644
--- a/test/test_wireguard.py
+++ b/test/test_wireguard.py
@@ -392,10 +392,12 @@ class TestWg(VppTestCase):
wg6_input_node_name = "/err/wg6-input/"
kp4_error = wg4_output_node_name + "Keypair error"
mac4_error = wg4_input_node_name + "Invalid MAC handshake"
- peer4_error = wg4_input_node_name + "Peer error"
+ peer4_in_err = wg4_input_node_name + "Peer error"
+ peer4_out_err = wg4_output_node_name + "Peer error"
kp6_error = wg6_output_node_name + "Keypair error"
mac6_error = wg6_input_node_name + "Invalid MAC handshake"
- peer6_error = wg6_input_node_name + "Peer error"
+ peer6_in_err = wg6_input_node_name + "Peer error"
+ peer6_out_err = wg6_output_node_name + "Peer error"
@classmethod
def setUpClass(cls):
@@ -421,10 +423,12 @@ class TestWg(VppTestCase):
super(VppTestCase, self).setUp()
self.base_kp4_err = self.statistics.get_err_counter(self.kp4_error)
self.base_mac4_err = self.statistics.get_err_counter(self.mac4_error)
- self.base_peer4_err = self.statistics.get_err_counter(self.peer4_error)
+ self.base_peer4_in_err = self.statistics.get_err_counter(self.peer4_in_err)
+ self.base_peer4_out_err = self.statistics.get_err_counter(self.peer4_out_err)
self.base_kp6_err = self.statistics.get_err_counter(self.kp6_error)
self.base_mac6_err = self.statistics.get_err_counter(self.mac6_error)
- self.base_peer6_err = self.statistics.get_err_counter(self.peer6_error)
+ self.base_peer6_in_err = self.statistics.get_err_counter(self.peer6_in_err)
+ self.base_peer6_out_err = self.statistics.get_err_counter(self.peer6_out_err)
def test_wg_interface(self):
"""Simple interface creation"""
@@ -577,6 +581,9 @@ class TestWg(VppTestCase):
r1 = VppIpRoute(
self, "10.11.3.0", 24, [VppRoutePath("10.11.3.1", wg0.sw_if_index)]
).add_vpp_config()
+ r2 = VppIpRoute(
+ self, "20.22.3.0", 24, [VppRoutePath("20.22.3.1", wg0.sw_if_index)]
+ ).add_vpp_config()
# route a packet into the wg interface
# use the allowed-ip prefix
@@ -592,6 +599,21 @@ class TestWg(VppTestCase):
self.base_kp4_err + 1, self.statistics.get_err_counter(self.kp4_error)
)
+ # route a packet into the wg interface
+ # use a not allowed-ip prefix
+ # this is dropped because there is no matching peer
+ p = (
+ Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
+ / IP(src=self.pg0.remote_ip4, dst="20.22.3.2")
+ / UDP(sport=555, dport=556)
+ / Raw()
+ )
+ self.send_and_assert_no_replies(self.pg0, [p])
+ self.assertEqual(
+ self.base_peer4_out_err + 1,
+ self.statistics.get_err_counter(self.peer4_out_err),
+ )
+
# send a handsake from the peer with an invalid MAC
p = peer_1.mk_handshake(self.pg1)
p[WireguardInitiation].mac1 = b"foobar"
@@ -606,7 +628,8 @@ class TestWg(VppTestCase):
)
self.send_and_assert_no_replies(self.pg1, [p])
self.assertEqual(
- self.base_peer4_err + 1, self.statistics.get_err_counter(self.peer4_error)
+ self.base_peer4_in_err + 1,
+ self.statistics.get_err_counter(self.peer4_in_err),
)
# send a valid handsake init for which we expect a response
@@ -694,6 +717,7 @@ class TestWg(VppTestCase):
self.assertEqual(rx[IP].ttl, 19)
r1.remove_vpp_config()
+ r2.remove_vpp_config()
peer_1.remove_vpp_config()
wg0.remove_vpp_config()
@@ -715,6 +739,9 @@ class TestWg(VppTestCase):
r1 = VppIpRoute(
self, "1::3:0", 112, [VppRoutePath("1::3:1", wg0.sw_if_index)]
).add_vpp_config()
+ r2 = VppIpRoute(
+ self, "22::3:0", 112, [VppRoutePath("22::3:1", wg0.sw_if_index)]
+ ).add_vpp_config()
# route a packet into the wg interface
# use the allowed-ip prefix
@@ -732,6 +759,21 @@ class TestWg(VppTestCase):
self.base_kp6_err + 1, self.statistics.get_err_counter(self.kp6_error)
)
+ # route a packet into the wg interface
+ # use a not allowed-ip prefix
+ # this is dropped because there is no matching peer
+ p = (
+ Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
+ / IPv6(src=self.pg0.remote_ip6, dst="22::3:2")
+ / UDP(sport=555, dport=556)
+ / Raw()
+ )
+ self.send_and_assert_no_replies(self.pg0, [p])
+ self.assertEqual(
+ self.base_peer6_out_err + 1,
+ self.statistics.get_err_counter(self.peer6_out_err),
+ )
+
# send a handsake from the peer with an invalid MAC
p = peer_1.mk_handshake(self.pg1, True)
p[WireguardInitiation].mac1 = b"foobar"
@@ -747,7 +789,8 @@ class TestWg(VppTestCase):
)
self.send_and_assert_no_replies(self.pg1, [p])
self.assertEqual(
- self.base_peer6_err + 1, self.statistics.get_err_counter(self.peer6_error)
+ self.base_peer6_in_err + 1,
+ self.statistics.get_err_counter(self.peer6_in_err),
)
# send a valid handsake init for which we expect a response
@@ -835,6 +878,7 @@ class TestWg(VppTestCase):
self.assertEqual(rx[IPv6].hlim, 19)
r1.remove_vpp_config()
+ r2.remove_vpp_config()
peer_1.remove_vpp_config()
wg0.remove_vpp_config()
@@ -886,7 +930,8 @@ class TestWg(VppTestCase):
)
self.send_and_assert_no_replies(self.pg1, [p])
self.assertEqual(
- self.base_peer4_err + 1, self.statistics.get_err_counter(self.peer4_error)
+ self.base_peer4_in_err + 1,
+ self.statistics.get_err_counter(self.peer4_in_err),
)
# send a valid handsake init for which we expect a response
@@ -1024,7 +1069,8 @@ class TestWg(VppTestCase):
)
self.send_and_assert_no_replies(self.pg1, [p])
self.assertEqual(
- self.base_peer6_err + 1, self.statistics.get_err_counter(self.peer6_error)
+ self.base_peer6_in_err + 1,
+ self.statistics.get_err_counter(self.peer6_in_err),
)
# send a valid handsake init for which we expect a response