summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorAlexander Chernavin <achernavin@netgate.com>2022-07-20 12:43:42 +0000
committerFan Zhang <roy.fan.zhang@intel.com>2022-08-08 14:24:06 +0000
commitce91af8ad27e5ddef1e1f8316129bfcaa3de9ef6 (patch)
tree42fa54977a8b413e43d7b03f27ce8a256ad8f109 /src
parent03aae9637922023dd77955cb15caafb7ce309200 (diff)
wireguard: add dos mitigation support
Type: feature With this change: - if the number of received handshake messages exceeds the limit calculated based on the peers number, under load state will activate; - if being under load a handshake message with a valid mac1 is received, but mac2 is invalid, a cookie reply will be sent. Also, cover these with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
Diffstat (limited to 'src')
-rw-r--r--src/plugins/wireguard/wireguard_chachapoly.c30
-rw-r--r--src/plugins/wireguard/wireguard_chachapoly.h5
-rw-r--r--src/plugins/wireguard/wireguard_cookie.c19
-rw-r--r--src/plugins/wireguard/wireguard_cookie.h5
-rw-r--r--src/plugins/wireguard/wireguard_if.c4
-rw-r--r--src/plugins/wireguard/wireguard_if.h42
-rw-r--r--src/plugins/wireguard/wireguard_input.c30
-rw-r--r--src/plugins/wireguard/wireguard_peer.c48
-rw-r--r--src/plugins/wireguard/wireguard_send.c98
-rw-r--r--src/plugins/wireguard/wireguard_send.h7
10 files changed, 224 insertions, 64 deletions
diff --git a/src/plugins/wireguard/wireguard_chachapoly.c b/src/plugins/wireguard/wireguard_chachapoly.c
index 961b43f100d..0dd7908d2e2 100644
--- a/src/plugins/wireguard/wireguard_chachapoly.c
+++ b/src/plugins/wireguard/wireguard_chachapoly.c
@@ -61,6 +61,36 @@ wg_chacha20poly1305_calc (vlib_main_t *vm, u8 *src, u32 src_len, u8 *dst,
return (op->status == VNET_CRYPTO_OP_STATUS_COMPLETED);
}
+void
+wg_xchacha20poly1305_encrypt (vlib_main_t *vm, u8 *src, u32 src_len, u8 *dst,
+ u8 *aad, u32 aad_len,
+ u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
+ u8 key[CHACHA20POLY1305_KEY_SIZE])
+{
+ int i;
+ u32 derived_key[CHACHA20POLY1305_KEY_SIZE / sizeof (u32)];
+ u64 h_nonce;
+
+ clib_memcpy (&h_nonce, nonce + 16, sizeof (h_nonce));
+ h_nonce = le64toh (h_nonce);
+ hchacha20 (derived_key, nonce, key);
+
+ for (i = 0; i < (sizeof (derived_key) / sizeof (derived_key[0])); i++)
+ (derived_key[i]) = htole32 ((derived_key[i]));
+
+ uint32_t key_idx;
+
+ key_idx =
+ vnet_crypto_key_add (vm, VNET_CRYPTO_ALG_CHACHA20_POLY1305,
+ (uint8_t *) derived_key, CHACHA20POLY1305_KEY_SIZE);
+
+ wg_chacha20poly1305_calc (vm, src, src_len, dst, aad, aad_len, h_nonce,
+ VNET_CRYPTO_OP_CHACHA20_POLY1305_ENC, key_idx);
+
+ vnet_crypto_key_del (vm, key_idx);
+ wg_secure_zero_memory (derived_key, CHACHA20POLY1305_KEY_SIZE);
+}
+
bool
wg_xchacha20poly1305_decrypt (vlib_main_t *vm, u8 *src, u32 src_len, u8 *dst,
u8 *aad, u32 aad_len,
diff --git a/src/plugins/wireguard/wireguard_chachapoly.h b/src/plugins/wireguard/wireguard_chachapoly.h
index 803774cafe1..f09b2c8dd9d 100644
--- a/src/plugins/wireguard/wireguard_chachapoly.h
+++ b/src/plugins/wireguard/wireguard_chachapoly.h
@@ -27,6 +27,11 @@ bool wg_chacha20poly1305_calc (vlib_main_t *vm, u8 *src, u32 src_len, u8 *dst,
vnet_crypto_op_id_t op_id,
vnet_crypto_key_index_t key_index);
+void wg_xchacha20poly1305_encrypt (vlib_main_t *vm, u8 *src, u32 src_len,
+ u8 *dst, u8 *aad, u32 aad_len,
+ u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
+ u8 key[CHACHA20POLY1305_KEY_SIZE]);
+
bool wg_xchacha20poly1305_decrypt (vlib_main_t *vm, u8 *src, u32 src_len,
u8 *dst, u8 *aad, u32 aad_len,
u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
diff --git a/src/plugins/wireguard/wireguard_cookie.c b/src/plugins/wireguard/wireguard_cookie.c
index 47e8784566f..595b8770e56 100644
--- a/src/plugins/wireguard/wireguard_cookie.c
+++ b/src/plugins/wireguard/wireguard_cookie.c
@@ -58,6 +58,25 @@ cookie_checker_update (cookie_checker_t * cc, uint8_t key[COOKIE_INPUT_SIZE])
}
}
+void
+cookie_checker_create_payload (vlib_main_t *vm, cookie_checker_t *cc,
+ message_macs_t *cm,
+ uint8_t nonce[COOKIE_NONCE_SIZE],
+ uint8_t ecookie[COOKIE_ENCRYPTED_SIZE],
+ ip46_address_t *ip, u16 udp_port)
+{
+ uint8_t cookie[COOKIE_COOKIE_SIZE];
+
+ cookie_checker_make_cookie (vm, cc, cookie, ip, udp_port);
+ RAND_bytes (nonce, COOKIE_NONCE_SIZE);
+
+ wg_xchacha20poly1305_encrypt (vm, cookie, COOKIE_COOKIE_SIZE, ecookie,
+ cm->mac1, COOKIE_MAC_SIZE, nonce,
+ cc->cc_cookie_key);
+
+ wg_secure_zero_memory (cookie, sizeof (cookie));
+}
+
bool
cookie_maker_consume_payload (vlib_main_t *vm, cookie_maker_t *cp,
uint8_t nonce[COOKIE_NONCE_SIZE],
diff --git a/src/plugins/wireguard/wireguard_cookie.h b/src/plugins/wireguard/wireguard_cookie.h
index e4bea90f854..9298ece8db5 100644
--- a/src/plugins/wireguard/wireguard_cookie.h
+++ b/src/plugins/wireguard/wireguard_cookie.h
@@ -82,6 +82,11 @@ typedef struct cookie_checker
void cookie_maker_init (cookie_maker_t *, const uint8_t[COOKIE_INPUT_SIZE]);
void cookie_checker_update (cookie_checker_t *, uint8_t[COOKIE_INPUT_SIZE]);
+void cookie_checker_create_payload (vlib_main_t *vm, cookie_checker_t *cc,
+ message_macs_t *cm,
+ uint8_t nonce[COOKIE_NONCE_SIZE],
+ uint8_t ecookie[COOKIE_ENCRYPTED_SIZE],
+ ip46_address_t *ip, u16 udp_port);
bool cookie_maker_consume_payload (vlib_main_t *vm, cookie_maker_t *cp,
uint8_t nonce[COOKIE_NONCE_SIZE],
uint8_t ecookie[COOKIE_ENCRYPTED_SIZE]);
diff --git a/src/plugins/wireguard/wireguard_if.c b/src/plugins/wireguard/wireguard_if.c
index fd123471a8c..c4199d23354 100644
--- a/src/plugins/wireguard/wireguard_if.c
+++ b/src/plugins/wireguard/wireguard_if.c
@@ -287,7 +287,7 @@ wg_if_create (u32 user_instance,
return VNET_API_ERROR_INVALID_REGISTRATION;
}
- pool_get (wg_if_pool, wg_if);
+ pool_get_zero (wg_if_pool, wg_if);
/* tunnel index (or instance) */
u32 t_idx = wg_if - wg_if_pool;
@@ -354,6 +354,8 @@ wg_if_delete (u32 sw_if_index)
// Remove peers before interface deletion
wg_if_peer_walk (wg_if, wg_peer_if_delete, NULL);
+ hash_free (wg_if->peers);
+
index_t *ii;
index_t *ifs = wg_if_indexes_get_by_port (wg_if->port);
vec_foreach (ii, ifs)
diff --git a/src/plugins/wireguard/wireguard_if.h b/src/plugins/wireguard/wireguard_if.h
index 0a042cb2d9b..2a6ab8e4be5 100644
--- a/src/plugins/wireguard/wireguard_if.h
+++ b/src/plugins/wireguard/wireguard_if.h
@@ -36,6 +36,10 @@ typedef struct wg_if_t_
/* hash table of peers on this link */
uword *peers;
+
+ /* Under load params */
+ f64 handshake_counting_end;
+ u32 handshake_num;
} wg_if_t;
@@ -81,6 +85,44 @@ wg_if_indexes_get_by_port (u16 port)
return (wg_if_indexes_by_port[port]);
}
+#define HANDSHAKE_COUNTING_INTERVAL 0.5
+#define UNDER_LOAD_INTERVAL 1.0
+#define HANDSHAKE_NUM_PER_PEER_UNTIL_UNDER_LOAD 40
+
+static_always_inline bool
+wg_if_is_under_load (vlib_main_t *vm, wg_if_t *wgi)
+{
+ static f64 wg_under_load_end;
+ f64 now = vlib_time_now (vm);
+ u32 num_until_under_load =
+ hash_elts (wgi->peers) * HANDSHAKE_NUM_PER_PEER_UNTIL_UNDER_LOAD;
+
+ if (wgi->handshake_counting_end < now)
+ {
+ wgi->handshake_counting_end = now + HANDSHAKE_COUNTING_INTERVAL;
+ wgi->handshake_num = 0;
+ }
+ wgi->handshake_num++;
+
+ if (wgi->handshake_num >= num_until_under_load)
+ {
+ wg_under_load_end = now + UNDER_LOAD_INTERVAL;
+ return true;
+ }
+
+ if (wg_under_load_end > now)
+ {
+ return true;
+ }
+
+ return false;
+}
+
+static_always_inline void
+wg_if_dec_handshake_num (wg_if_t *wgi)
+{
+ wgi->handshake_num--;
+}
#endif
diff --git a/src/plugins/wireguard/wireguard_input.c b/src/plugins/wireguard/wireguard_input.c
index ef60d50c3da..3f546cc494f 100644
--- a/src/plugins/wireguard/wireguard_input.c
+++ b/src/plugins/wireguard/wireguard_input.c
@@ -32,6 +32,7 @@
_ (HANDSHAKE_SEND, "Failed while sending Handshake") \
_ (HANDSHAKE_RECEIVE, "Failed while receiving Handshake") \
_ (COOKIE_DECRYPTION, "Failed during Cookie decryption") \
+ _ (COOKIE_SEND, "Failed during sending Cookie") \
_ (TOO_BIG, "Packet too big") \
_ (UNDEFINED, "Undefined error") \
_ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)")
@@ -173,7 +174,6 @@ wg_handshake_process (vlib_main_t *vm, wg_main_t *wmp, vlib_buffer_t *b,
u16 udp_dst_port = clib_host_to_net_u16 (uhd->dst_port);;
message_header_t *header = current_b_data;
- under_load = false;
if (PREDICT_FALSE (header->type == MESSAGE_HANDSHAKE_COOKIE))
{
@@ -211,11 +211,13 @@ wg_handshake_process (vlib_main_t *vm, wg_main_t *wmp, vlib_buffer_t *b,
if (NULL == wg_if)
continue;
+ under_load = wg_if_is_under_load (vm, wg_if);
mac_state = cookie_checker_validate_macs (
vm, &wg_if->cookie_checker, macs, current_b_data, len, under_load,
&src_ip, udp_src_port);
if (mac_state == INVALID_MAC)
{
+ wg_if_dec_handshake_num (wg_if);
wg_if = NULL;
continue;
}
@@ -241,8 +243,16 @@ wg_handshake_process (vlib_main_t *vm, wg_main_t *wmp, vlib_buffer_t *b,
if (packet_needs_cookie)
{
- // TODO: Add processing
+
+ if (!wg_send_handshake_cookie (vm, message->sender_index,
+ &wg_if->cookie_checker, macs,
+ &ip_addr_46 (&wg_if->src_ip),
+ wg_if->port, &src_ip, udp_src_port))
+ return WG_INPUT_ERROR_COOKIE_SEND;
+
+ return WG_INPUT_ERROR_NONE;
}
+
noise_remote_t *rp;
if (noise_consume_initiation
(vm, noise_local_get (wg_if->local_idx), &rp,
@@ -271,6 +281,18 @@ wg_handshake_process (vlib_main_t *vm, wg_main_t *wmp, vlib_buffer_t *b,
case MESSAGE_HANDSHAKE_RESPONSE:
{
message_handshake_response_t *resp = current_b_data;
+
+ if (packet_needs_cookie)
+ {
+ if (!wg_send_handshake_cookie (vm, resp->sender_index,
+ &wg_if->cookie_checker, macs,
+ &ip_addr_46 (&wg_if->src_ip),
+ wg_if->port, &src_ip, udp_src_port))
+ return WG_INPUT_ERROR_COOKIE_SEND;
+
+ return WG_INPUT_ERROR_NONE;
+ }
+
index_t peeri = INDEX_INVALID;
u32 *entry =
wg_index_table_lookup (&wmp->index_table, resp->receiver_index);
@@ -292,10 +314,6 @@ wg_handshake_process (vlib_main_t *vm, wg_main_t *wmp, vlib_buffer_t *b,
{
return WG_INPUT_ERROR_PEER;
}
- if (packet_needs_cookie)
- {
- // TODO: Add processing
- }
// set_peer_address (peer, ip4_src, udp_src_port);
if (noise_remote_begin_session (vm, &peer->remote))
diff --git a/src/plugins/wireguard/wireguard_peer.c b/src/plugins/wireguard/wireguard_peer.c
index f5fbc3c178c..589f71272f6 100644
--- a/src/plugins/wireguard/wireguard_peer.c
+++ b/src/plugins/wireguard/wireguard_peer.c
@@ -95,51 +95,6 @@ wg_peer_init (vlib_main_t * vm, wg_peer_t * peer)
wg_peer_clear (vm, peer);
}
-static u8 *
-wg_peer_build_rewrite (const wg_peer_t *peer, u8 is_ip4)
-{
- u8 *rewrite = NULL;
- if (is_ip4)
- {
- ip4_udp_header_t *hdr;
-
- /* reserve space for ip4, udp and wireguard headers */
- vec_validate (rewrite, sizeof (ip4_udp_wg_header_t) - 1);
- hdr = (ip4_udp_header_t *) rewrite;
-
- hdr->ip4.ip_version_and_header_length = 0x45;
- hdr->ip4.ttl = 64;
- hdr->ip4.src_address = peer->src.addr.ip4;
- hdr->ip4.dst_address = peer->dst.addr.ip4;
- hdr->ip4.protocol = IP_PROTOCOL_UDP;
- hdr->ip4.checksum = ip4_header_checksum (&hdr->ip4);
-
- hdr->udp.src_port = clib_host_to_net_u16 (peer->src.port);
- hdr->udp.dst_port = clib_host_to_net_u16 (peer->dst.port);
- hdr->udp.checksum = 0;
- }
- else
- {
- ip6_udp_header_t *hdr;
-
- /* reserve space for ip6, udp and wireguard headers */
- vec_validate (rewrite, sizeof (ip6_udp_wg_header_t) - 1);
- hdr = (ip6_udp_header_t *) rewrite;
-
- hdr->ip6.ip_version_traffic_class_and_flow_label = 0x60;
- ip6_address_copy (&hdr->ip6.src_address, &peer->src.addr.ip6);
- ip6_address_copy (&hdr->ip6.dst_address, &peer->dst.addr.ip6);
- hdr->ip6.protocol = IP_PROTOCOL_UDP;
- hdr->ip6.hop_limit = 64;
-
- hdr->udp.src_port = clib_host_to_net_u16 (peer->src.port);
- hdr->udp.dst_port = clib_host_to_net_u16 (peer->dst.port);
- hdr->udp.checksum = 0;
- }
-
- return (rewrite);
-}
-
static void
wg_peer_adj_stack (wg_peer_t *peer, adj_index_t ai)
{
@@ -327,7 +282,8 @@ wg_peer_fill (vlib_main_t *vm, wg_peer_t *peer, u32 table_id,
peer->src.port = wgi->port;
u8 is_ip4 = ip46_address_is_ip4 (&peer->dst.addr);
- peer->rewrite = wg_peer_build_rewrite (peer, is_ip4);
+ peer->rewrite = wg_build_rewrite (&peer->src.addr, peer->src.port,
+ &peer->dst.addr, peer->dst.port, is_ip4);
u32 ii;
vec_validate (peer->allowed_ips, vec_len (allowed_ips) - 1);
diff --git a/src/plugins/wireguard/wireguard_send.c b/src/plugins/wireguard/wireguard_send.c
index 53692f074da..509fe70c777 100644
--- a/src/plugins/wireguard/wireguard_send.c
+++ b/src/plugins/wireguard/wireguard_send.c
@@ -41,7 +41,7 @@ ip46_enqueue_packet (vlib_main_t *vm, u32 bi0, int is_ip4)
}
static void
-wg_buffer_prepend_rewrite (vlib_buffer_t *b0, const wg_peer_t *peer, u8 is_ip4)
+wg_buffer_prepend_rewrite (vlib_buffer_t *b0, const u8 *rewrite, u8 is_ip4)
{
if (is_ip4)
{
@@ -52,7 +52,7 @@ wg_buffer_prepend_rewrite (vlib_buffer_t *b0, const wg_peer_t *peer, u8 is_ip4)
hdr4 = vlib_buffer_get_current (b0);
/* copy only ip4 and udp header; wireguard header not needed */
- clib_memcpy (hdr4, peer->rewrite, sizeof (ip4_udp_header_t));
+ clib_memcpy (hdr4, rewrite, sizeof (ip4_udp_header_t));
hdr4->udp.length =
clib_host_to_net_u16 (b0->current_length - sizeof (ip4_header_t));
@@ -68,7 +68,7 @@ wg_buffer_prepend_rewrite (vlib_buffer_t *b0, const wg_peer_t *peer, u8 is_ip4)
hdr6 = vlib_buffer_get_current (b0);
/* copy only ip6 and udp header; wireguard header not needed */
- clib_memcpy (hdr6, peer->rewrite, sizeof (ip6_udp_header_t));
+ clib_memcpy (hdr6, rewrite, sizeof (ip6_udp_header_t));
hdr6->udp.length =
clib_host_to_net_u16 (b0->current_length - sizeof (ip6_header_t));
@@ -78,7 +78,7 @@ wg_buffer_prepend_rewrite (vlib_buffer_t *b0, const wg_peer_t *peer, u8 is_ip4)
}
static bool
-wg_create_buffer (vlib_main_t *vm, const wg_peer_t *peer, const u8 *packet,
+wg_create_buffer (vlib_main_t *vm, const u8 *rewrite, const u8 *packet,
u32 packet_len, u32 *bi, u8 is_ip4)
{
u32 n_buf0 = 0;
@@ -95,11 +95,57 @@ wg_create_buffer (vlib_main_t *vm, const wg_peer_t *peer, const u8 *packet,
b0->current_length = packet_len;
- wg_buffer_prepend_rewrite (b0, peer, is_ip4);
+ wg_buffer_prepend_rewrite (b0, rewrite, is_ip4);
return true;
}
+u8 *
+wg_build_rewrite (ip46_address_t *src_addr, u16 src_port,
+ ip46_address_t *dst_addr, u16 dst_port, u8 is_ip4)
+{
+ u8 *rewrite = NULL;
+ if (is_ip4)
+ {
+ ip4_udp_header_t *hdr;
+
+ /* reserve space for ip4, udp and wireguard headers */
+ vec_validate (rewrite, sizeof (ip4_udp_wg_header_t) - 1);
+ hdr = (ip4_udp_header_t *) rewrite;
+
+ hdr->ip4.ip_version_and_header_length = 0x45;
+ hdr->ip4.ttl = 64;
+ hdr->ip4.src_address = src_addr->ip4;
+ hdr->ip4.dst_address = dst_addr->ip4;
+ hdr->ip4.protocol = IP_PROTOCOL_UDP;
+ hdr->ip4.checksum = ip4_header_checksum (&hdr->ip4);
+
+ hdr->udp.src_port = clib_host_to_net_u16 (src_port);
+ hdr->udp.dst_port = clib_host_to_net_u16 (dst_port);
+ hdr->udp.checksum = 0;
+ }
+ else
+ {
+ ip6_udp_header_t *hdr;
+
+ /* reserve space for ip6, udp and wireguard headers */
+ vec_validate (rewrite, sizeof (ip6_udp_wg_header_t) - 1);
+ hdr = (ip6_udp_header_t *) rewrite;
+
+ hdr->ip6.ip_version_traffic_class_and_flow_label = 0x60;
+ ip6_address_copy (&hdr->ip6.src_address, &src_addr->ip6);
+ ip6_address_copy (&hdr->ip6.dst_address, &dst_addr->ip6);
+ hdr->ip6.protocol = IP_PROTOCOL_UDP;
+ hdr->ip6.hop_limit = 64;
+
+ hdr->udp.src_port = clib_host_to_net_u16 (src_port);
+ hdr->udp.dst_port = clib_host_to_net_u16 (dst_port);
+ hdr->udp.checksum = 0;
+ }
+
+ return (rewrite);
+}
+
bool
wg_send_handshake (vlib_main_t * vm, wg_peer_t * peer, bool is_retry)
{
@@ -135,8 +181,8 @@ wg_send_handshake (vlib_main_t * vm, wg_peer_t * peer, bool is_retry)
u8 is_ip4 = ip46_address_is_ip4 (&peer->dst.addr);
u32 bi0 = 0;
- if (!wg_create_buffer (vm, peer, (u8 *) &packet, sizeof (packet), &bi0,
- is_ip4))
+ if (!wg_create_buffer (vm, peer->rewrite, (u8 *) &packet, sizeof (packet),
+ &bi0, is_ip4))
return false;
ip46_enqueue_packet (vm, bi0, is_ip4);
@@ -211,8 +257,8 @@ wg_send_keepalive (vlib_main_t * vm, wg_peer_t * peer)
u8 is_ip4 = ip46_address_is_ip4 (&peer->dst.addr);
packet->header.type = MESSAGE_DATA;
- if (!wg_create_buffer (vm, peer, (u8 *) packet, size_of_packet, &bi0,
- is_ip4))
+ if (!wg_create_buffer (vm, peer->rewrite, (u8 *) packet, size_of_packet,
+ &bi0, is_ip4))
{
ret = false;
goto out;
@@ -252,8 +298,8 @@ wg_send_handshake_response (vlib_main_t * vm, wg_peer_t * peer)
u32 bi0 = 0;
u8 is_ip4 = ip46_address_is_ip4 (&peer->dst.addr);
- if (!wg_create_buffer (vm, peer, (u8 *) &packet, sizeof (packet),
- &bi0, is_ip4))
+ if (!wg_create_buffer (vm, peer->rewrite, (u8 *) &packet,
+ sizeof (packet), &bi0, is_ip4))
return false;
ip46_enqueue_packet (vm, bi0, is_ip4);
@@ -264,6 +310,36 @@ wg_send_handshake_response (vlib_main_t * vm, wg_peer_t * peer)
return false;
}
+bool
+wg_send_handshake_cookie (vlib_main_t *vm, u32 sender_index,
+ cookie_checker_t *cookie_checker,
+ message_macs_t *macs, ip46_address_t *wg_if_addr,
+ u16 wg_if_port, ip46_address_t *remote_addr,
+ u16 remote_port)
+{
+ message_handshake_cookie_t packet;
+ u8 *rewrite;
+
+ packet.header.type = MESSAGE_HANDSHAKE_COOKIE;
+ packet.receiver_index = sender_index;
+
+ cookie_checker_create_payload (vm, cookie_checker, macs, packet.nonce,
+ packet.encrypted_cookie, remote_addr,
+ remote_port);
+
+ u32 bi0 = 0;
+ u8 is_ip4 = ip46_address_is_ip4 (remote_addr);
+ rewrite = wg_build_rewrite (wg_if_addr, wg_if_port, remote_addr, remote_port,
+ is_ip4);
+ if (!wg_create_buffer (vm, rewrite, (u8 *) &packet, sizeof (packet), &bi0,
+ is_ip4))
+ return false;
+
+ ip46_enqueue_packet (vm, bi0, is_ip4);
+
+ return true;
+}
+
/*
* fd.io coding-style-patch-verification: ON
*
diff --git a/src/plugins/wireguard/wireguard_send.h b/src/plugins/wireguard/wireguard_send.h
index 9575b84b659..419783a5db2 100644
--- a/src/plugins/wireguard/wireguard_send.h
+++ b/src/plugins/wireguard/wireguard_send.h
@@ -19,10 +19,17 @@
#include <wireguard/wireguard_peer.h>
+u8 *wg_build_rewrite (ip46_address_t *src_addr, u16 src_port,
+ ip46_address_t *dst_addr, u16 dst_port, u8 is_ip4);
bool wg_send_keepalive (vlib_main_t * vm, wg_peer_t * peer);
bool wg_send_handshake (vlib_main_t * vm, wg_peer_t * peer, bool is_retry);
void wg_send_handshake_from_mt (u32 peer_index, bool is_retry);
bool wg_send_handshake_response (vlib_main_t * vm, wg_peer_t * peer);
+bool wg_send_handshake_cookie (vlib_main_t *vm, u32 sender_index,
+ cookie_checker_t *cookie_checker,
+ message_macs_t *macs,
+ ip46_address_t *wg_if_addr, u16 wg_if_port,
+ ip46_address_t *remote_addr, u16 remote_port);
always_inline void
ip4_header_set_len_w_chksum (ip4_header_t * ip4, u16 len)