summaryrefslogtreecommitdiffstats
path: root/src/plugins/wireguard/wireguard_peer.c
diff options
context:
space:
mode:
authorAlexander Chernavin <achernavin@netgate.com>2022-07-20 12:43:42 +0000
committerFan Zhang <roy.fan.zhang@intel.com>2022-08-08 14:24:06 +0000
commitce91af8ad27e5ddef1e1f8316129bfcaa3de9ef6 (patch)
tree42fa54977a8b413e43d7b03f27ce8a256ad8f109 /src/plugins/wireguard/wireguard_peer.c
parent03aae9637922023dd77955cb15caafb7ce309200 (diff)
wireguard: add dos mitigation support
Type: feature With this change: - if the number of received handshake messages exceeds the limit calculated based on the peers number, under load state will activate; - if being under load a handshake message with a valid mac1 is received, but mac2 is invalid, a cookie reply will be sent. Also, cover these with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
Diffstat (limited to 'src/plugins/wireguard/wireguard_peer.c')
-rw-r--r--src/plugins/wireguard/wireguard_peer.c48
1 files changed, 2 insertions, 46 deletions
diff --git a/src/plugins/wireguard/wireguard_peer.c b/src/plugins/wireguard/wireguard_peer.c
index f5fbc3c178c..589f71272f6 100644
--- a/src/plugins/wireguard/wireguard_peer.c
+++ b/src/plugins/wireguard/wireguard_peer.c
@@ -95,51 +95,6 @@ wg_peer_init (vlib_main_t * vm, wg_peer_t * peer)
wg_peer_clear (vm, peer);
}
-static u8 *
-wg_peer_build_rewrite (const wg_peer_t *peer, u8 is_ip4)
-{
- u8 *rewrite = NULL;
- if (is_ip4)
- {
- ip4_udp_header_t *hdr;
-
- /* reserve space for ip4, udp and wireguard headers */
- vec_validate (rewrite, sizeof (ip4_udp_wg_header_t) - 1);
- hdr = (ip4_udp_header_t *) rewrite;
-
- hdr->ip4.ip_version_and_header_length = 0x45;
- hdr->ip4.ttl = 64;
- hdr->ip4.src_address = peer->src.addr.ip4;
- hdr->ip4.dst_address = peer->dst.addr.ip4;
- hdr->ip4.protocol = IP_PROTOCOL_UDP;
- hdr->ip4.checksum = ip4_header_checksum (&hdr->ip4);
-
- hdr->udp.src_port = clib_host_to_net_u16 (peer->src.port);
- hdr->udp.dst_port = clib_host_to_net_u16 (peer->dst.port);
- hdr->udp.checksum = 0;
- }
- else
- {
- ip6_udp_header_t *hdr;
-
- /* reserve space for ip6, udp and wireguard headers */
- vec_validate (rewrite, sizeof (ip6_udp_wg_header_t) - 1);
- hdr = (ip6_udp_header_t *) rewrite;
-
- hdr->ip6.ip_version_traffic_class_and_flow_label = 0x60;
- ip6_address_copy (&hdr->ip6.src_address, &peer->src.addr.ip6);
- ip6_address_copy (&hdr->ip6.dst_address, &peer->dst.addr.ip6);
- hdr->ip6.protocol = IP_PROTOCOL_UDP;
- hdr->ip6.hop_limit = 64;
-
- hdr->udp.src_port = clib_host_to_net_u16 (peer->src.port);
- hdr->udp.dst_port = clib_host_to_net_u16 (peer->dst.port);
- hdr->udp.checksum = 0;
- }
-
- return (rewrite);
-}
-
static void
wg_peer_adj_stack (wg_peer_t *peer, adj_index_t ai)
{
@@ -327,7 +282,8 @@ wg_peer_fill (vlib_main_t *vm, wg_peer_t *peer, u32 table_id,
peer->src.port = wgi->port;
u8 is_ip4 = ip46_address_is_ip4 (&peer->dst.addr);
- peer->rewrite = wg_peer_build_rewrite (peer, is_ip4);
+ peer->rewrite = wg_build_rewrite (&peer->src.addr, peer->src.port,
+ &peer->dst.addr, peer->dst.port, is_ip4);
u32 ii;
vec_validate (peer->allowed_ips, vec_len (allowed_ips) - 1);