authorAlexander Chernavin <achernavin@netgate.com>2022-07-20 12:43:42 +0000
committerFan Zhang <roy.fan.zhang@intel.com>2022-08-08 14:24:06 +0000
commitce91af8ad27e5ddef1e1f8316129bfcaa3de9ef6 (patch)
tree42fa54977a8b413e43d7b03f27ce8a256ad8f109 /src/plugins/wireguard/wireguard_if.c
parent03aae9637922023dd77955cb15caafb7ce309200 (diff)
wireguard: add dos mitigation support
Type: feature

With this change:
- if the number of received handshake messages exceeds the limit calculated from the number of peers, the under-load state is activated;
- if, while under load, a handshake message with a valid mac1 but an invalid mac2 is received, a cookie reply is sent.

Also, cover these with tests.

Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
Diffstat (limited to 'src/plugins/wireguard/wireguard_if.c')
-rw-r--r--src/plugins/wireguard/wireguard_if.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/plugins/wireguard/wireguard_if.c b/src/plugins/wireguard/wireguard_if.c
index fd123471a8c..c4199d23354 100644
--- a/src/plugins/wireguard/wireguard_if.c
+++ b/src/plugins/wireguard/wireguard_if.c
@@ -287,7 +287,7 @@ wg_if_create (u32 user_instance,
return VNET_API_ERROR_INVALID_REGISTRATION;
}
- pool_get (wg_if_pool, wg_if);
+ pool_get_zero (wg_if_pool, wg_if);
/* tunnel index (or instance) */
u32 t_idx = wg_if - wg_if_pool;
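Review bot: The switch to `pool_get_zero` at the allocation in wg_if_create carries no comment saying why zeroing matters, and the reason is not visible in this file's diff. Pool slots are recycled, so with plain `pool_get` a new interface could start with whatever a previously deleted one left in the slot; presumably the state added elsewhere in this commit relies on starting from zero. I would add above the call `/* pool slots are reused: start from a zeroed wg_if so no state from a deleted interface carries over */`. If the struct holds cookie or key material, wiping the slot when it is released in wg_if_delete would be the complementary step, but that release is not shown here. wg_if_create starts and ends outside the hunk.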
@@ -354,6 +354,8 @@ wg_if_delete (u32 sw_if_index)
// Remove peers before interface deletion
wg_if_peer_walk (wg_if, wg_peer_if_delete, NULL);
+ hash_free (wg_if->peers);
+
index_t *ii;
index_t *ifs = wg_if_indexes_get_by_port (wg_if->port);
vec_foreach (ii, ifs)
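Review bot: `hash_free (wg_if->peers)` in wg_if_delete runs straight after the peer walk without checking that the walk actually emptied the table. If `wg_peer_if_delete` ever leaves an entry behind (its body is not visible here), the free would silently drop the index of a peer that still exists and still refers to this interface. A debug check just before the free would catch that: `ASSERT (hash_elts (wg_if->peers) == 0);`. wg_if_delete continues past the end of the hunk, so it is also worth confirming that nothing later in the function reads `wg_if->peers`.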