Re: git: 31ec8b6407fd - main - sys/netinet6: Implement RFC 7217
Date: Sun, 21 Sep 2025 10:44:42 UTC
On 9/21/25 11:58, Guido Falsi wrote:
> On 9/21/25 00:17, Herbert J. Skuhra wrote:
>> On Sat, 20 Sep 2025 14:31:52 +0200, Guido Falsi wrote:
>>>
>>> The branch main has been updated by madpilot:
>>>
>>> URL: https://cgit.FreeBSD.org/src/commit/?id=31ec8b6407fdd5a87d70265762457c67ce618283
>>>
>>> commit 31ec8b6407fdd5a87d70265762457c67ce618283
>>> Author:     Guido Falsi <madpilot@FreeBSD.org>
>>> AuthorDate: 2025-09-20 12:26:41 +0000
>>> Commit:     Guido Falsi <madpilot@FreeBSD.org>
>>> CommitDate: 2025-09-20 12:31:44 +0000
>>>
>>>     sys/netinet6: Implement RFC 7217
>>>
>>>     Implement RFC 7217 (A Method for Generating Semantically Opaque
>>>     Interface Identifiers with IPv6 Stateless Address Autoconfiguration
>>>     (SLAAC)) in our IPv6 stack.
>>>
>>>     A new ifconfig `stableaddr` flag is added to enable the feature on
>>>     interfaces, which defaults to on or off for new interfaces based
>>>     on the sysctl `net.inet6.ip6.use_stableaddr` (off by default, so
>>>     this commit causes no change in behavior with default settings).
>>>
>>>     The algorithm follows the RFC in its logic, using SHA256-HMAC as
>>>     the algorithm to derive addresses so as to provide code that can
>>>     be leveraged by future implementations of RFC 8981, leveraging the
>>>     `hostuuid` as the secret.
>>>
>>>     The source of the hostidentifier can be configured using the sysctl
>>>     `net.inet6.ip6.stableaddr_netifsource`, while the number of retries
>>>     generating a new address in case of collision can be configured
>>>     using the `net.inet6.ip6.stableaddr_maxretries` sysctl (default 3).
>>>
>>>     Documentation about all these flags is added to the ifconfig(8) man
>>>     page.
>>>
>>>     Reviewed by:    cognet, glebius, hrs
>>>     Tested by:      zarychtam@plan-b.pwste.edu.pl
>>>     Approved by:    cognet, glebius
>>>     Relnotes:       yes
>>>     Differential Revision: https://reviews.freebsd.org/D49681
>>> ---
>>>  sbin/ifconfig/af_inet6.c    |   2 +
>>>  sbin/ifconfig/af_nd6.c      |   1 +
>>>  sbin/ifconfig/ifconfig.8    |  30 +++++
>>>  sys/netinet6/in6.h          |   3 +
>>>  sys/netinet6/in6_ifattach.c | 275 +++++++++++++++++++++++++++++++++++++-------
>>>  sys/netinet6/in6_ifattach.h |   2 +
>>>  sys/netinet6/in6_proto.c    |  10 ++
>>>  sys/netinet6/ip6_input.c    |   1 +
>>>  sys/netinet6/ip6_var.h      |  12 ++
>>>  sys/netinet6/nd6.c          |   9 ++
>>>  sys/netinet6/nd6.h          |   2 +
>>>  sys/netinet6/nd6_nbr.c      |  35 +++++-
>>>  sys/netinet6/nd6_rtr.c      | 128 +++++++++++++--------
>>>  usr.sbin/ndp/ndp.c          |   7 ++
>>>  14 files changed, 423 insertions(+), 94 deletions(-)
>>
>> This commit breaks security/netbird:
>>
>> Management: Disconnected, reason: create wg interface: error creating
>> tun device: unable to get nd6 flags for tun0: invalid argument
>> Signal: Disconnected, reason: create wg interface: error creating tun
>> device: unable to get nd6 flags for tun0: invalid argument
>>
>
> Thanks for reporting this,
>
> I'm going to take a look shortly, although I'm not sure why, since the
> functionality is disabled by default.
>

Hi again,

I'm going to try to reproduce this, but in the meantime, looking at the
source code, the error comes from the wireguard-go package that is being
used by netbird (we also have that in a port of its own BTW).

The code there is manipulating the interface flags at a low level, but my
commit modified that structure. There is some chance that simply forcing a
rebuild and reinstall of the package will "fix" it.

Have you tried that? If you already have, I'll go on and reproduce
locally, if I can.

-- 
Guido Falsi <madpilot@FreeBSD.org>
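The derivation the commit message describes, as an added illustration that is neither part of this thread nor the kernel's in6_ifattach.c: RFC 7217's F() realised with HMAC-SHA256 keyed by the host secret (hostuuid in FreeBSD; a constructed value here), with DAD_Counter advanced on a collision up to a retry limit in the spirit of `stableaddr_maxretries`. The byte layout fed to the HMAC, the 4-byte counter width and the simulated collision set are this example's own assumptions.

```python
import hmac
import hashlib
import ipaddress

# Reserved interface identifiers (RFC 5453) that RFC 7217 requires skipping.
RESERVED_IID_RANGES = (
    (0x0000000000000000, 0x0000000000000000),  # subnet-router anycast
    (0x02005EFFFE000000, 0x02005EFFFEFFFFFF),  # IANA Ethernet block (incl. PMIPv6)
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),  # reserved subnet anycast
)


def iid_is_reserved(iid: int) -> bool:
    return any(lo <= iid <= hi for lo, hi in RESERVED_IID_RANGES)


def stable_iid(net: ipaddress.IPv6Network, net_iface: bytes, network_id: bytes,
               dad_counter: int, secret_key: bytes) -> int:
    """RFC 7217 F(): HMAC-SHA256 over the inputs, truncated to a 64-bit IID.
    Input ordering and the 4-byte counter width are this example's own choices."""
    mac = hmac.new(secret_key, digestmod=hashlib.sha256)
    mac.update(net.network_address.packed[:8])  # the /64 prefix
    mac.update(net_iface)                       # e.g. ifname or MAC (netifsource)
    mac.update(network_id)                      # optional, empty when unknown
    mac.update(dad_counter.to_bytes(4, "big"))
    return int.from_bytes(mac.digest()[:8], "big")


def generate_stable_address(prefix: str, net_iface: bytes, network_id: bytes,
                            secret_key: bytes, in_use: set, max_retries: int = 3):
    """Derive the stable address for `prefix`; on a reserved IID or a (simulated)
    DAD collision with `in_use`, bump DAD_Counter and retry up to max_retries.
    Returns (address, dad_counter); raises RuntimeError when retries run out."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC stable IIDs need a /64 prefix")
    dad_counter = 0
    for _ in range(max_retries + 1):
        iid = stable_iid(net, net_iface, network_id, dad_counter, secret_key)
        addr = ipaddress.IPv6Address(int(net.network_address) | iid)
        if not iid_is_reserved(iid) and addr not in in_use:
            return addr, dad_counter
        dad_counter += 1  # collision: derive a fresh IID with the next counter
    raise RuntimeError(f"no usable address for {prefix} after {max_retries} retries")


if __name__ == "__main__":
    secret = b"constructed-host-secret"  # stands in for the real hostuuid
    print(generate_stable_address("2001:db8:1::/64", b"em0", b"", secret, set()))
```

The same prefix, interface and secret always yield the same address, while a different prefix or a bumped counter yields an unrelated one, which is the privacy property RFC 7217 targets.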