author | Alexander Chernavin <achernavin@netgate.com> | 2022-07-20 12:43:42 +0000 |
---|---|---|
committer | Fan Zhang <roy.fan.zhang@intel.com> | 2022-08-08 14:24:06 +0000 |
commit | ce91af8ad27e5ddef1e1f8316129bfcaa3de9ef6 (patch) | |
tree | 42fa54977a8b413e43d7b03f27ce8a256ad8f109 /src/plugins/wireguard/wireguard_if.h | |
parent | 03aae9637922023dd77955cb15caafb7ce309200 (diff) |
wireguard: add dos mitigation support
Type: feature
With this change:
- if the number of received handshake messages exceeds the limit
calculated from the number of peers, the under-load state activates;
- if, while under load, a handshake message with a valid mac1 is
received but mac2 is invalid, a cookie reply will be sent.
Also, cover these with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
Diffstat (limited to 'src/plugins/wireguard/wireguard_if.h')
-rw-r--r-- | src/plugins/wireguard/wireguard_if.h | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/src/plugins/wireguard/wireguard_if.h b/src/plugins/wireguard/wireguard_if.h
index 0a042cb2d9b..2a6ab8e4be5 100644
--- a/src/plugins/wireguard/wireguard_if.h
+++ b/src/plugins/wireguard/wireguard_if.h
@@ -36,6 +36,10 @@ typedef struct wg_if_t_
 /* hash table of peers on this link */
 uword *peers;
+
+ /* Under load params */
+ f64 handshake_counting_end;
+ u32 handshake_num;
 } wg_if_t;
@@ -81,6 +85,44 @@ wg_if_indexes_get_by_port (u16 port)
 return (wg_if_indexes_by_port[port]);
 }
+#define HANDSHAKE_COUNTING_INTERVAL 0.5
+#define UNDER_LOAD_INTERVAL 1.0
+#define HANDSHAKE_NUM_PER_PEER_UNTIL_UNDER_LOAD 40
+
+static_always_inline bool
+wg_if_is_under_load (vlib_main_t *vm, wg_if_t *wgi)
+{
+ static f64 wg_under_load_end;
+ f64 now = vlib_time_now (vm);
+ u32 num_until_under_load =
+ hash_elts (wgi->peers) * HANDSHAKE_NUM_PER_PEER_UNTIL_UNDER_LOAD;
+
+ if (wgi->handshake_counting_end < now)
+ {
+ wgi->handshake_counting_end = now + HANDSHAKE_COUNTING_INTERVAL;
+ wgi->handshake_num = 0;
+ }
+ wgi->handshake_num++;
+
+ if (wgi->handshake_num >= num_until_under_load)
+ {
+ wg_under_load_end = now + UNDER_LOAD_INTERVAL;
+ return true;
+ }
+
+ if (wg_under_load_end > now)
+ {
+ return true;
+ }
+
+ return false;
+}
+
+static_always_inline void
+wg_if_dec_handshake_num (wg_if_t *wgi)
+{
+ wgi->handshake_num--;
+}
 #endif |
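Review bot: `wg_if_dec_handshake_num` decrements a u32 without a guard, so a call that lands after `wg_if_is_under_load` has reset `handshake_num` to 0 for a new counting window wraps the counter to UINT32_MAX, which then satisfies `handshake_num >= num_until_under_load` on every call and refreshes `wg_under_load_end` for up to another second; guard it with `if (wgi->handshake_num) wgi->handshake_num--;`. Whether an increment and its matching decrement can straddle a window reset depends on the callers, which are outside this hunk. Separately, `wg_under_load_end` is a function-local static inside a `static_always_inline` header function, so it is shared by every interface (a flood on one interface puts all of them under load) and each translation unit that includes the header gets its own copy; moving it into `wg_if_t` beside the two new fields would make the state per-interface and match the per-interface counting. Because `wg_if_is_under_load` counts a handshake on every call despite its query-like name, a comment such as `/* Counts one received handshake per call: invoke exactly once per handshake message */` above it would prevent double counting by future callers. The non-atomic updates to `handshake_num` and the static are only safe if handshakes are processed on a single thread, which cannot be confirmed from this hunk.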