On 9/21/25 11:58, Guido Falsi wrote:
On 9/21/25 00:17, Herbert J. Skuhra wrote:
On Sat, 20 Sep 2025 14:31:52 +0200, Guido Falsi wrote:
The branch main has been updated by madpilot:
URL: https://cgit.FreeBSD.org/src/commit/?id=31ec8b6407fdd5a87d70265762457c67ce618283
commit 31ec8b6407fdd5a87d70265762457c67ce618283
Author: Guido Falsi <[email protected]>
AuthorDate: 2025-09-20 12:26:41 +0000
Commit: Guido Falsi <[email protected]>
CommitDate: 2025-09-20 12:31:44 +0000
sys/netinet6: Implement RFC 7217
Implement RFC 7217 (A Method for Generating Semantically Opaque
Interface Identifiers with IPv6 Stateless Address Autoconfiguration
(SLAAC)) in our IPv6 stack.
A new ifconfig `stableaddr` flag is added to enable the feature on
interfaces, which defaults to on or off for new interfaces based
on the sysctl `net.inet6.ip6.use_stableaddr` (off by default, so
this commit causes no change in behavior with default settings).
The algorithm follows the RFC in its logic, using SHA256-HMAC as
the algorithm to derive addresses so as to provide code that can
be leveraged by future implementations of RFC 8981, leveraging the
`hostuuid` as the secret.
The source of the hostidentifier can be configured using the sysctl
`net.inet6.ip6.stableaddr_netifsource`, while the number of retries
generating a new address in case of collision can be configured
using the `net.inet6.ip6.stableaddr_maxretries` sysctl (default 3).
Documentation about all these flags is added to the ifconfig(8) man
page.
Reviewed by: cognet, glebius, hrs
Tested by: [email protected]
Approved by: cognet, glebius
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D49681
---
sbin/ifconfig/af_inet6.c | 2 +
sbin/ifconfig/af_nd6.c | 1 +
sbin/ifconfig/ifconfig.8 | 30 +++++
sys/netinet6/in6.h | 3 +
sys/netinet6/in6_ifattach.c | 275 +++++++++++++++++++++++++++++++++++++-------
sys/netinet6/in6_ifattach.h | 2 +
sys/netinet6/in6_proto.c | 10 ++
sys/netinet6/ip6_input.c | 1 +
sys/netinet6/ip6_var.h | 12 ++
sys/netinet6/nd6.c | 9 ++
sys/netinet6/nd6.h | 2 +
sys/netinet6/nd6_nbr.c | 35 +++++-
sys/netinet6/nd6_rtr.c | 128 +++++++++++++--------
usr.sbin/ndp/ndp.c | 7 ++
14 files changed, 423 insertions(+), 94 deletions(-)
This commit breaks security/netbird:
Management: Disconnected, reason: create wg interface: error creating
tun device: unable to get nd6 flags for tun0: invalid argument
Signal: Disconnected, reason: create wg interface: error creating tun
device: unable to get nd6 flags for tun0: invalid argument
Thanks for reporting this,
I'm going to take a look shortly, although I'm not sure why, since the
functionality is disabled by default.
Hi again,
I'm going to try to reproduce this, but in the meantime, looking at the
source code, the error comes from the wireguard-go package that is being
used by netbird (we also have that in a port of its own BTW).
The code there is manipulating the interface flags at a low level, but
my commit modified that structure. There is some chance that simply
forcing a rebuild and reinstall of the package will "fix" it.
Have you tried that?
If you already have, I'll go on and reproduce locally, if I can.
--
Guido Falsi <[email protected]>
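
The derivation the quoted commit message describes (RFC 7217 with HMAC-SHA256 keyed by the `hostuuid`, retried on collision), as an added Python example that is not part of the original thread and is not the FreeBSD code. The function names, the length-prefixed field encoding, the choice of the low-order 64 bits, the reading of the retry count, and the sample UUID, prefixes and interface name are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample secret in hostuuid form (not a real host's UUID).
SECRET = b"11111111-2222-3333-4444-555555555555"


def _field(data: bytes) -> bytes:
    # Length-prefix each input so adjacent fields cannot run together (assumed encoding).
    return len(data).to_bytes(2, "big") + data


def stable_address(prefix, net_iface, dad_counter, secret, network_id=b""):
    """RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key), F = HMAC-SHA256."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers are 64 bits; expected a /64")
    prefix_bytes = net.network_address.packed[:8]
    msg = (_field(prefix_bytes) + _field(net_iface) + _field(network_id)
           + _field(bytes([dad_counter])))
    rid = hmac.new(secret, msg, hashlib.sha256).digest()
    iid = rid[-8:]  # assumption: the low-order 64 bits of the RID become the IID
    return ipaddress.IPv6Address(prefix_bytes + iid)


def configure_address(prefix, net_iface, secret, in_use, max_retries=3):
    """Return (address, dad_counter), or None if every candidate collides.

    in_use stands in for duplicate address detection; max_retries mirrors the
    default of 3, read here as retries after the first attempt (assumption).
    """
    for dad_counter in range(max_retries + 1):
        addr = stable_address(prefix, net_iface, dad_counter, secret)
        if addr not in in_use:
            return addr, dad_counter
    return None


if __name__ == "__main__":
    home, _ = configure_address("2001:db8:1::/64", b"em0", SECRET, set())
    cafe, _ = configure_address("2001:db8:2::/64", b"em0", SECRET, set())
    print(home, cafe)  # same host and interface, unrelated identifiers per prefix
```

The identifier is stable for a given prefix but changes when the prefix changes, so it cannot be used to correlate a host across networks, and it no longer embeds the MAC address.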