git: 60e92d17cfeb - main - if_ovpn: support IPv6 link-local addresses

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Kristof Provost <kp_at_FreeBSD.org>
Date: Mon, 04 Aug 2025 08:12:03 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=60e92d17cfeba02bc3c7a6edfa0bcaf7c63e5f35

commit 60e92d17cfeba02bc3c7a6edfa0bcaf7c63e5f35
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-07-28 11:36:35 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-08-04 06:08:32 +0000

    if_ovpn: support IPv6 link-local addresses
    
    MFC after:      3 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D51596
---
 sys/net/if_ovpn.c                | 21 ++++++++++-
 tests/sys/net/if_ovpn/if_ovpn.sh | 76 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+), 1 deletion(-)

diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index fe3e7bbd7fff..fe015632f33e 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -322,6 +322,8 @@ ovpn_sockaddr_compare(const struct sockaddr *a,
 
 		if (a6->sin6_port != b6->sin6_port)
 			return (false);
+		if (a6->sin6_scope_id != b6->sin6_scope_id)
+			return (false);
 
 		return (memcmp(&a6->sin6_addr, &b6->sin6_addr,
 		    sizeof(a6->sin6_addr)) == 0);
@@ -392,6 +394,8 @@ ovpn_nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *sa)
 {
 	int af;
 
+	memset(sa, 0, sizeof(*sa));
+
 	if (! nvlist_exists_number(nvl, "af"))
 		return (EINVAL);
 	if (! nvlist_exists_binary(nvl, "address"))
@@ -432,6 +436,10 @@ ovpn_nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *sa)
 
 		memcpy(&in6->sin6_addr, addr, sizeof(in6->sin6_addr));
 		in6->sin6_port = nvlist_get_number(nvl, "port");
+
+		if (nvlist_exists_number(nvl, "scopeid"))
+			in6->sin6_scope_id = nvlist_get_number(nvl, "scopeid");
+
 		break;
 	}
 #endif
@@ -468,6 +476,7 @@ ovpn_add_sockaddr(nvlist_t *parent, const char *name, const struct sockaddr *s)
 		nvlist_add_number(nvl, "port", s6->sin6_port);
 		nvlist_add_binary(nvl, "address", &s6->sin6_addr,
 		    sizeof(s6->sin6_addr));
+		nvlist_add_number(nvl, "scopeid", s6->sin6_scope_id);
 		break;
 	}
 	default:
@@ -725,7 +734,8 @@ ovpn_new_peer(struct ifnet *ifp, const nvlist_t *nvl)
 		NET_EPOCH_ENTER(et);
 		ret = in6_selectsrc_addr(curthread->td_proc->p_fibnum,
 		    &TO_IN6(&peer->remote)->sin6_addr,
-		    0, NULL, &TO_IN6(&peer->local)->sin6_addr, NULL);
+		    TO_IN6(&peer->remote)->sin6_scope_id, NULL,
+		    &TO_IN6(&peer->local)->sin6_addr, NULL);
 		NET_EPOCH_EXIT(et);
 		if (ret != 0) {
 			goto error;
@@ -2275,6 +2285,15 @@ ovpn_encap(struct ovpn_softc *sc, uint32_t peerid, struct mbuf *m)
 		memcpy(&ip6->ip6_dst, &in6_remote->sin6_addr,
 		    sizeof(ip6->ip6_dst));
 
+		if (IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_src)) {
+			/* Local and remote must have the same scope. */
+			ip6->ip6_src.__u6_addr.__u6_addr16[1] =
+			    htons(in6_remote->sin6_scope_id & 0xffff);
+		}
+		if (IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst))
+			ip6->ip6_dst.__u6_addr.__u6_addr16[1] =
+			    htons(in6_remote->sin6_scope_id & 0xffff);
+
 		udp = mtodo(m, sizeof(*ip6));
 		udp->uh_sum = in6_cksum_pseudo(ip6,
 		    m->m_pkthdr.len - sizeof(struct ip6_hdr),
diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh
index c42344da1a3b..0281e7fc273d 100644
--- a/tests/sys/net/if_ovpn/if_ovpn.sh
+++ b/tests/sys/net/if_ovpn/if_ovpn.sh
@@ -499,6 +499,81 @@ atf_test_case "6in6" "cleanup"
 	ovpn_cleanup
 }
 
+atf_test_case "linklocal" "cleanup"
+linklocal_head()
+{
+	atf_set descr 'Use IPv6 link-local addresses'
+	atf_set require.user root
+	atf_set require.progs openvpn
+}
+
+linklocal_body()
+{
+	ovpn_init
+
+	l=$(vnet_mkepair)
+
+	vnet_mkjail a ${l}a
+	jexec a ifconfig ${l}a inet6 fe80::a/64 up no_dad
+	vnet_mkjail b ${l}b
+	jexec b ifconfig ${l}b inet6 fe80::b/64 up no_dad
+
+	# Sanity check
+	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 fe80::b%${l}a
+
+	ovpn_start a "
+		dev ovpn0
+		dev-type tun
+		proto udp6
+
+		cipher AES-256-GCM
+		auth SHA256
+
+		local fe80::a%${l}a
+		server-ipv6 2001:db8:1::/64
+
+		ca $(atf_get_srcdir)/ca.crt
+		cert $(atf_get_srcdir)/server.crt
+		key $(atf_get_srcdir)/server.key
+		dh $(atf_get_srcdir)/dh.pem
+
+		mode server
+		script-security 2
+		auth-user-pass-verify /usr/bin/true via-env
+		topology subnet
+
+		keepalive 100 600
+	"
+	ovpn_start b "
+		dev tun0
+		dev-type tun
+
+		client
+
+		remote fe80::a%${l}b
+		auth-user-pass $(atf_get_srcdir)/user.pass
+
+		ca $(atf_get_srcdir)/ca.crt
+		cert $(atf_get_srcdir)/client.crt
+		key $(atf_get_srcdir)/client.key
+		dh $(atf_get_srcdir)/dh.pem
+
+		keepalive 100 600
+	"
+
+	# Give the tunnel time to come up
+	sleep 10
+	jexec a ifconfig
+
+	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
+	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
+}
+
+linklocal_cleanup()
+{
+	ovpn_cleanup
+}
+
 atf_test_case "timeout_client" "cleanup"
 timeout_client_head()
 {
@@ -1412,6 +1487,7 @@ atf_init_test_cases()
 	atf_add_test_case "6in4"
 	atf_add_test_case "6in6"
 	atf_add_test_case "4in6"
+	atf_add_test_case "linklocal"
 	atf_add_test_case "timeout_client"
 	atf_add_test_case "explicit_exit"
 	atf_add_test_case "multi_client"