Bug 275341

Summary:

Cannot add a route to a wireguard interface without the device having an address.

Product:

Base System

Reporter:

Sean Cody <sean>

Component:

kern

Assignee:

R. Christian McDonald <rcm>

Status:

In Progress ---

Severity:

Affects Some People

CC:

benoitc, jlduran, ki, rcm, takahiro.kurosawa, zarychtam, zlei

Priority:

---

Version:

14.0-STABLE

Hardware:

Any

OS:

Any

URL:

https://lists.freebsd.org/archives/freebsd-net/2024-March/004700.html

Attachments:

Description	Flags
Change made to wg-quick to work around this problem.	none

Description Sean Cody 2023-11-25 21:55:23 UTC

Created attachment 246568 [details]
Change made to wg-quick to work around this problem.

Hi there I've noticed a behavior change that breaks wireguard setups after upgrade from 13.2-p5 to 14-RELEASE.  

After updating them from 13.2-p5 to 14-RELEASE the wireguard service just stopped working. I noticed that in FreeBSD 14 you are not able to add a route to a wireguard interface that doesn't have an address assigned.

Adding a wg interface with an IP address to /etc/rc.conf doesn't help because the script notices the interface is there and doesn't configure it.  

This is repeatable (tried on both my wireguard hosts, and firewalls and a service router that were all upgraded to 14.0 this evening) and the output looks like this (using wg1 to not interrupt existing traffic on wg0):

# freebsd-version
14.0-RELEASE
# ifconfig wg1 create
# ifconfig wg1 up
# route -n add 10.2.0.0/24 -interface wg1
add net 10.2.0.0: gateway wg1 fib 0: Invalid argument
# ifconfig wg1 inet 10.0.0.3/32
# route -n add 10.2.0.0/24 -interface wg1
add net 10.2.0.0: gateway wg1

This behavior does not happen in 13.2 (a test VM):
# freebsd-version
13.2-RELEASE-p1
# ifconfig wg1 create
# ifconfig wg1 up
# route -n add 10.2.0.0/24 -interface wg1
add net 10.2.0.0: gateway wg1

Notice if the device is created and up, the route command fails with 'invalid argument.'  Once I add an address (any address at all) the route command works but that doesn't fix the wireguard service.

To fix it I added an address to the created interface in /usr/local/bin/wg-quick specifically after line 119 where I added:
    'cmd ifconfig $INTERFACE inet 127.0.0.200/32'
(added diff for better context).  This is NOT a good fix at all, it just got me working and back into production again.

This would impact anyone upgrading a system running wireguard using the wireguard tools from v13 to v14.  It may also be repeatable on tunnel or other devices but I've not seen that in this troubleshooting.

Note when broaching this on discord, jlduran pointed out this link appears to be very similar to this but I can't relate it 100% as I don't see any kernel logging in dmesg/syslog (probably because I need to increase verbosity):
     https://reviews.freebsd.org/D41330

Comment 1 Sean Cody 2023-11-25 21:57:47 UTC

Comment on attachment 246568 [details]
Change made to wg-quick to work around this problem.

Sorry the first part is the only one that matters, the rest (@@ -315 and forward) is chaff from my troubleshooting.

Comment 2 Jose Luis Duran freebsd_committer

2023-11-26 00:51:11 UTC

I can verify that review D41330 fixes the problem.

Assuming 14.0-RELEASE sources in /usr/src:

    # git clone -b releng/14.0 https://git.freebsd.org/src.git /usr/src

Apply the patch:

    # cd /usr/src
    # patch < fetch https://reviews.freebsd.org/D41330.diff

Build and install the kernel:

    # make buildkernel
    # make installkernel

Reboot:

    # shutdown -r now

The old kernel is under /boot/kernel.old. It should work as expected.

Try again:

    # ifconfig wg1 create
    # ifconfig wg1 up
    # route -n add 10.2.0.0/24 -interface wg1
    add net 10.2.0.0: gateway wg1

Verify:

    # netstat -4nr

Comment 3 Jose Luis Duran freebsd_committer

2023-11-26 01:17:37 UTC

Sorry, the patch step should have read:

    # cd /usr/src
    # fetch https://reviews.freebsd.org/D41330.diff
    # patch < D41330.diff

Comment 4 commit-hook freebsd_committer

2023-11-28 21:14:04 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f818559774cb0c1516364c4beca361480fd68b5b

commit f818559774cb0c1516364c4beca361480fd68b5b
Author:     KUROSAWA Takahiro <takahiro.kurosawa@gmail.com>
AuthorDate: 2023-11-28 18:14:50 +0000
Commit:     R. Christian McDonald <rcm@FreeBSD.org>
CommitDate: 2023-11-28 21:11:55 +0000

    netlink: fix adding an interface route

    route add <host> -iface <netif>" for a netif without an IPv4/IPv6
    address fails with EINVAL. Need to use a link-level ifaddr for gw if
    an ifaddr for dst is not found as the rtsock-based implementation does.

    PR:             275341
    Reported by:    Sean Cody <sean@tinfoilhat.ca>
    Reviewed by:    rcm
    Tested by:      rcm
    Approved by:    kp (mentor)
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D41330

 sys/netlink/route/rt.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

Comment 5 R. Christian McDonald freebsd_committer

2023-11-28 21:15:21 UTC

Thanks for the report!

Comment 6 Shuichi KITAGUCHI 2023-12-23 06:55:15 UTC

This fix has not been commited to stable/14 for now.
I'm waiting a patch for 14.0-RELEASE...
Thanks,

Comment 7 Zhenlei Huang freebsd_committer

2024-03-14 08:23:44 UTC

This bug is caused by https://cgit.freebsd.org/src/commit/?id=cc3793b1c54847e26001f42026778703970fa570 . The commit has not been MFCed to stable/13 so stable/13 and release/13.3 are not affected right now.

Reopen since the fix has not been in stable/14.

Link another report: https://lists.freebsd.org/archives/freebsd-net/2024-March/004700.html .

Comment 8 commit-hook freebsd_committer

2024-03-14 08:30:02 UTC

A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7a4a122f9731c589831e1c00d85588ff9813b338

commit 7a4a122f9731c589831e1c00d85588ff9813b338
Author:     KUROSAWA Takahiro <takahiro.kurosawa@gmail.com>
AuthorDate: 2023-11-28 18:14:50 +0000
Commit:     Zhenlei Huang <zlei@FreeBSD.org>
CommitDate: 2024-03-14 08:27:42 +0000

    netlink: fix adding an interface route

    route add <host> -iface <netif>" for a netif without an IPv4/IPv6
    address fails with EINVAL. Need to use a link-level ifaddr for gw if
    an ifaddr for dst is not found as the rtsock-based implementation does.

    PR:             275341
    Reported by:    Sean Cody <sean@tinfoilhat.ca>
    Reviewed by:    rcm
    Tested by:      rcm
    Approved by:    kp (mentor)
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D41330

    (cherry picked from commit f818559774cb0c1516364c4beca361480fd68b5b)

 sys/netlink/route/rt.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

Comment 9 benoitc 2024-03-31 07:38:28 UTC

I've tested the change with bird OSPFV3 and the problem is still there after the patch is applied. Until I set explicitely a dummy IP interface on the point to point interface I get the following error: 

```
"Mar 31 07:33:01 freebsd bird[17645]: ospfv4: Cannot find next hop addre
ss for vlan200"
```

Once you set a "dummy /32" ipv4 on vlan200 the issue disappear.

Eg. of configuration:

```
protocol ospf v3 ospfv4 {
  ipv4 {
    import filter ospf_import;
    export filter ospf_export;
  };

  area 0 {
    interface "lo1" { stub yes; };
    interface "vlan200" {
      type ptp;
      cost 10;
    };
  };
}
```


```
 ifconfig vlan200
vlan200: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 150
0
        options=4600703<RXCSUM,TXCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,MEXTPG>
        ether 9a:c7:bd:e8:62:dc
        inet6 fe80::98c7:bdff:fee8:62dc%vlan200 prefixlen 64 scopeid 0x4
        groups: vlan
        vlan: 200 vlanproto: 802.1q vlanpcp: 0 parent interface: iavf0
        media: Ethernet autoselect (10Gbase-SR <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
```

Comment 10 Zhenlei Huang freebsd_committer

2024-03-31 15:30:16 UTC

(In reply to benoitc from comment #9)
> I've tested the change with bird OSPFV3 and the problem is still there after the patch is applied.
That is weird. Can you please share your version? Is that 14.0-RELEASE or stable/14 ?

Comment 11 benoitc 2024-04-07 18:32:42 UTC

(In reply to Zhenlei Huang from comment #10)
this was on 14-RELEASE with patch applied. I will retry on 14-STABLE

Comment 12 Marek Zarychta 2024-04-07 18:50:55 UTC

(In reply to benoitc from comment #11)
Please feel free to try using BGP, for OSPFv3 it's not implemented yet. Maybe with the next version of BIRD it will work[1].

1. https://bird.network.cz/pipermail/bird-users/2024-April/017555.html

Comment 13 Mark Linimon freebsd_committer

2024-10-08 04:43:19 UTC

^Triage: a fix was MFCed to 14 and 13.  However, the problem is not yet confirmed resolved.

Comment 14 Zhenlei Huang freebsd_committer

2024-10-20 15:06:55 UTC

@benoitc

Any good news ?