summaryrefslogtreecommitdiffstats
path: root/src/plugins/wireguard/wireguard_peer.c
AgeCommit message (Collapse)AuthorFilesLines
2023-01-26wireguard: sending the first handshakeArtem Glazychev1-10/+2
After creating a peer, we send a handshake request. But it's not quite right to call wg_send_keepalive() directly. According to documentation, handshake initiation is sent after (REKEY_TIMEOUT + jitter) ms. Since it's the first one - we don't need to take REKEY_TIMEOUT into account, but we still have jitter. It also makes no sense to immediately send keepalives, because the connection is not created yet. Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I61707e4be79be65abc3396b5f1dbd48ecbf7ba60
2022-12-01wireguard: add atomic mutexGabriel Oginski1-0/+1
The initiate handshake process can be called a numbers times for each peers, then the main VPP thread called by Wireguard starting to allocate memory. This behaviour can lead to out of memory when VPP has a lot of Wireguard tunnels concurrently. This fix add mutex to send only once handshake initiate at time for each peers. Type: fix Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I13b4b2d47021753926d42a38ccadb36a411c5b79
2022-09-27wireguard: stop sending handshakes when wg intf is downAlexander Chernavin1-3/+66
Type: fix Currently, when a wg interface is administratively disabled initially or during operation, handshake packets continue to be sent. Data packets stop being sent because routes pointing to the wg interface will not be used. But data keys remain. With this fix, when a wg interface is administratively disabled during peer creation, avoid connection initialization to the peer. Data keys and timers should be empty at this point. When a wg interface is disabled during operation, disable all peers (i.e. stop all timers, clear data keys, etc.). Thus, state should be identical in both cases. When a wg interface is administratively enabled, enable all peers (i.e. get ready to exchange data packets and initiate a connection). Also, cover these scenarios with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ie9a620077e55d519d21b0abc8c0d3c87b378bca3
2022-08-17wireguard: fix fib entry trackingAlexander Chernavin1-45/+34
Type: fix After peers roaming support addition, FIB entry tracking stopped working. For example, it can be observed when an adjacency is stacked on a FIB entry by the plugin and the FIB entry hasn't got ARP resolution yet. Once the FIB entry gets ARP resolution, the adjacency is not re-stacked as it used to. This results in endless ARP requests when a traffic is sent via the adjacency. This is broken because the plugin stopped using "midchain delegate" with peers roaming support addition. The reason is that "midchain delegate" didn't support stacking on a different FIB entry which is needed when peer's endpoint changes. Now it is supported there (added in 36892). With this fix, start using "midchane delegate" again and thus, fix FIB entry tracking. Also, cover this in tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Iea91f38739ab129e601fd6567b52565dbd649371
2022-08-09wireguard: add peers roaming supportAlexander Chernavin1-23/+102
Type: feature With this change, peers are able to roam between different external endpoints. Successfully authenticated handshake or data packet that is received from a new endpoint will cause the peer's endpoint to be updated accordingly. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ib4eb7dfa3403f3fb9e8bbe19ba6237c4960c764c
2022-08-08wireguard: add dos mitigation supportAlexander Chernavin1-46/+2
Type: feature With this change: - if the number of received handshake messages exceeds the limit calculated based on the peers number, under load state will activate; - if being under load a handshake message with a valid mac1 is received, but mac2 is invalid, a cookie reply will be sent. Also, cover these with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
2021-11-03wireguard: reduce memcopy and prefetch headerGabriel Oginski1-2/+4
Originally wireguard implementation does memory copy of the whole packet in encryption and decryption. This patch removes unnecessary packet copy in wireguard. In addition, it contains some performance improvement such as prefetching header and deleting unnecessary lock and unlock for decryption. Type: improvement Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I1fe8e54d749e6922465341083b448c842e2b670f
2021-10-06wireguard: add events for peerArtem Glazychev1-8/+29
we can receive events from peer about its state: -WIREGUARD_PEER_STATUS_DEAD -WIREGUARD_PEER_ESTABLISHED Type: improvement Change-Id: Ide83fbe2cfafa79ded5bcf3f6a884c26a7583db0 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-10-06wireguard: add ipv6 supportArtem Glazychev1-22/+106
Type: improvement Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: If1a7e82ce163c4c4acaa5acf45ad2b88371396f6
2021-10-04wireguard: use the same udp-port for multi-tunnelArtem Glazychev1-0/+7
now we can reuse udp-port for many wireguard interfaces Type: improvement Change-Id: I14b5a9dbe917d83300ccb4d6907743d88355e5c5 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-09-30wireguard: move adjacency processing from wireguard_peer to wireguard_interfaceArtem Glazychev1-124/+86
now we should add routes manually Type: improvement Change-Id: I877511a18854efdfad02939267d38a216b2ccec3 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-09-23wireguard: fix wg-output-tun feature configurationAloys Augustin1-3/+0
The removed code caused the feature to be wrongly removed on the wg interface. Type: fix Signed-off-by: Aloys Augustin <aloaugus@cisco.com> Change-Id: I998e01ec231527128eaeae78bcc7576ac00e5b12
2021-02-11wireguard: testing alternative timer dispatchMohammed Hawari1-0/+1
Change-Id: I645bb0a31b333a6160c74987dddb3fb50ff154d8 Type: improvement Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
2020-12-14misc: move to new pool_foreach macrosDamjan Marion1-5/+5
Type: refactor Change-Id: Ie67dc579e88132ddb1ee4a34cb69f96920101772 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-09-29wireguard: fix license headersArtem Glazychev1-0/+1
Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: If5cc8894e0d1785dd04ab1e460e017580c9b41ce
2020-09-23wireguard: add handoff nodeArtem Glazychev1-23/+35
All timer and control plane functions happen from main thread Type: fix Change-Id: I4fc333c644485cd17e6f426493feef91688d9b24 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2020-09-14wireguard: increase FIB source priorityNeale Ranns1-2/+7
Type: fix Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Icc1c458474d357c7d9b3b4df1897500de0c314a1
2020-09-12wireguard: Fix for tunnel encapNeale Ranns1-3/+4
Type: fix add UT for sneding handshale init and transport packets Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Iab1ed8864c666d5a0ae0b2364a9ca4de3c8770dc
2020-09-09wireguard: initial implementation of wireguard protocolArtem Glazychev1-0/+418
Type: feature The main information about plugin you can see in README.md vpp# wireguard ? wireguard create wireguard create listen-port <port> private-key <key> src <IP> [generate-key] wireguard delete wireguard delete <interface> wireguard peer add wireguard peer add <wg_int> public-key <pub_key_other>endpoint <ip4_dst> allowed-ip <prefix>dst-port [port_dst] persistent-keepalive [keepalive_interval] wireguard peer remove wireguard peer remove <index> Change-Id: I85eb0bfc033ccfb2045696398d8a108b1c64b8d9 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Jim Thompson <jim@netgate.com> Signed-off-by: Neale Ranns <nranns@cisco.com> Signed-off-by: Damjan Marion <damarion@cisco.com>