diff options
| author |   Alexander Chernavin <achernavin@netgate.com> | 2022-07-20 12:43:42 +0000 |
|---|---|---|
| committer |   Fan Zhang <roy.fan.zhang@intel.com> | 2022-08-08 14:24:06 +0000 |
| commit | ce91af8ad27e5ddef1e1f8316129bfcaa3de9ef6 (patch) | |
| tree | 42fa54977a8b413e43d7b03f27ce8a256ad8f109 /src/plugins/wireguard/wireguard_send.h | |
| parent | 03aae9637922023dd77955cb15caafb7ce309200 (diff) | |
wireguard: add dos mitigation support
Type: feature
With this change:
- if the number of received handshake messages exceeds the limit
calculated based on the peers number, under load state will activate;
- if being under load a handshake message with a valid mac1 is
received, but mac2 is invalid, a cookie reply will be sent.
Also, cover these with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
Diffstat (limited to 'src/plugins/wireguard/wireguard_send.h')
| -rw-r--r-- | src/plugins/wireguard/wireguard_send.h | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/plugins/wireguard/wireguard_send.h b/src/plugins/wireguard/wireguard_send.h index 9575b84b659..419783a5db2 100644 --- a/src/plugins/wireguard/wireguard_send.h +++ b/src/plugins/wireguard/wireguard_send.h @@ -19,10 +19,17 @@ #include <wireguard/wireguard_peer.h> +u8 *wg_build_rewrite (ip46_address_t *src_addr, u16 src_port, + ip46_address_t *dst_addr, u16 dst_port, u8 is_ip4); bool wg_send_keepalive (vlib_main_t * vm, wg_peer_t * peer); bool wg_send_handshake (vlib_main_t * vm, wg_peer_t * peer, bool is_retry); void wg_send_handshake_from_mt (u32 peer_index, bool is_retry); bool wg_send_handshake_response (vlib_main_t * vm, wg_peer_t * peer); +bool wg_send_handshake_cookie (vlib_main_t *vm, u32 sender_index, + cookie_checker_t *cookie_checker, + message_macs_t *macs, + ip46_address_t *wg_if_addr, u16 wg_if_port, + ip46_address_t *remote_addr, u16 remote_port); always_inline void ip4_header_set_len_w_chksum (ip4_header_t * ip4, u16 len) |