diff options
author | Matt Dunwoodie <ncon@noconroy.net> | 2021-04-22 15:22:53 +1000 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-04-22 00:02:45 -0600 |
commit | 4947482e22600b07b18b76c38901d648eaae7745 (patch) | |
tree | 10dfc45dfc397c46beb46c270cce2058db87e68b | |
parent | selftests: fixup headers (diff) | |
download | wireguard-freebsd-4947482e22600b07b18b76c38901d648eaae7745.tar.xz wireguard-freebsd-4947482e22600b07b18b76c38901d648eaae7745.zip |
if_wg: better loop detection
While it was nice to have per peer loop detection, it was not meant to
be. The loop tag has a tag type == 0, which conflicts with other tags.
Therefore we want to at least be a little bit more sure that the tag
cookie is unique to the loop tag. I guess the peer address was also
quite hacky so on the other side, I'm glad to be rid of that.
Now we have a loop of 8 (to any peer) which should be good enough for an
edge case operation.
Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
-rw-r--r-- | src/if_wg.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/if_wg.c b/src/if_wg.c index 46a9910..9984a1e 100644 --- a/src/if_wg.c +++ b/src/if_wg.c @@ -272,6 +272,9 @@ struct wg_softc { #define WGF_DYING 0x0001 +#define MAX_LOOPS 8 +#define MTAG_WGLOOP 0x77676c70 /* wglp */ + /* TODO the following defines are freebsd specific, we should see what is * necessary and cleanup from there (i suspect a lot can be junked). */ @@ -2006,9 +2009,7 @@ wg_transmit(struct ifnet *ifp, struct mbuf *m) goto err; } - /* Detect packet loops, TODO make better unique identifier than p_id - * (because it is truncated from uint64_t to uint32_t). */ - if (__predict_false(if_tunnel_check_nesting(ifp, m, peer->p_id, 1))) { + if (__predict_false(if_tunnel_check_nesting(ifp, m, MTAG_WGLOOP, MAX_LOOPS))) { DPRINTF(sc, "Packet looped"); rc = ELOOP; goto err; |