diff options
| author |   Artem Glazychev <artem.glazychev@xored.com> | 2022-10-25 18:48:40 +0700 |
|---|---|---|
| committer |   Fan Zhang <fanzhang.oss@gmail.com> | 2022-11-29 14:15:00 +0000 |
| commit | b9e391e7b08ed8f6f32401eae5d6525aab904737 (patch) | |
| tree | 627fb55cfa24d47a0a643813d43f5977172d8831 /src | |
| parent | 3f885f97f0bb812296cb549acd3c4b8fc17de0c9 (diff) | |
wireguard: compute checksum for outer ipv6 header
Type: fix
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I477e92712e441c91789afdf9be389d967acfa799
Diffstat (limited to 'src')
| -rw-r--r-- | src/plugins/wireguard/wireguard_output_tun.c | 31 | ||||
| -rw-r--r-- | src/plugins/wireguard/wireguard_send.c | 12 |
2 files changed, 41 insertions, 2 deletions
diff --git a/src/plugins/wireguard/wireguard_output_tun.c b/src/plugins/wireguard/wireguard_output_tun.c index d1b1d6bb8f0..f613d6c0c16 100644 --- a/src/plugins/wireguard/wireguard_output_tun.c +++ b/src/plugins/wireguard/wireguard_output_tun.c @@ -307,6 +307,22 @@ error: return ret; } +static_always_inline void +wg_calc_checksum (vlib_main_t *vm, vlib_buffer_t *b) +{ + int bogus = 0; + u8 ip_ver_out = (*((u8 *) vlib_buffer_get_current (b)) >> 4); + + /* IPv6 UDP checksum is mandatory */ + if (ip_ver_out == 6) + { + ip6_header_t *ip6 = + (ip6_header_t *) ((u8 *) vlib_buffer_get_current (b)); + udp_header_t *udp = ip6_next_header (ip6); + udp->checksum = ip6_tcp_udp_icmp_compute_checksum (vm, b, ip6, &bogus); + } +} + /* is_ip4 - inner header flag */ always_inline uword wg_output_tun_inline (vlib_main_t *vm, vlib_node_runtime_t *node, @@ -555,6 +571,14 @@ wg_output_tun_inline (vlib_main_t *vm, vlib_node_runtime_t *node, /* wg-output-process-ops */ wg_output_process_ops (vm, node, ptd->crypto_ops, sync_bufs, nexts, drop_next); + + int n_left_from_sync_bufs = n_sync; + while (n_left_from_sync_bufs > 0) + { + n_left_from_sync_bufs--; + wg_calc_checksum (vm, sync_bufs[n_left_from_sync_bufs]); + } + vlib_buffer_enqueue_to_next (vm, node, sync_bi, nexts, n_sync); } if (n_async) @@ -627,6 +651,11 @@ wg_output_tun_post (vlib_main_t *vm, vlib_node_runtime_t *node, next[2] = (wg_post_data (b[2]))->next_index; next[3] = (wg_post_data (b[3]))->next_index; + wg_calc_checksum (vm, b[0]); + wg_calc_checksum (vm, b[1]); + wg_calc_checksum (vm, b[2]); + wg_calc_checksum (vm, b[3]); + if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE)) { if (b[0]->flags & VLIB_BUFFER_IS_TRACED) @@ -671,6 +700,8 @@ wg_output_tun_post (vlib_main_t *vm, vlib_node_runtime_t *node, while (n_left > 0) { + wg_calc_checksum (vm, b[0]); + next[0] = (wg_post_data (b[0]))->next_index; if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) && (b[0]->flags & VLIB_BUFFER_IS_TRACED))) diff --git a/src/plugins/wireguard/wireguard_send.c b/src/plugins/wireguard/wireguard_send.c index adfa5cac3de..72fa11034bf 100644 --- a/src/plugins/wireguard/wireguard_send.c +++ b/src/plugins/wireguard/wireguard_send.c @@ -41,7 +41,8 @@ ip46_enqueue_packet (vlib_main_t *vm, u32 bi0, int is_ip4) } static void -wg_buffer_prepend_rewrite (vlib_buffer_t *b0, const u8 *rewrite, u8 is_ip4) +wg_buffer_prepend_rewrite (vlib_main_t *vm, vlib_buffer_t *b0, + const u8 *rewrite, u8 is_ip4) { if (is_ip4) { @@ -72,6 +73,13 @@ wg_buffer_prepend_rewrite (vlib_buffer_t *b0, const u8 *rewrite, u8 is_ip4) hdr6->ip6.payload_length = hdr6->udp.length = clib_host_to_net_u16 (b0->current_length - sizeof (ip6_header_t)); + + /* IPv6 UDP checksum is mandatory */ + int bogus = 0; + ip6_header_t *ip6_0 = &(hdr6->ip6); + hdr6->udp.checksum = + ip6_tcp_udp_icmp_compute_checksum (vm, b0, ip6_0, &bogus); + ASSERT (bogus == 0); } } @@ -93,7 +101,7 @@ wg_create_buffer (vlib_main_t *vm, const u8 *rewrite, const u8 *packet, b0->current_length = packet_len; - wg_buffer_prepend_rewrite (b0, rewrite, is_ip4); + wg_buffer_prepend_rewrite (vm, b0, rewrite, is_ip4); return true; } |