| 83e7061f | 28-Aug-2024 |
Matthew Dillon <dillon@apollo.backplane.com> |
poll - Fix events == 0 handling for TAP and TUN, fix console spam
* BSD poll() supports events == 0 representing a "HUP ONLY" event. Most of our devices properly support this but TAP and TUN did not.
Fix TAP and TUN to support this feature. This fixes openvpn() when operating under heavier loads.
* Fix console spam on non-debug kprintf()s by rate-limiting any such spam if it occurs. If a device does not support poll()'s HUP ONLY feature, the loop deregistration path will be hit and generate a kprintf(). We don't want console spam to stall the cpu.
|
| 7485684f | 03-Mar-2024 |
Aaron LI <aly@aaronly.me> |
Whitespace cleanups |
| 2976dea7 | 03-Mar-2024 |
Aaron LI <aly@aaronly.me> |
sys: Minor fixes to some comments |
| cf3a56ce | 03-Mar-2024 |
Aaron LI <aly@aaronly.me> |
sys: Minor code cleanups
No functional changes. |
| fe2ce7cf | 23-Mar-2024 |
Aaron LI <aly@aaronly.me> |
wg: Minor code cleanups |
| c008937e | 20-Mar-2024 |
Aaron LI <aly@aaronly.me> |
net: Clean up ifa_ifwithnet() and ifaof_ifpforaddr()
- Add the static inline function ifa_match_withmask() to deduplicate the address match code in both functions.
- Use NULL instead of 0 for pointers.
- Minor style cleanups.
|
| 5f75fb6f | 20-Mar-2024 |
Aaron LI <aly@aaronly.me> |
net: Improve rt_print() and rt_addrinfo_print() debug functions
- Update rt_print() to print the full interface name (if_xname) instead of the underlying device name (if_dname).
- Update rt_addrinfo_print() to print flags, ifp and ifa; similar to rt_print().
|
| 2b2893d6 | 19-Mar-2024 |
Aaron LI <aly@aaronly.me> |
net: Fix panic in the rt_addrinfo_print() debug function
The 'rti_addrs' member is a bitmask of RTA_* values, not a count value, so the rt_addrinfo_print() debug function would just panic.
Use RTAX_MAX instead to fix this bug. Meanwhile, add brief comments to 'rti_addrs' and 'rti_flags' members.
|
| 1de656c9 | 19-Mar-2024 |
Aaron LI <aly@aaronly.me> |
net: Clean up sockaddr_print() by removing duplicate switch() |
| 5e1a59d5 | 20-Mar-2024 |
Aaron LI <aly@aaronly.me> |
netinet: Improve the deletion of loopback route
When the target host address is still bound to another interface address (e.g., an address on another interface added later), the loopback route should be updated to point to that address instead of simply being removed.
Given that our rtrequest1() only supports route addition and deletion, but not route change, we have to first remove the original loopback route and then re-add a route with the wanted interface address.
See also in_localip_more() and ifa_switch_loopback_route() in FreeBSD.
|
| 951ecd7f | 18-Mar-2024 |
Aaron LI <aly@aaronly.me> |
netinet: Auto add loopback routes to interface addresses
When adding an address to an interface, a loopback route will be created to route the traffic targeting it through the lo0 interface. The loopback route will also be removed when the corresponding interface address is deleted.
In principle, this can help simplify the network input and output paths by avoiding special handling of local addresses. That deserves some further efforts.
Nonetheless, an immediate benefit goes to wg(4). Now we can access (e.g., ping) from localhost a wg(4) interface's IPv4 addresses. Previously it was broken because wg(4) is a virtual device and doesn't have/use ARP. For Ethernet devices, the ether_output() function will redirect the traffic targeting its own address to the loopback interface by calling if_simloop().
Derived from FreeBSD; the major commits are:
- This patch adds a host route to an interface address ... https://github.com/freebsd/freebsd-src/commit/ebc90701ac6c1f814c5bd6f3e19f0113ebe06156
- Self pointing routes are installed for configured interface addr ... https://github.com/freebsd/freebsd-src/commit/9bb7d0f47a3265a1782a64837ae93dde4c550a6a
- Unify loopback route switching https://github.com/freebsd/freebsd-src/commit/59c180c35c1ddc1d544a1c73c789d126a8fbac78
- Fix rt_ifa selection during loopback route insertion process https://github.com/freebsd/freebsd-src/commit/2ad7ed6e4a84448234e9aaef3c9fa884848f7387
Discussed-with: dillon
|
| e255cd8b | 18-Mar-2024 |
Aaron LI <aly@aaronly.me> |
net: Integrate link_rtrequest() into rt_getifa()
When a route was inserted but had an invalid IFA (rt_ifa), the link_rtrequest() would be called to fix it with a link-level gateway.
Move the link_rtrequest() logic into the pre-insertion rt_getifa() step, and thus simplify the IFA selection. This will also help the forthcoming management of loopback routes for interface addresses.
Obtained-from: FreeBSD
- https://reviews.freebsd.org/D20076
- https://github.com/freebsd/freebsd-src/commit/2ad7ed6e4a84448234e9aaef3c9fa884848f7387
|
| 1879acbd | 28-Feb-2024 |
Aaron LI <aly@aaronly.me> |
wg: Add comment for noise_remote_index() in handling cookie replies
noise_remote_index() will look up the index for both remote and keypair entries. Add a comment to explain why this double lookup is necessary.
Credit: Jason A. Donenfeld
|
| ee9faa16 | 03-Mar-2024 |
Aaron LI <aly@aaronly.me> |
wg: Disable auto link-local configuration and DAD
They're useless for this virtual interface.
Actually, this code is present in the FreeBSD version but was removed during the porting; now add it back. |
| f9be6a1c | 03-Mar-2024 |
Aaron LI <aly@aaronly.me> |
stf(4): Set ND6 flags to disable auto link-local and DAD
Clear the 'ND6_IFF_AUTO_LINKLOCAL' flag and set the 'ND6_IFF_NO_DAD' flag for the stf(4) interface after if_attach(). In this way, the quirks in in6_ifattach() are removed.
|
| b44c913f | 28-Feb-2024 |
Aaron LI <aly@aaronly.me> |
net: Reimplement packet loop detection based on mbuf tags
The original naive implementation based on mbuf 'm_pkthdr.loop_cnt' was flawed:
* There were likely some code paths that allocated mbufs but failed to initialize the 'loop_cnt' to zero. This caused unwanted packet drops in gif(4), as reported by Kyle Butt (iteratee).
* The 'loop_cnt' was system-wide and thus cannot distinguish between the nesting of specific drivers. For example, it would break an actually valid setup that makes use of both gif(4) and gre(4).
As a result, follow FreeBSD's way and reimplement the packet loop detection based on mbuf tags. Each driver is allocated a unique mbuf tag cookie, and thus a unique mbuf tag will be created to track the nesting level of each driver.
The if_tunnel_check_nesting() was derived from FreeBSD but I changed it to use only one mbuf tag for each cookie (i.e., driver). Although it can no longer directly detect that a packet loops through the same interface, it would still be prevented as that would lead to infinite recursions.
Update gif(4), gre(4) and wg(4) to use the new loop detection facility.
Bump __DragonFly_version as well.
Reported-by: Kyle Butt (iteratee)
|
| a4b1c56f | 20-Feb-2024 |
Aaron LI <aly@aaronly.me> |
wg: Update wg_handshake() to increase 'ierrors' on error
Meanwhile, add a comment for 'pkt->p_mbuf' update after m_pullup(). |
| 5ffb7caf | 20-Feb-2024 |
Aaron LI <aly@aaronly.me> |
wg: Improve error handling in wg_output()
- Don't send ICMP error if the packet looped, avoiding infinite loops.
- Move the packet loop detection upper to optimize the logic a bit.
- Integrate xmit_err() into wg_output() to simplify the error handling.
- Just increase 'oerrors' and don't use 'oqdrops', which doesn't really make more sense here.
|
| 979e91ed | 20-Feb-2024 |
Aaron LI <aly@aaronly.me> |
crypto: Move blake2s_hmac() to its only user wg_noise.c
The blake2s_hmac() is simply an ad-hoc HMAC implementation using the BLAKE2s hash algorithm. It's not generic; a proper solution is to implement the HMAC construction that supports any hash algorithms. Therefore, it's better to move blake2s_hmac() to wg_noise.c as noise_hmac().
See also: https://git.zx2c4.com/wireguard-freebsd/commit/?id=5c5832279855722b939a381b9a291dc5ca2ee52e
|
| 32a12de2 | 08-Feb-2024 |
Aaron LI <aly@aaronly.me> |
wg: Change cpu_sfence() to release store + acquire load pair
Although DragonFly is currently x86-only and this is actually unnecessary, update to use the store+load pairs for better portability. |
| 5378cebb | 08-Feb-2024 |
Aaron LI <aly@aaronly.me> |
wg: Convert BPF_MTAP_AF() macro to inline function wg_bpf_ptap() |
| 6716a06c | 08-Feb-2024 |
Aaron LI <aly@aaronly.me> |
wg: Add RXCSUM support to avoid unnecessary checksum validation
The packet that is about to be delivered in is authentic as ensured by the AEAD tag, so we can tell the networking stack that this packet has valid checksums and thus is unnecessary to check again.
Therefore, implement RXCSUM support for the wg interface, and update the ioctl() to support to enable/disable this feature.
Meanwhile, move the mbuf flags clearance code just before the delivery, i.e., netisr_queue() and wg_send().
|
| 41fc5cd7 | 08-Feb-2024 |
Aaron LI <aly@aaronly.me> |
wg: Track noise_{local,remote,keypair} allocations to detect leaks
Use lists to track the allocations of noise_{local,remote,keypair} structs, and then assert that all of them have been freed upon the module deinitialization.
Enclose the code within 'INVARIANTS' macro, so that it can be just ignored when performance is important.
|
| 015567cb | 07-Feb-2024 |
Aaron LI <aly@aaronly.me> |
wg: Some code cleanups, minor improvements and comment updates
- Clean up some code logics to make the conditional flow and error handling more smooth.
- Add and update various comments to make the code more understandable. A large fraction of the comments are derived from the WireGuard code in Linux/OpenBSD, and from commit messages.
show more ...
|
| 9c92b55f | 07-Feb-2024 |
Aaron LI <aly@aaronly.me> |
wg: Minor improvements to wg_ioctl_set()
- Skip allowed IPs removal for a new peer.
- Try and send staged packets if the interface is UP.
Referred to the Linux version of WireGuard. |