From ce91af8ad27e5ddef1e1f8316129bfcaa3de9ef6 Mon Sep 17 00:00:00 2001
From: Alexander Chernavin
Date: Wed, 20 Jul 2022 12:43:42 +0000
Subject: wireguard: add dos mitigation support

Type: feature

With this change:
- if the number of received handshake messages exceeds the limit calculated based on the peers number, under load state will activate;
- if being under load a handshake message with a valid mac1 is received, but mac2 is invalid, a cookie reply will be sent.

Also, cover these with tests.

Signed-off-by: Alexander Chernavin
Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
---
 src/plugins/wireguard/wireguard_if.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'src/plugins/wireguard/wireguard_if.c')

diff --git a/src/plugins/wireguard/wireguard_if.c b/src/plugins/wireguard/wireguard_if.c
index fd123471a8c..c4199d23354 100644
--- a/src/plugins/wireguard/wireguard_if.c
+++ b/src/plugins/wireguard/wireguard_if.c
@@ -287,7 +287,7 @@ wg_if_create (u32 user_instance,
       return VNET_API_ERROR_INVALID_REGISTRATION;
     }
 
-  pool_get (wg_if_pool, wg_if);
+  pool_get_zero (wg_if_pool, wg_if);
 
   /* tunnel index (or instance) */
   u32 t_idx = wg_if - wg_if_pool;
@@ -354,6 +354,8 @@ wg_if_delete (u32 sw_if_index)
   // Remove peers before interface deletion
   wg_if_peer_walk (wg_if, wg_peer_if_delete, NULL);
 
+  hash_free (wg_if->peers);
+
   index_t *ii;
   index_t *ifs = wg_if_indexes_get_by_port (wg_if->port);
   vec_foreach (ii, ifs)
-- cgit 1.2.3-korg
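Review bot: The switch from `pool_get` to `pool_get_zero` in wg_if_create is not explained at the call site, and nothing in the hunk shows which member needed the zeroing, so a later reader may well revert it to the cheaper form. Because `pool_get` can hand back a recycled slot, the zeroing is what keeps a new interface from inheriting state left behind by a deleted one; a one-line comment would pin that down, e.g. `/* zeroed: a recycled pool slot must not inherit state (e.g. the peers hash) from a deleted interface */`. Which member actually motivated the change cannot be confirmed from this hunk, since the struct definition and the rest of wg_if_create, before and after these lines, are outside it.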
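Review bot: `hash_free (wg_if->peers);` in wg_if_delete is correctly placed after the peer walk that removes the peers, but the hunk leaves no record of why the hash is released here, and the commit message, which is about DoS mitigation, does not mention it at all; this reads as a separate leak fix riding along with the feature. If VPP's `hash_free` macro assigns its result back to `wg_if->peers` and tolerates a NULL hash (I believe both hold, but that is not visible here), the slot is left without a dangling pointer, which is worth stating: `/* peers are gone; release the lookup hash so the recycled slot does not leak it */`. wg_if_delete continues outside the hunk, so whether anything still reads `wg_if->peers` between this line and the slot's release cannot be confirmed from here.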