Age | Commit message (Collapse) | Author | Files | Lines |
|
We cannot confidently say that if we have received and processed
the handshake_initiation message, then the connection has been established.
Because we also send a response.
The fact that the connection is established can only be considered if a keepalive packet was received.
Type: fix
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I61731916071990f28cdebcd1d0e4d302fa1dee15
|
|
After creating a peer, we send a handshake request. But it's not quite right
to call wg_send_keepalive() directly.
According to documentation, handshake initiation is sent after (REKEY_TIMEOUT + jitter) ms.
Since it's the first one - we don't need to take REKEY_TIMEOUT into account,
but we still have jitter.
It also makes no sense to immediately send keepalives,
because the connection is not created yet.
Type: fix
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I61707e4be79be65abc3396b5f1dbd48ecbf7ba60
|
|
Type: fix
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I477e92712e441c91789afdf9be389d967acfa799
|
|
Type: test
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I3a53d57e42f4c1f5ba0de6d2b181c7f2ad083a3a
|
|
Type: test
"test_wg_handshake_ratelimiting_multi_peer" has been unstable recently
because the test strongly relies on execution speed. Currently, the test
triggers ratelimiting for peer 1 and sends handshake initiations from
peer 1 and 2 mixed up. After that, the test expects that all handshake
initiations for peer 1 are ratelimited and a handshake response for peer
2 is received.
Ratelimiting is based on the token bucket algorithm. The more time
passes between triggering ratelimiting for peer 1 and sending a mixture
of handshake initiations from peer 1 and 2, the more tokens will be
added into the bucket for peer 1. Depending on delays between these
steps, the number of tokens might be enough to process handshake
initiations from peer 1 while they are expected to be rejected due to
ratelimiting.
With this change, these two steps are combined into one and the logic
modified. The test triggers ratelimiting for both peer 1 and 2. Packets
that trigger ratelimiting and that are to be rejected are sent in one
batch that is going to reduce delays between packet processing. Also,
verify that number of rejected handshake messages is in expected range
instead of verifying the exact number as it still may slightly vary.
Also, this should finish making the wireguard tests stable on Ubuntu
22.04 and Debian 11.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I3407d15abe1356dde23a241ac3650e84401c9802
|
|
Type: fix
Currently, when a wg interface is administratively disabled initially or
during operation, handshake packets continue to be sent. Data packets
stop being sent because routes pointing to the wg interface will not be
used. But data keys remain.
With this fix, when a wg interface is administratively disabled during
peer creation, avoid connection initialization to the peer. Data keys
and timers should be empty at this point. When a wg interface is
disabled during operation, disable all peers (i.e. stop all timers,
clear data keys, etc.). Thus, state should be identical in both cases.
When a wg interface is administratively enabled, enable all peers (i.e.
get ready to exchange data packets and initiate a connection). Also,
cover these scenarios with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ie9a620077e55d519d21b0abc8c0d3c87b378bca3
|
|
Type: fix
As per the protocol:
A handshake initiation is retried after "REKEY_TIMEOUT + jitter" ms,
if a response has not been received...
Currently, if retransmit handshake timer is started, it will trigger
after "REKEY_TIMEOUT + jitter" ms and will try to send a handshake
initiation via wg_send_handshake() given that no responses have been
received. wg_send_handshake() will verify that time stored in
REKEY_TIMEOUT has passed since last handshake initiation sending and if
has, will send a handshake initiation. Time when a handshake initiation
was last sent is stored in last_sent_handshake.
The problem is that last_sent_handshake is not only updated in
wg_send_handshake() when sending handshake initiations but also in
wg_send_handshake_response() when sending handshake responses. When
retransmit handshake timer triggers and a handshake response has been
sent recently, a handshake initiation will not be sent because for
wg_send_handshake() it will look like that time stored in REKEY_TIMEOUT
has not passed yet. Also, the timer will not be restarted.
wg_send_handshake_response() must not update last_sent_handshake,
because this time is used only when sending handshake intitiations. And
the protocol does not say that handshake initiation retransmission and
handshake response sending (i.e. replying to authenticated handshake
initiations) must coordinate.
With this fix, stop updating last_sent_handshake in
wg_send_handshake_response().
Also, this fixes tests that used to wait for "REKEY_TIMEOUT + 1" seconds
and did not receive any handshake initiations. Then they fail.
Also, long-running tests that send wrong packets and do not expect
anything in reply may now receive handshake intiations, consider them as
replies to the wrond packets, and fail. Those are updated to filter out
handshake initiations in such verifications. Moreover, after sending
wrong packets, error counters are already inspected there to confirm
packet processing was unsuccessful.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I43c428c97ce06cb8a79d239453cb5f6d1ed609d6
|
|
Type: test
Change-Id: I7b2314a731c83b3dcd69c999edb8ebed53839724
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Type: fix
After peers roaming support addition, FIB entry tracking stopped
working. For example, it can be observed when an adjacency is stacked on
a FIB entry by the plugin and the FIB entry hasn't got ARP resolution
yet. Once the FIB entry gets ARP resolution, the adjacency is not
re-stacked as it used to. This results in endless ARP requests when a
traffic is sent via the adjacency.
This is broken because the plugin stopped using "midchain delegate" with
peers roaming support addition. The reason is that "midchain delegate"
didn't support stacking on a different FIB entry which is needed when
peer's endpoint changes. Now it is supported there (added in 36892).
With this fix, start using "midchane delegate" again and thus, fix FIB
entry tracking. Also, cover this in tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Iea91f38739ab129e601fd6567b52565dbd649371
|
|
Type: feature
With this change, peers are able to roam between different external
endpoints. Successfully authenticated handshake or data packet that is
received from a new endpoint will cause the peer's endpoint to be
updated accordingly.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ib4eb7dfa3403f3fb9e8bbe19ba6237c4960c764c
|
|
Type: feature
With this change, if being under load a handshake message with both
valid mac1 and mac2 is received, the peer will be rate limited. Cover
this with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Id8d58bb293a7975c3d922c48b4948fd25e20af4b
|
|
Type: feature
With this change:
- if the number of received handshake messages exceeds the limit
calculated based on the peers number, under load state will activate;
- if being under load a handshake message with a valid mac1 is
received, but mac2 is invalid, a cookie reply will be sent.
Also, cover these with tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
|
|
Type: feature
Currently, if a handshake message is sent and a cookie message is
received in reply, the cookie message will be ignored. Thus, further
handshake messages will not have valid mac2 and handshake will not be
able to be completed.
With this change, process received cookie messages to be able to
calculate mac2 for further handshake messages sent. Cover this with
tests.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I6d51459778b7145be7077badec479b2aa85960b9
|
|
Type: fix
Currently, neighbor adjacencies on a wg interface are converted into a
midchain only if one of the peers has a matching allowed prefix
configured. If create a route that goes through a wg interface but the
next-hop address does not match any allowed prefixes, an ARP/ND request
will try to be sent via the wg interface to resolve the next-hop address
when matching traffic occurs. And sending an ARP request will cause VPP
to crash while copying hardware address of the wg interface which is
NULL. Sending an ND message will not cause VPP to crash but the error
logged will be unclear (no source address).
With this fix, convert all neighbor adjacencies on a wg interface into a
midchain and update tests to cover the case. If there is no matching
allowed prefix configured, traffic going such routes will be dropped
because of "Peer error". No changes if there is matching allowed prefix
configured.
Also, fix getting peer by adjacency index.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I15bc1e1f83de719e97edf3f7210a5359a35bddbd
|
|
Drop pycodestyle for code style checking in favor of black. Black is
much faster, stable PEP8 compliant code style checker offering also
automatic formatting. It aims to be very stable and produce smallest
diffs. It's used by many small and big projects.
Running checkstyle with black takes a few seconds with a terse output.
Thus, test-checkstyle-diff is no longer necessary.
Expand scope of checkstyle to all python files in the repo, replacing
test-checkstyle with checkstyle-python.
Also, fixstyle-python is now available for automatic style formatting.
Note: python virtualenv has been consolidated in test/Makefile,
test/requirements*.txt which will eventually be moved to a central
location. This is required to simply the automated generation of
docker executor images in the CI.
Type: improvement
Change-Id: I022a326603485f58585e879ac0f697fceefbc9c8
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Run 'find src -executable -type f', remove unnecessary executable bits from the
source tree.
Type: refactor
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I070e22c8fb2ef8712bc3ea620727ee5ab3d9a9fb
|
|
we can receive events from peer about its state:
-WIREGUARD_PEER_STATUS_DEAD
-WIREGUARD_PEER_ESTABLISHED
Type: improvement
Change-Id: Ide83fbe2cfafa79ded5bcf3f6a884c26a7583db0
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
|
|
Type: improvement
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: If1a7e82ce163c4c4acaa5acf45ad2b88371396f6
|
|
now we can reuse udp-port for many wireguard interfaces
Type: improvement
Change-Id: I14b5a9dbe917d83300ccb4d6907743d88355e5c5
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
|
|
now we should add routes manually
Type: improvement
Change-Id: I877511a18854efdfad02939267d38a216b2ccec3
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
|
|
- Generate copyright year and version
instead of using hard-coded data
Type: refactor
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I6058f5025323b3aa483f5df4a2c4371e27b5914e
|