Change maxdgram sysctl variable to host interface mtu

Author: Serock3

test/Cargo.lock

@@ -29,42 +29,21 @@ use test_macro::test_function;
 use test_rpc::ServiceClient;
 
 #[cfg(target_os = "macos")]
-async fn setup_packetfilter_drop_pings_rule(
+async fn set_bridge_interface_mtu(
     max_packet_size: u16,
 ) -> anyhow::Result<scopeguard::ScopeGuard<(), impl FnOnce(())>> {
-    use anyhow::{bail, Context};
-
-    // Enable forwarding
-    let mut cmd = tokio::process::Command::new("/usr/bin/sudo");
-    cmd.args(["/usr/sbin/sysctl", "-n", "net.inet.raw.maxdgram"]);
-    let output = cmd.output().await.context("Run sysctl")?;
-    if !output.status.success() {
-        bail!("sysctl failed: {}", output.status.code().unwrap());
-    }
-    let output = String::from_utf8(output.stdout).unwrap();
-    let previous_maxdgram: u16 = output.trim().parse().unwrap();
-    log::warn!("{}", &previous_maxdgram); // TODO(seb) DELETE ME
-
-    let mut cmd = tokio::process::Command::new("/usr/bin/sudo");
-    cmd.args([
-        "/usr/sbin/sysctl",
-        &format!("net.inet.raw.maxdgram={max_packet_size}"),
-    ]);
-    let output = cmd.output().await.context("Run sysctl")?;
-    if !output.status.success() {
-        bail!("sysctl failed: {}", output.status.code().unwrap());
-    }
+    use anyhow::Context;
+    use test_rpc::net::unix;
+    let bridge_iface = crate::vm::network::macos::find_vm_bridge()
+        .context("Failed to get bridge interface name")?;
+
+    let previous_mtu = unix::get_mtu(bridge_iface)
+        .with_context(|| format!("Failed to get MTU for bridge interface '{bridge_iface}'"))?;
+    unix::set_mtu(bridge_iface, max_packet_size)
+        .with_context(|| format!("Failed to set MTU for bridge interface '{bridge_iface}'"))?;
 
     Ok(scopeguard::guard((), move |()| {
-        let mut cmd = std::process::Command::new("/usr/bin/sudo");
-        cmd.args([
-            "/usr/sbin/sysctl",
-            &format!("net.inet.raw.maxdgram={previous_maxdgram}"),
-        ]);
-        let output = cmd.output().expect("Run sysctl");
-        if !output.status.success() {
-            panic!("sysctl failed: {}", output.status.code().unwrap());
-        }
+        unix::set_mtu(bridge_iface, previous_mtu).expect("Failed to set MTU on bridge interface");
     }))
 }
 
@@ -132,7 +111,7 @@ async fn test_mtu_detection(
     #[cfg(target_os = "linux")]
     let _nft_guard = setup_nftables_drop_pings_rule(MAX_PACKET_SIZE).await;
     #[cfg(target_os = "macos")]
-    let _pf_guard = setup_packetfilter_drop_pings_rule(MAX_PACKET_SIZE).await?;
+    let _mtu_guard = set_bridge_interface_mtu(MAX_PACKET_SIZE).await?;
 
     // Test that the firewall rule works
     log::info!("Sending large ping outside tunnel");

test/test-manager/src/tests/tunnel_state.rs

@@ -29,6 +29,9 @@ hyper-rustls = { version = "0.24", features = ["log", "webpki-roots"] }
 tokio-rustls = "0.24"
 rustls-pemfile = "0.2"
 
+socket2 = { version = "0.5", features = ["all"] }
+libc = "0.2"
+
 [dependencies.tokio-util]
 version = "0.7"
 features = ["codec"]

test/test-rpc/Cargo.toml

@@ -3,6 +3,7 @@ use hyper::{Client, Uri};
 use once_cell::sync::Lazy;
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
 use std::net::SocketAddr;
+
 use tokio_rustls::rustls::ClientConfig;
 
 use crate::{AmIMullvad, Error};
@@ -118,3 +119,99 @@ fn read_cert_store() -> tokio_rustls::rustls::RootCertStore {
 
     cert_store
 }
+
+#[cfg(unix)]
+pub mod unix {
+    use std::{io, os::fd::AsRawFd};
+    // TODO: These functions are copied/derived from `talpid_wireguard::unix`, since we don't want
+    // to depend on the entire `talpid_wireguard` crate. Perhaps they should be moved to a new
+    // crate, e.g. `talpid_unix`?
+
+    #[cfg(target_os = "macos")]
+    const SIOCGIFMTU: u64 = 0xc0206933;
+    #[cfg(target_os = "linux")]
+    const SIOCGIFMTU: u64 = libc::SIOCGIFMTU;
+
+    // #[cfg(target_os = "macos")]
+    pub fn get_mtu(interface_name: &str) -> Result<u16, io::Error> {
+        let sock = socket2::Socket::new(
+            socket2::Domain::IPV4,
+            socket2::Type::STREAM,
+            Some(socket2::Protocol::TCP),
+        )?;
+
+        let mut ifr: libc::ifreq = unsafe { std::mem::zeroed() };
+        if interface_name.len() >= ifr.ifr_name.len() {
+            return Err(io::Error::new(
+                io::ErrorKind::InvalidInput,
+                "Interface name too long",
+            ));
+        }
+
+        // SAFETY: interface_name is shorter than ifr.ifr_name
+        unsafe {
+            std::ptr::copy_nonoverlapping(
+                interface_name.as_ptr() as *const libc::c_char,
+                &mut ifr.ifr_name as *mut _,
+                interface_name.len(),
+            )
+        };
+
+        // TODO: define SIOCGIFMTU for macos
+        // SAFETY: SIOCGIFMTU expects an ifreq, and the socket is valid
+        if unsafe { libc::ioctl(sock.as_raw_fd(), SIOCGIFMTU, &mut ifr) } < 0 {
+            let e = io::Error::last_os_error();
+            log::error!("SIOCGIFMTU failed: {}", e);
+            return Err(e);
+        }
+
+        // SAFETY: ifru_mtu is set since SIOGCIFMTU succeeded
+        Ok(unsafe { ifr.ifr_ifru.ifru_mtu }
+            .try_into()
+            .expect("MTU should fit in u16"))
+    }
+
+    #[cfg(target_os = "macos")]
+    const SIOCSIFMTU: u64 = 0x80206934;
+    #[cfg(target_os = "linux")]
+    const SIOCSIFMTU: u64 = libc::SIOCSIFMTU;
+
+    pub fn set_mtu(interface_name: &str, mtu: u16) -> Result<(), io::Error> {
+        debug_assert_ne!(
+            interface_name, "eth0",
+            "Should be name of mullvad tunnel interface, e.g. 'wg0-mullvad'"
+        );
+
+        let sock = socket2::Socket::new(
+            socket2::Domain::IPV4,
+            socket2::Type::STREAM,
+            Some(socket2::Protocol::TCP),
+        )?;
+
+        let mut ifr: libc::ifreq = unsafe { std::mem::zeroed() };
+        if interface_name.len() >= ifr.ifr_name.len() {
+            return Err(io::Error::new(
+                io::ErrorKind::InvalidInput,
+                "Interface name too long",
+            ));
+        }
+
+        // SAFETY: interface_name is shorter than ifr.ifr_name
+        unsafe {
+            std::ptr::copy_nonoverlapping(
+                interface_name.as_ptr() as *const libc::c_char,
+                &mut ifr.ifr_name as *mut _,
+                interface_name.len(),
+            )
+        };
+        ifr.ifr_ifru.ifru_mtu = mtu as i32;
+
+        // SAFETY: SIOCGIFMTU expects an ifreq, and the socket is valid
+        if unsafe { libc::ioctl(sock.as_raw_fd(), SIOCSIFMTU, &ifr) } < 0 {
+            let e = io::Error::last_os_error();
+            log::error!("SIOCSIFMTU failed: {}", e);
+            return Err(e);
+        }
+        Ok(())
+    }
+}

test/test-rpc/src/net.rs

@@ -247,44 +247,9 @@ pub fn get_interface_mtu(_interface_name: &str) -> Result<u16, test_rpc::Error>
     todo!("Implement setting MTU on macOS")
 }
 
-#[cfg(target_os = "linux")]
+// #[cfg(target_os = "macos")]
 pub fn get_interface_mtu(interface_name: &str) -> Result<u16, test_rpc::Error> {
-    use std::os::fd::AsRawFd;
-
-    let sock = socket2::Socket::new(
-        socket2::Domain::IPV4,
-        socket2::Type::STREAM,
-        Some(socket2::Protocol::TCP),
-    )
-    .map_err(|e| test_rpc::Error::Io(e.to_string()))?;
-
-    let mut ifr: libc::ifreq = unsafe { std::mem::zeroed() };
-    if interface_name.len() >= ifr.ifr_name.len() {
-        panic!("Interface '{interface_name}' name too long")
-    }
-
-    // SAFETY: interface_name is shorter than ifr.ifr_name
-    unsafe {
-        std::ptr::copy_nonoverlapping(
-            interface_name.as_ptr() as *const libc::c_char,
-            &mut ifr.ifr_name as *mut _,
-            interface_name.len(),
-        )
-    };
-
-    // TODO: define SIOCGIFMTU for macos
-    // SAFETY: SIOCGIFMTU expects an ifreq, and the socket is valid
-    if unsafe { libc::ioctl(sock.as_raw_fd(), libc::SIOCGIFMTU, &mut ifr) } < 0 {
-        let e = std::io::Error::last_os_error();
-
-        log::error!("{}", e);
-        return Err(test_rpc::Error::Io(e.to_string()));
-    }
-
-    // SAFETY: ifru_mtu is set since SIOGCIFMTU succeeded
-    Ok(unsafe { ifr.ifr_ifru.ifru_mtu }
-        .try_into()
-        .expect("MTU should fit in u16"))
+    test_rpc::net::unix::get_mtu(interface_name).map_err(|e| test_rpc::Error::Io(e.to_string()))
 }
 
 #[cfg(target_os = "windows")]