The branch main has been updated by kp:
URL:
https://cgit.FreeBSD.org/src/commit/?id=60e92d17cfeba02bc3c7a6edfa0bcaf7c63e5f35
commit 60e92d17cfeba02bc3c7a6edfa0bcaf7c63e5f35
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-07-28 11:36:35 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2025-08-04 06:08:32 +0000
if_ovpn: support IPv6 link-local addresses
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D51596
---
sys/net/if_ovpn.c | 21 ++++++++++-
tests/sys/net/if_ovpn/if_ovpn.sh | 76 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 96 insertions(+), 1 deletion(-)
diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index fe3e7bbd7fff..fe015632f33e 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -322,6 +322,8 @@ ovpn_sockaddr_compare(const struct sockaddr *a,
if (a6->sin6_port != b6->sin6_port)
return (false);
+ if (a6->sin6_scope_id != b6->sin6_scope_id)
+ return (false);
return (memcmp(&a6->sin6_addr, &b6->sin6_addr,
sizeof(a6->sin6_addr)) == 0);
@@ -392,6 +394,8 @@ ovpn_nvlist_to_sockaddr(const nvlist_t *nvl, struct
sockaddr_storage *sa)
{
int af;
+ memset(sa, 0, sizeof(*sa));
+
if (! nvlist_exists_number(nvl, "af"))
return (EINVAL);
if (! nvlist_exists_binary(nvl, "address"))
@@ -432,6 +436,10 @@ ovpn_nvlist_to_sockaddr(const nvlist_t *nvl, struct
sockaddr_storage *sa)
memcpy(&in6->sin6_addr, addr, sizeof(in6->sin6_addr));
in6->sin6_port = nvlist_get_number(nvl, "port");
+
+ if (nvlist_exists_number(nvl, "scopeid"))
+ in6->sin6_scope_id = nvlist_get_number(nvl, "scopeid");
+
break;
}
#endif
@@ -468,6 +476,7 @@ ovpn_add_sockaddr(nvlist_t *parent, const char *name, const
struct sockaddr *s)
nvlist_add_number(nvl, "port", s6->sin6_port);
nvlist_add_binary(nvl, "address", &s6->sin6_addr,
sizeof(s6->sin6_addr));
+ nvlist_add_number(nvl, "scopeid", s6->sin6_scope_id);
break;
}
default:
@@ -725,7 +734,8 @@ ovpn_new_peer(struct ifnet *ifp, const nvlist_t *nvl)
NET_EPOCH_ENTER(et);
ret = in6_selectsrc_addr(curthread->td_proc->p_fibnum,
&TO_IN6(&peer->remote)->sin6_addr,
- 0, NULL, &TO_IN6(&peer->local)->sin6_addr, NULL);
+ TO_IN6(&peer->remote)->sin6_scope_id, NULL,
+ &TO_IN6(&peer->local)->sin6_addr, NULL);
NET_EPOCH_EXIT(et);
if (ret != 0) {
goto error;
@@ -2275,6 +2285,15 @@ ovpn_encap(struct ovpn_softc *sc, uint32_t peerid,
struct mbuf *m)
memcpy(&ip6->ip6_dst, &in6_remote->sin6_addr,
sizeof(ip6->ip6_dst));
+ if (IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_src)) {
+ /* Local and remote must have the same scope. */
+ ip6->ip6_src.__u6_addr.__u6_addr16[1] =
+ htons(in6_remote->sin6_scope_id & 0xffff);
+ }
+ if (IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst))
+ ip6->ip6_dst.__u6_addr.__u6_addr16[1] =
+ htons(in6_remote->sin6_scope_id & 0xffff);
+
udp = mtodo(m, sizeof(*ip6));
udp->uh_sum = in6_cksum_pseudo(ip6,
m->m_pkthdr.len - sizeof(struct ip6_hdr),
diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh
index c42344da1a3b..0281e7fc273d 100644
--- a/tests/sys/net/if_ovpn/if_ovpn.sh
+++ b/tests/sys/net/if_ovpn/if_ovpn.sh
@@ -499,6 +499,81 @@ atf_test_case "6in6" "cleanup"
ovpn_cleanup
}
+atf_test_case "linklocal" "cleanup"
+linklocal_head()
+{
+ atf_set descr 'Use IPv6 link-local addresses'
+ atf_set require.user root
+ atf_set require.progs openvpn
+}
+
+linklocal_body()
+{
+ ovpn_init
+
+ l=$(vnet_mkepair)
+
+ vnet_mkjail a ${l}a
+ jexec a ifconfig ${l}a inet6 fe80::a/64 up no_dad
+ vnet_mkjail b ${l}b
+ jexec b ifconfig ${l}b inet6 fe80::b/64 up no_dad
+
+ # Sanity check
+ atf_check -s exit:0 -o ignore jexec a ping6 -c 1 fe80::b%${l}a
+
+ ovpn_start a "
+ dev ovpn0
+ dev-type tun
+ proto udp6
+
+ cipher AES-256-GCM
+ auth SHA256
+
+ local fe80::a%${l}a
+ server-ipv6 2001:db8:1::/64
+
+ ca $(atf_get_srcdir)/ca.crt
+ cert $(atf_get_srcdir)/server.crt
+ key $(atf_get_srcdir)/server.key
+ dh $(atf_get_srcdir)/dh.pem
+
+ mode server
+ script-security 2
+ auth-user-pass-verify /usr/bin/true via-env
+ topology subnet
+
+ keepalive 100 600
+ "
+ ovpn_start b "
+ dev tun0
+ dev-type tun
+
+ client
+
+ remote fe80::a%${l}b
+ auth-user-pass $(atf_get_srcdir)/user.pass
+
+ ca $(atf_get_srcdir)/ca.crt
+ cert $(atf_get_srcdir)/client.crt
+ key $(atf_get_srcdir)/client.key
+ dh $(atf_get_srcdir)/dh.pem
+
+ keepalive 100 600
+ "
+
+ # Give the tunnel time to come up
+ sleep 10
+ jexec a ifconfig
+
+ atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
+ atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
+}
+
+linklocal_cleanup()
+{
+ ovpn_cleanup
+}
+
atf_test_case "timeout_client" "cleanup"
timeout_client_head()
{
@@ -1412,6 +1487,7 @@ atf_init_test_cases()
atf_add_test_case "6in4"
atf_add_test_case "6in6"
atf_add_test_case "4in6"
+ atf_add_test_case "linklocal"
atf_add_test_case "timeout_client"
atf_add_test_case "explicit_exit"
atf_add_test_case "multi_client"
