summaryrefslogtreecommitdiffstats
path: root/src/plugins/wireguard/wireguard_input.c
diff options
context:
space:
mode:
authorAlexander Chernavin <achernavin@netgate.com>2022-07-20 13:01:42 +0000
committerMatthew Smith <mgsmith@netgate.com>2022-08-09 15:42:43 +0000
commita6328e51e0c831ba3f0f4977f776491ac44eaec5 (patch)
tree2824c830f35554ed16887be32065d48f66809c34 /src/plugins/wireguard/wireguard_input.c
parentfd2417b2a42e34062e3d07875e5c4e11922513d5 (diff)
wireguard: add handshake rate limiting support
Type: feature With this change, if being under load a handshake message with both valid mac1 and mac2 is received, the peer will be rate limited. Cover this with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Id8d58bb293a7975c3d922c48b4948fd25e20af4b
Diffstat (limited to 'src/plugins/wireguard/wireguard_input.c')
-rw-r--r--src/plugins/wireguard/wireguard_input.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/plugins/wireguard/wireguard_input.c b/src/plugins/wireguard/wireguard_input.c
index 3f546cc494f..b85cdc610e4 100644
--- a/src/plugins/wireguard/wireguard_input.c
+++ b/src/plugins/wireguard/wireguard_input.c
@@ -25,6 +25,7 @@
#define foreach_wg_input_error \
_ (NONE, "No error") \
_ (HANDSHAKE_MAC, "Invalid MAC handshake") \
+ _ (HANDSHAKE_RATELIMITED, "Handshake ratelimited") \
_ (PEER, "Peer error") \
_ (INTERFACE, "Interface error") \
_ (DECRYPTION, "Failed during decryption") \
@@ -232,6 +233,8 @@ wg_handshake_process (vlib_main_t *vm, wg_main_t *wmp, vlib_buffer_t *b,
packet_needs_cookie = false;
else if (under_load && mac_state == VALID_MAC_BUT_NO_COOKIE)
packet_needs_cookie = true;
+ else if (mac_state == VALID_MAC_WITH_COOKIE_BUT_RATELIMITED)
+ return WG_INPUT_ERROR_HANDSHAKE_RATELIMITED;
else
return WG_INPUT_ERROR_HANDSHAKE_MAC;