Development discussion of WireGuard
From: Wang Jian <larkwang@gmail.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>,
	Jan De Landtsheer <jan@delandtsheer.eu>
Subject: Re: Multihomed server issue
Date: Sun, 13 Aug 2017 00:08:37 +0800	[thread overview]
Message-ID: <CAF75rJB_eToq4bTqRzqsB7ncObVo2SpsMFKOZFNzoenzkMnJDg@mail.gmail.com> (raw)
In-Reply-To: <CAHmME9q5T-KpTatXxLZ_H_j_Ly=ZTX63wKTeYD=jqKQeupFFpQ@mail.gmail.com>


2017-08-10 22:29 GMT+08:00 Jason A. Donenfeld <Jason@zx2c4.com>:
> Hi Wang,
>
> Did you have any luck reproducing this with the netns.sh script?

I managed to test with a dummy interface, but things are not as expected.
I think it's because my test case patch is not equivalent to my real setup.

I was building a more complex test case that mimics my real setup, but
got stuck on other things and have made no progress so far.

It seems that you have figured out what the scenario is and how to deal
with it.

IMHO, you have several options:
1. Use the request's destination address as the reply source address, inject
the packet, then let the kernel routing code do the remaining work, because a
policy route is installed anyway.
2. Like 1, but your code looks up the routing table and searches for the best
route for the reply source address.
3. Provide a config option so that ListenAddress can be specified. You just
use it/them to check against the request packet's destination address, and
inject the reply packet.

(Disclaimer: I haven't looked into your code related to routing due to
time constraints, so my opinions may be totally wrong.)

I understand that you prefer 0.0.0.0 for maximum flexibility, thus option 3
is not convincing.

BTW: the finished test case is attached anyway.

[-- Attachment #2: netns.dummy.patch --]
[-- Type: application/octet-stream, Size: 4053 bytes --]

diff --git a/src/tests/netns.sh b/src/tests/netns.sh
index 6a58b37..66869a6 100755
--- a/src/tests/netns.sh
+++ b/src/tests/netns.sh
@@ -325,3 +325,69 @@ n2 ping -W 1 -c 1 192.168.241.1
 ip1 link del veth1
 ip1 link del wg0
 ip2 link del wg0
+
+
+# Test multihomed server which uses dummy interfaces
+# ┌────────────────────────────────────────┐    ┌─────────────────────────────────────────────────────────┐
+# │             $ns1 namespace             │    │                     $ns2 namespace                      │
+# │                 client                 │    │                          server                         │
+# │  ┌─────┐             ┌─────┐           │    │  ┌─────┐            ┌────────┐       ┌─────┐            │
+# │  │ wg0 │─────────────│veth1│───────────┼────┼──│veth2│────────────│ dummy0 │───────│ wg0 │            │
+# │  ├─────┴──────────┐  ├─────┴──────────┐│    │  ├─────┴──────────┐ ├────────┴─────┐ ├─────┴──────────┐ │
+# │  │192.168.241.1/24│  │10.0.0.1/24     ││    │  │10.0.0.2/24     │ │172.16.0.2/32 │ │192.168.241.2/24│ │
+# │  │fd00::1/24      │  │fd00:aa::1/96   ││    │  │fd00:aa::2/96   │ │              │ │fd00::2/24      │ │
+# │  └────────────────┘  └────────────────┘│    │  └────────────────┘ └──────────────┘ └────────────────┘ │
+# └────────────────────────────────────────┘    └─────────────────────────────────────────────────────────┘
+
+ip1 link add dev wg0 type wireguard
+ip2 link add dev wg0 type wireguard
+configure_peers
+ip1 link add veth1 type veth peer name veth2
+ip1 link set veth2 netns $netns2
+n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth1/accept_dad'
+n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth2/accept_dad'
+n1 bash -c 'printf 1 > /proc/sys/net/ipv4/conf/veth1/promote_secondaries'
+
+# Now we show that we can successfully do reply to sender routing
+ip1 link set veth1 down
+ip2 link set veth2 down
+ip1 addr flush dev veth1
+ip2 addr flush dev veth2
+ip1 addr add 10.0.0.1/24 dev veth1
+ip1 addr add fd00:aa::1/96 dev veth1
+ip2 addr add 10.0.0.2/24 dev veth2
+ip2 addr add fd00:aa::2/96 dev veth2
+ip1 link set veth1 up
+ip2 link set veth2 up
+waitiface $netns1 veth1
+waitiface $netns2 veth2
+
+ip2 link add dev dummy0 type dummy
+ip2 addr add 172.16.0.2/32 dev dummy0
+ip1 route add 172.16.0.2/32 via 10.0.0.2
+
+ip2 rule add pref 20000 from 172.16.0.2/32 table 2000
+ip2 route add table 2000 default via 10.0.0.1 dev veth2 src 172.16.0.2
+n1 ping -W 1 -c 1 -I 10.0.0.1    172.16.0.2
+n2 ping -W 1 -c 1 -I 172.16.0.2  10.0.0.1
+
+n1 wg set wg0 peer "$pub2" endpoint 172.16.0.2:2
+n1 ping -W 1 -c 1 192.168.241.2 || true
+n1 wg
+n2 wg
+
+ip1 link del wg0
+ip2 link del wg0
+ip1 link add dev wg0 type wireguard
+ip2 link add dev wg0 type wireguard
+configure_peers
+n1 wg set wg0 peer "$pub2" endpoint 172.16.0.2:2
+n2 wg set wg0 fwmark 0x300
+n2 ip rule add pref 20000 fwmark 0x300 table 2000
+n1 ping -W 1 -c 5 192.168.241.2 || true
+n1 wg
+n2 wg
+
+ip1 link del veth1
+ip1 link del wg0
+ip2 link del wg0
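Review bot: the `|| true` on both `n1 ping -W 1 -c 1 192.168.241.2 || true` and `n1 ping -W 1 -c 5 192.168.241.2 || true` means this addition can never fail, so as written it prints state for a human to eyeball (`n1 wg` / `n2 wg`) instead of asserting the behaviour under test; elsewhere in netns.sh, as in the `n2 ping -W 1 -c 1 192.168.241.1` context line, a bare ping is the assertion. Suggest dropping `|| true` at least on the second, fwmark-based case, which `n2 ip rule add pref 20000 fwmark 0x300 table 2000` is presumably meant to make succeed by routing the replies through table 2000 with `src 172.16.0.2`. Smaller points: `n2 ip rule add` should read `ip2 rule add` for consistency with the `ip2 rule add pref 20000 from 172.16.0.2/32 table 2000` line above; the diagram shows fd00:aa:: addresses on the veth pair but dummy0 and the endpoint are IPv4-only, so the IPv6 reply-source path is not exercised; and cleanup removes veth1 and wg0 but leaves dummy0 and the table 2000 rule/route behind (`ip2 link del dummy0` would mirror `ip1 link del veth1`).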

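Option 1 above (reply from the address the request was sent to, then let routing do the rest) is what a multihomed UDP server does in userspace with IP_PKTINFO: the receive side reads the destination address from the ancillary data, and the send side puts that address back into `ipi_spec_dst` so the kernel uses it as the source instead of picking one by route lookup. The following is an added illustration of that socket-level mechanism on Linux, not WireGuard's own code; the server binds to 0.0.0.0 as WireGuard does by default, and the loopback addresses, port and `reply:` prefix are constructed for the demonstration.

```python
import socket
import struct

# Linux value of IP_PKTINFO; older CPython builds do not export the constant.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo: int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr;
PKTINFO_FMT = "I4s4s"
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def pktinfo_dst(ancdata):
    """Return the destination address of a received datagram from its IP_PKTINFO cmsg."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, addr = struct.unpack(PKTINFO_FMT, data[:PKTINFO_LEN])
            return socket.inet_ntoa(addr)
    return None


def serve_one_request(server_sock):
    """Receive one datagram and answer it from the address it was addressed to."""
    data, ancdata, _flags, peer = server_sock.recvmsg(1024, socket.CMSG_SPACE(PKTINFO_LEN))
    dst = pktinfo_dst(ancdata)
    ancillary = []
    if dst is not None:
        # ipi_spec_dst overrides the kernel's source-address selection for this
        # datagram; ifindex 0 and ipi_addr zero leave routing to the kernel.
        cmsg = struct.pack(PKTINFO_FMT, 0, socket.inet_aton(dst), b"\x00" * 4)
        ancillary.append((socket.IPPROTO_IP, IP_PKTINFO, cmsg))
    server_sock.sendmsg([b"reply:" + data], ancillary, 0, peer)
    return dst


def exchange(server_addr, request=b"ping"):
    """Send one request to server_addr on a wildcard-bound server and report
    (destination the server saw, source address of the reply, reply payload)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
        server.bind(("0.0.0.0", 0))  # wildcard bind, as WireGuard does by default
        port = server.getsockname()[1]
        client.bind(("127.0.0.1", 0))
        client.settimeout(2)
        client.sendto(request, (server_addr, port))
        # UDP queues the datagram, so the server can be serviced sequentially here.
        dst_seen = serve_one_request(server)
        reply, reply_from = client.recvfrom(1024)
        return dst_seen, reply_from[0], reply
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    # 127.0.0.2 is a second local address on lo (127.0.0.0/8); the reply must
    # come back from it, not from 127.0.0.1, for the client to accept it.
    for addr in ("127.0.0.1", "127.0.0.2"):
        print(addr, "->", exchange(addr))
```

The client's `recvfrom` result is the check that matters: a stateful client, or a WireGuard peer, only accepts the reply if its source matches the endpoint it sent to, which is exactly what breaks on a multihomed server when the source is chosen by route lookup instead.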

Thread overview: 18+ messages
2017-07-28  0:51 Wang Jian
2017-07-31 15:34 ` Jason A. Donenfeld
2017-08-01  2:01   ` Wang Jian
2017-08-01  3:06     ` Jason A. Donenfeld
2017-08-01 11:28       ` Wang Jian
2017-08-03  3:00         ` Wang Jian
2017-08-03 12:59           ` Jason A. Donenfeld
2017-08-03 18:38             ` Wang Jian
2017-08-10 14:29               ` Jason A. Donenfeld
2017-08-10 18:43                 ` Jason A. Donenfeld
2017-08-10 21:17                   ` Jan De Landtsheer
2017-08-10 22:16                 ` Baptiste Jonglez
2017-08-10 23:50                   ` Jason A. Donenfeld
2017-08-12  1:55                     ` Jason A. Donenfeld
2017-08-12 16:08                 ` Wang Jian [this message]
2017-09-07 21:28                   ` Jason A. Donenfeld
2017-09-09  8:26                     ` Wang Jian
2017-09-20 13:15                       ` Jason A. Donenfeld
