Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: fix
After peers roaming support addition, FIB entry tracking stopped
working. For example, it can be observed when an adjacency is stacked on
a FIB entry by the plugin and the FIB entry hasn't got ARP resolution
yet. Once the FIB entry gets ARP resolution, the adjacency is not
re-stacked as it used to. This results in endless ARP requests when a
traffic is sent via the adjacency.
This is broken because the plugin stopped using "midchain delegate" with
peers roaming support addition. The reason is that "midchain delegate"
didn't support stacking on a different FIB entry which is needed when
peer's endpoint changes. Now it is supported there (added in 36892).
With this fix, start using "midchane delegate" again and thus, fix FIB
entry tracking. Also, cover this in tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Iea91f38739ab129e601fd6567b52565dbd649371
|
|
Type: feature
With this change, peers are able to roam between different external
endpoints. Successfully authenticated handshake or data packet that is
received from a new endpoint will cause the peer's endpoint to be
updated accordingly.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ib4eb7dfa3403f3fb9e8bbe19ba6237c4960c764c
|
|
Type: feature
With this change, if being under load a handshake message with both
valid mac1 and mac2 is received, the peer will be rate limited. Cover
this with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Id8d58bb293a7975c3d922c48b4948fd25e20af4b
|
|
Type: feature
With this change:
- if the number of received handshake messages exceeds the limit
calculated based on the peers number, under load state will activate;
- if being under load a handshake message with a valid mac1 is
received, but mac2 is invalid, a cookie reply will be sent.
Also, cover these with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
|
|
Type: feature
Currently, if a handshake message is sent and a cookie message is
received in reply, the cookie message will be ignored. Thus, further
handshake messages will not have valid mac2 and handshake will not be
able to be completed.
With this change, process received cookie messages to be able to
calculate mac2 for further handshake messages sent. Cover this with
tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I6d51459778b7145be7077badec479b2aa85960b9
|
|
Type: fix
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I62f13ee8cb9b86f8106505fd32a03d66c1a73bce
|
|
Type: improvement
When packets were received and processed successfully, increment the
byte/packet counters for the tunnel interface.
Change-Id: I42855607ac6916de641be42aac86c9942cc97140
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
Currently, neighbor adjacencies on a wg interface are converted into a
midchain only if one of the peers has a matching allowed prefix
configured. If create a route that goes through a wg interface but the
next-hop address does not match any allowed prefixes, an ARP/ND request
will try to be sent via the wg interface to resolve the next-hop address
when matching traffic occurs. And sending an ARP request will cause VPP
to crash while copying hardware address of the wg interface which is
NULL. Sending an ND message will not cause VPP to crash but the error
logged will be unclear (no source address).
With this fix, convert all neighbor adjacencies on a wg interface into a
midchain and update tests to cover the case. If there is no matching
allowed prefix configured, traffic going such routes will be dropped
because of "Peer error". No changes if there is matching allowed prefix
configured.
Also, fix getting peer by adjacency index.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I15bc1e1f83de719e97edf3f7210a5359a35bddbd
|
|
Type: improvement
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I446eb86c097d1bf99f05ee47f1c550689d70ced2
|
|
An unexpected packet that shows up on a Wireguard interace
that happens not to have a forwarding peer will cause a
segfault trying to index the vector of peers by adjacency.
Rather than segfaulting, recognize a non-adjacent packet
and drop it instead.
This leaves open the question of what _should_ be
happening to, say, IPv6 multicast packets.
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Type: fix
Fixes: edca1325cf296bd0f5ff422fc12de2ce7a7bad88
Change-Id: Ic0a29e6cf6fe812a4895ec11bedcca86c62e590b
|
|
Just like commit 252647482b24bb3474e8f13bc86100718176832f
did for Wireguard interface keys, prevent stack smashing
the peer keys.
Integer math on 32 bytes of base64 data might yield 33 bytes
of data in some poorly formed user input of private key values.
Rather than smashing the stack (detected) and aborting, simply
allow for the possible yet irrelevant 33-rd byte of data.
Type: fix
Fixes: edca1325cf296bd0f5ff422fc12de2ce7a7bad88
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I9f77b3faaaa01d3123b356c958db60c87238db9c
|
|
- Add peer_index, table_id, and keep-alive.
- Fix some lingering cut-n-paste issues in the API file.
Type: improvement
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I6fc0729ba0268bbcda0248f680979c44e68b6b0c
|
|
Include the user_instance in wireguard interface details.
In addition to dumping all wireguard interface details,
also allow selective dumping of just one interface.
Type: improvement
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: Iaf1093c6ae3eb00a685f34b2e0171285b02fae2b
|
|
Type: fix
Fixed coverity-issue CID 248517.
Originally possible passing null pointer to one function and directly
dereferences it.
This patch fixes the issue by add a new condition to check this
pointer.
Change-Id: If506abaf08c9f003860b641971af291f68613c18
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
|
|
Integer math on 32 bytes of base64 data might yield 33 bytes
of data in some poorly formed user input of private key values.
Rather than smashing the stack (detected) and aborting, simply
allow for the possible yet irrelevant 33-rd byte of data.
Type: fix
Fixes: edca1325cf296bd0f5ff422fc12de2ce7a7bad88
Change-Id: I42acfbf3e8fbb3d517e21c53d4f80459d4800e9d
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Type: fix
Fixed coverity-issue CID 248517.
Originally possibly passing null pointer to one function and
directly dereferences it.
This patch fixes the problem by add a new condition.
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I02fc6fb5d1cfd6138ea4ba2b1946fd8a7ef34d3b
|
|
If the user supplies an instance number when creating a wireguard
interface, it should be used in the device name. If no user-instance
is given, the device instnce (tunnel number) is used.
For example:
vpp# wireguard create instance 17 listen-port 23023 src 1.2.3.4
private-key MDEwMjAzMDQwNTA2MDcwODA5MTAxMTEyMTMxNDE1MTY=
wg17
Type: fix
Fixes: edca1325cf296bd0f5ff422fc12de2ce7a7bad88
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: Ibf51868bf7b4b9e8a3f85557d05667207873bc91
|
|
Type: refactor
IP4 does not depend on TCP (it's the other way around).
This upside down dependency leads to some nasty circular includes when trying to use ip46_address.h in interface.h
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I4a1bd21543b08b9c1cf1e5563da738414734a878
|
|
Fixed coverity-issue CID 248456.
Originally passing argument of type "uint64_t *" to function:
"memcopy_s_inline".
This patch fixes the problem by changing type of passing argument and
make a portable assumption.
Type: fix
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I17e4583a05ea1263e4d8a4acc9949454e5fd92c0
|
|
Originally wireguard doesn't support async mode for decryption packets.
This patch add async mode for decryption in wireguard.
In addition, it contains some performance improvement such as
prefetching packet header and reducing the number of current time
function calls.
Type: improvement
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: Ieba6ae0078f3ff140c05b517891afb57232b3b7d
|
|
Originally wireguard doesn't support async mode for encryption packets.
This patch add async mode for encryption in wireguard and also adds
support chacha20-poly1305 algorithm in cryptodev for async handler.
In addition it contains new command line to activate async mode for wireguard:
set wireguard async mode on|off
and also add new command to check active mode for wireguard:
show wireguard mode
Type: improvement
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I141d48b42ee8dbff0112b8542ab5205268089da6
|
|
Originally wireguard does packet by packet encryption and decryption.
This patch adds burst mode for encryption and decryption packets. In
addition, it contains some performance improvement such as prefetching
packet header and reducing the number of current time function calls.
Type: improvement
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I04c7daa9b6dc56cd15c789661a64ec642b35aa3f
|
|
- change 'port' to 'dst-port' to make the input self-explanatory
- add empty spaces to short help
Type: fix
Signed-off-by: Miroslav Miklus <miroslav.miklus@pantheon.tech>
Change-Id: I74c783e6e8629e61b1c100e9355d09cf5e35a750
|
|
Originally handshake process gets pointer to value of index peer.
In the meantime this pointer can be invalid due to resize hash table
for wireguard and passed poison value to another function.
The fixes add local variable to keep index of peer instead of value
from pointer.
Type: fix
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I1b2535c44b4f987d19077c75c778aaa5ed71a457
|
|
Type: fix
Using the adjacency to modify the interface's feature arc doesn't work, since there are potentially more than one adj per-interface.
Instead have the interface, when it is created, register what the end node of the feature arc is. This end node is then also used as the interface's tx node (i.e. it is used as the adjacency's next-node).
rename adj-midhcain-tx as 'tunnel-output', that's a bit more intuitive.
There's also a fix in config string handling to:
1- prevent false sharing of strings when the end node of the arc is different.
2- call registered listeners when the end node is changed
For IPSec the consequences are that one cannot provide per-adjacency behaviour using different end-nodes - this was previously done for the no-SA and an SA with no protection. These cases are no handled in the esp-encrypt node.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: If3a83d03a3000f28820d9a9cb4101d244803d084
|
|
Originally wireguard implementation does memory copy of the whole
packet in encryption and decryption.
This patch removes unnecessary packet copy in wireguard. In addition,
it contains some performance improvement such as prefetching header
and deleting unnecessary lock and unlock for decryption.
Type: improvement
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I1fe8e54d749e6922465341083b448c842e2b670f
|
|
Run 'find src -executable -type f', remove unnecessary executable bits from the
source tree.
Type: refactor
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I070e22c8fb2ef8712bc3ea620727ee5ab3d9a9fb
|
|
Type: improvement
Change-Id: I7e821cce1feae229e1be4baeed249b9cca658135
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: fix
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I4450b8c8b50a3be8d6a399f6a58bc0e8eb500b28
|
|
we can receive events from peer about its state:
-WIREGUARD_PEER_STATUS_DEAD
-WIREGUARD_PEER_ESTABLISHED
Type: improvement
Change-Id: Ide83fbe2cfafa79ded5bcf3f6a884c26a7583db0
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
|
|
Type: improvement
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: If1a7e82ce163c4c4acaa5acf45ad2b88371396f6
|
|
now we can reuse udp-port for many wireguard interfaces
Type: improvement
Change-Id: I14b5a9dbe917d83300ccb4d6907743d88355e5c5
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
|
|
now we should add routes manually
Type: improvement
Change-Id: I877511a18854efdfad02939267d38a216b2ccec3
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
|
|
The removed code caused the feature to be wrongly removed on the wg
interface.
Type: fix
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
Change-Id: I998e01ec231527128eaeae78bcc7576ac00e5b12
|
|
Type: fix
Originally the decryption doesn't check the hmac for chacha20-poly1305.
This patch fixes the problem by adding flag to crypto op to check hmac.
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I63e06fc011b288b1c9dc1b96a92923f224ef656b
|
|
Type: improvement
Change-Id: I873a99c1258a97ed5ed195b9756e8302f865e7f0
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Mechanical change for patch following this one...
Type: improvement
Change-Id: Iee12f3a8851f35569e6c039494a94fc36e83d20f
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
- Generate copyright year and version
instead of using hard-coded data
Type: refactor
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I6058f5025323b3aa483f5df4a2c4371e27b5914e
|
|
VppTestCase now has vpp_worker_count property set to number of workers.
This can be overriden by child classes. Also overriden by
VPP_WORKER_CONFIG variable for legacy reasons.
Type: improvement
Change-Id: Ic328bacb9003ddf9e92815767653bd362aa7f086
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
explicit null dereferenced
Type: fix
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: Id1e4b0e048dbd0a68063c63374172ab6d3653aff
|
|
Type: refactor
This patch refactors the offload flags in vlib_buffer_t.
There are two main reasons behind this refactoring.
First, offload flags are insufficient to represent outer
and inner headers offloads. Second, room for these flags
in first cacheline of vlib_buffer_t is also limited.
This patch introduces a generic offload flag in first
cacheline. And detailed offload flags in 2nd cacheline
of the structure for performance optimization.
Change-Id: Icc363a142fb9208ec7113ab5bbfc8230181f6004
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Change-Id: I645bb0a31b333a6160c74987dddb3fb50ff154d8
Type: improvement
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
|
|
Type: docs
Change-Id: Ia541839e1f1ceddfae4579dece43b9cc820702e2
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit de569048a504cf211d80b86882e6781684301790)
|
|
Type: refactor
Change-Id: Ie67dc579e88132ddb1ee4a34cb69f96920101772
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
This allows using GSO with wireguard
Type: fix
Change-Id: Id00a1425f9d9412aca9f259beda55a46bf5595d7
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: feature
Change-Id: Iacb0da8bc738ed400678f9bb40e70e0031c6588e
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Id13f33843b230a1d169560742c4f7b2dc17d8718
|
|
Type: fix
Change-Id: I880bdd55ae5da0b9775a3fb548d44512348a7bc6
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Until the feature is configured. It would make sense to push more of
the feature init code into the newly-added wg_feature_init()
function. This patch fixes a severe hemorrhoid.
Type: improvement
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I87095575363baa41407dd52492159a7b8c2899e7
|
|
Type: style
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I26a19e42076e031ec5399d5ca05cb49fd6fbe1cd
|