opensourcemirror
/
WireGuard
mirror of https://git.zx2c4.com/WireGuard
1
0
Fork 0
Code Issues Releases Wiki Activity
WireGuard/src/socket.c

480 lines
13 KiB
C
Raw Blame History

/* Copyright 2015-2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */
#include "wireguard.h"
#include "socket.h"
#include "packets.h"
#include "messages.h"
#include <linux/net.h>
#include <linux/if_vlan.h>
#include <linux/if_ether.h>
#include <net/udp_tunnel.h>
#include <net/ipv6.h>
int socket_addr_from_skb(struct sockaddr_storage *sockaddr, struct sk_buff *skb)
{
struct iphdr *ip4;
struct ipv6hdr *ip6;
struct udphdr *udp;
struct sockaddr_in *addr4;
struct sockaddr_in6 *addr6;
addr4 = (struct sockaddr_in *)sockaddr;
addr6 = (struct sockaddr_in6 *)sockaddr;
ip4 = ip_hdr(skb);
ip6 = ipv6_hdr(skb);
udp = udp_hdr(skb);
if (ip4->version == 4) {
addr4->sin_family = AF_INET;
addr4->sin_port = udp->source;
addr4->sin_addr.s_addr = ip4->saddr;
} else if (ip4->version == 6) {
addr6->sin6_family = AF_INET6;
addr6->sin6_port = udp->source;
addr6->sin6_addr = ip6->saddr;
addr6->sin6_scope_id = ipv6_iface_scope_id(&ip6->saddr, skb->skb_iif);
/* TODO: addr6->sin6_flowinfo */
} else
return -EINVAL;
return 0;
}
static inline struct dst_entry *route(struct wireguard_device *wg, struct flowi4 *fl4, struct flowi6 *fl6, struct sockaddr_storage *addr, struct sock *sock4, struct sock *sock6)
{
struct dst_entry *dst = ERR_PTR(-EAFNOSUPPORT);
if (addr->ss_family == AF_INET) {
struct rtable *rt;
struct sockaddr_in *sin4 = (struct sockaddr_in *)addr;
if (unlikely(!sock4))
return ERR_PTR(-ENONET);
memset(fl4, 0, sizeof(struct flowi4));
fl4->daddr = sin4->sin_addr.s_addr;
fl4->fl4_dport = sin4->sin_port;
fl4->fl4_sport = htons(wg->incoming_port);
fl4->flowi4_proto = IPPROTO_UDP;
security_sk_classify_flow(sock4, flowi4_to_flowi(fl4));
rt = ip_route_output_flow(sock_net(sock4), fl4, sock4);
if (unlikely(IS_ERR(rt)))
dst = ERR_PTR(PTR_ERR(rt));
dst = &rt->dst;
} else if (addr->ss_family == AF_INET6) {
int ret;
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr;
if (unlikely(!sock6))
return ERR_PTR(-ENONET);
memset(fl6, 0, sizeof(struct flowi6));
fl6->daddr = sin6->sin6_addr;
fl6->fl6_dport = sin6->sin6_port;
fl6->fl6_sport = htons(wg->incoming_port);
fl6->flowi6_oif = sin6->sin6_scope_id;
fl6->flowi6_proto = IPPROTO_UDP;
/* TODO: addr6->sin6_flowinfo */
security_sk_classify_flow(sock6, flowi6_to_flowi(fl6));
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0)
ret = ipv6_stub->ipv6_dst_lookup(sock_net(sock6), sock6, &dst, fl6);
#else
ret = ipv6_stub->ipv6_dst_lookup(sock6, &dst, fl6);
#endif
if (unlikely(ret))
dst = ERR_PTR(ret);
}
return dst;
}
static inline int send(struct net_device *dev, struct sk_buff *skb, struct dst_entry *dst, struct flowi4 *fl4, struct flowi6 *fl6, struct sockaddr_storage *addr, struct sock *sock4, struct sock *sock6, u8 dscp)
{
int ret = -EAFNOSUPPORT;
skb->next = skb->prev = NULL;
skb->dev = dev;
if (addr->ss_family == AF_INET) {
if (unlikely(!sock4)) {
ret = -ENONET;
goto err;
}
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 5, 0)
ret = udp_tunnel_xmit_skb((struct rtable *)dst, sock4, skb,
fl4->saddr, fl4->daddr,
dscp, ip4_dst_hoplimit(dst), 0,
fl4->fl4_sport, fl4->fl4_dport,
false, false);
iptunnel_xmit_stats(ret, &dev->stats, dev->tstats);
return ret > 0 ? 0 : -ECOMM;
#else
udp_tunnel_xmit_skb((struct rtable *)dst, sock4, skb,
fl4->saddr, fl4->daddr,
dscp, ip4_dst_hoplimit(dst), 0,
fl4->fl4_sport, fl4->fl4_dport,
false, false);
return 0;
#endif
} else if (addr->ss_family == AF_INET6) {
if (unlikely(!sock6)) {
ret = -ENONET;
goto err;
}
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 5, 0)
return udp_tunnel6_xmit_skb(dst, sock6, skb, dev,
&fl6->saddr, &fl6->daddr,
dscp, ip6_dst_hoplimit(dst),
fl6->fl6_sport, fl6->fl6_dport,
false) == 0 ? 0 : -ECOMM;
#elif LINUX_VERSION_CODE < KERNEL_VERSION(4, 6, 0)
udp_tunnel6_xmit_skb(dst, sock6, skb, dev,
&fl6->saddr, &fl6->daddr,
dscp, ip6_dst_hoplimit(dst),
fl6->fl6_sport, fl6->fl6_dport,
false);
return 0;
#else
udp_tunnel6_xmit_skb(dst, sock6, skb, dev,
&fl6->saddr, &fl6->daddr,
dscp, ip6_dst_hoplimit(dst), 0,
fl6->fl6_sport, fl6->fl6_dport,
false);
return 0;
#endif
}
err:
kfree_skb(skb);
dst_release(dst);
return ret;
}
static inline void __socket_set_peer_dst(struct wireguard_peer *peer)
{
struct dst_entry *old_dst, *new_dst;
lockdep_assert_held(&peer->endpoint_lock);
old_dst = peer->endpoint_dst;
peer->endpoint_dst = NULL;
wmb();
if (old_dst)
dst_release(old_dst);
rcu_read_lock();
new_dst = route(peer->device, &peer->endpoint_flow.fl4, &peer->endpoint_flow.fl6, &peer->endpoint_addr, rcu_dereference(peer->device->sock4), rcu_dereference(peer->device->sock6));
rcu_read_unlock();
if (likely(!IS_ERR(new_dst))) {
peer->endpoint_dst = new_dst;
wmb();
}
}
void socket_set_peer_dst(struct wireguard_peer *peer)
{
write_lock_bh(&peer->endpoint_lock);
__socket_set_peer_dst(peer);
write_unlock_bh(&peer->endpoint_lock);
}
void socket_set_peer_addr(struct wireguard_peer *peer, struct sockaddr_storage *sockaddr)
{
if (sockaddr->ss_family == AF_INET) {
read_lock_bh(&peer->endpoint_lock);
if (!memcmp(sockaddr, &peer->endpoint_addr, sizeof(struct sockaddr_in)))
goto out;
read_unlock_bh(&peer->endpoint_lock);
write_lock_bh(&peer->endpoint_lock);
memcpy(&peer->endpoint_addr, sockaddr, sizeof(struct sockaddr_in));
} else if (sockaddr->ss_family == AF_INET6) {
read_lock_bh(&peer->endpoint_lock);
if (!memcmp(sockaddr, &peer->endpoint_addr, sizeof(struct sockaddr_in6)))
goto out;
read_unlock_bh(&peer->endpoint_lock);
write_lock_bh(&peer->endpoint_lock);
memcpy(&peer->endpoint_addr, sockaddr, sizeof(struct sockaddr_in6));
} else
return;
__socket_set_peer_dst(peer);
write_unlock_bh(&peer->endpoint_lock);
return;
out:
read_unlock_bh(&peer->endpoint_lock);
}
static inline struct dst_entry *peer_dst_get(struct wireguard_peer *peer)
{
struct dst_entry *dst = NULL;
read_lock_bh(&peer->endpoint_lock);
if (!peer->endpoint_dst || (peer->endpoint_dst->obsolete && !peer->endpoint_dst->ops->check(peer->endpoint_dst, 0))) {
read_unlock_bh(&peer->endpoint_lock);
socket_set_peer_dst(peer);
read_lock_bh(&peer->endpoint_lock);
if (!peer->endpoint_dst)
goto out;
}
if (!atomic_inc_not_zero(&peer->endpoint_dst->__refcnt))
goto out;
dst = peer->endpoint_dst;
out:
read_unlock_bh(&peer->endpoint_lock);
return dst;
}
int socket_send_skb_to_peer(struct wireguard_peer *peer, struct sk_buff *skb, u8 dscp)
{
struct net_device *dev = netdev_pub(peer->device);
struct dst_entry *dst;
size_t skb_len = skb->len;
int ret = 0;
dst = peer_dst_get(peer);
if (unlikely(!dst)) {
net_dbg_ratelimited("No route to %pISpfsc for peer %Lu\n", &peer->endpoint_addr, peer->internal_id);
kfree_skb(skb);
return -EHOSTUNREACH;
} else if (unlikely(dst->dev == dev)) {
net_dbg_ratelimited("Avoiding routing loop to %pISpfsc for peer %Lu\n", &peer->endpoint_addr, peer->internal_id);
kfree_skb(skb);
return -ELOOP;
}
rcu_read_lock();
read_lock_bh(&peer->endpoint_lock);
ret = send(dev, skb, dst, &peer->endpoint_flow.fl4, &peer->endpoint_flow.fl6, &peer->endpoint_addr, rcu_dereference(peer->device->sock4), rcu_dereference(peer->device->sock6), dscp);
if (!ret)
peer->tx_bytes += skb_len;
read_unlock_bh(&peer->endpoint_lock);
rcu_read_unlock();
return ret;
}
int socket_send_buffer_to_peer(struct wireguard_peer *peer, void *buffer, size_t len, u8 dscp)
{
struct sk_buff *skb = alloc_skb(len + SKB_HEADER_LEN, GFP_ATOMIC);
if (!skb)
return -ENOMEM;
skb_reserve(skb, SKB_HEADER_LEN);
memcpy(skb_put(skb, len), buffer, len);
return socket_send_skb_to_peer(peer, skb, dscp);
}
static int send_to_sockaddr(struct sk_buff *skb, struct wireguard_device *wg, struct sockaddr_storage *addr, struct sock *sock4, struct sock *sock6)
{
struct dst_entry *dst;
struct net_device *dev = netdev_pub(wg);
union {
struct flowi4 fl4;
struct flowi6 fl6;
} fl;
dst = route(wg, &fl.fl4, &fl.fl6, addr, sock4, sock6);
if (IS_ERR(dst)) {
net_dbg_ratelimited("No route to %pISpfsc\n", addr);
kfree_skb(skb);
return PTR_ERR(dst);
} else if (unlikely(dst->dev == netdev_pub(wg))) {
net_dbg_ratelimited("Avoiding routing loop to %pISpfsc\n", addr);
dst_release(dst);
kfree_skb(skb);
return -ELOOP;
}
return send(dev, skb, dst, &fl.fl4, &fl.fl6, addr, sock4, sock6, 0);
}
int socket_send_buffer_as_reply_to_skb(struct sk_buff *in_skb, void *out_buffer, size_t len, struct wireguard_device *wg)
{
int ret = 0;
struct sk_buff *skb;
struct sockaddr_storage addr = { 0 };
if (unlikely(!in_skb))
return -EINVAL;
ret = socket_addr_from_skb(&addr, in_skb);
if (ret < 0)
return ret;
skb = alloc_skb(len + SKB_HEADER_LEN, GFP_ATOMIC);
if (!skb)
return -ENOMEM;
skb_reserve(skb, SKB_HEADER_LEN);
memcpy(skb_put(skb, len), out_buffer, len);
rcu_read_lock();
ret = send_to_sockaddr(skb, wg, &addr, rcu_dereference(wg->sock4), rcu_dereference(wg->sock6));
rcu_read_unlock();
return ret;
}
static int receive(struct sock *sk, struct sk_buff *skb)
{
struct wireguard_device *wg;
if (unlikely(!sk))
goto err;
wg = sk->sk_user_data;
if (unlikely(!wg))
goto err;
packet_receive(wg, skb);
return 0;
err:
kfree_skb(skb);
return 0;
}
/* Generates a default port from the interface name.
* wg0 --> 51820
* wg1 --> 51821
* wg2 --> 51822
* wg100 --> 51920
* wg60000 --> 46285
* blahbla --> 51820
* 50 --> 51870
*/
static uint16_t generate_default_incoming_port(struct wireguard_device *wg)
{
uint16_t port = 51820;
unsigned long parsed;
char *name, *digit_begin;
size_t len;
ASSERT_RTNL();
name = netdev_pub(wg)->name;
len = strlen(name);
if (!len)
return port;
digit_begin = name + len - 1;
while (digit_begin >= name) {
if (*digit_begin >= '0' && *digit_begin <= '9')
--digit_begin;
else
break;
}
++digit_begin;
if (!*digit_begin)
return port;
if (!kstrtoul(digit_begin, 10, &parsed))
port += parsed;
if (!port)
++port;
return port;
}
static inline void sock_free(struct sock *sock)
{
if (unlikely(!sock))
return;
sk_clear_memalloc(sock);
udp_tunnel_sock_release(sock->sk_socket);
}
static inline void set_sock_opts(struct socket *sock)
{
sock->sk->sk_allocation = GFP_ATOMIC;
sock->sk->sk_sndbuf = INT_MAX;
sk_set_memalloc(sock->sk);
}
int socket_init(struct wireguard_device *wg)
{
struct udp_port_cfg port4 = {
.family = AF_INET,
.local_ip.s_addr = htonl(INADDR_ANY),
.use_udp_checksums = true
};
struct udp_port_cfg port6 = {
.family = AF_INET6,
.local_ip6 = IN6ADDR_ANY_INIT,
.use_udp6_tx_checksums = true,
.use_udp6_rx_checksums = true,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0)
.ipv6_v6only = true
#endif
};
struct udp_tunnel_sock_cfg cfg = {
.sk_user_data = wg,
.encap_type = 1,
.encap_rcv = receive
};
int ret = 0;
struct socket *new4 = NULL, *new6 = NULL;
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 3, 0)
int old_bindv6only;
#endif
mutex_lock(&wg->socket_update_lock);
if (rcu_dereference_protected(wg->sock4, lockdep_is_held(&wg->socket_update_lock)) ||
rcu_dereference_protected(wg->sock6, lockdep_is_held(&wg->socket_update_lock))) {
ret = -EADDRINUSE;
goto out;
}
if (!wg->incoming_port)
wg->incoming_port = generate_default_incoming_port(wg);
port4.local_udp_port = port6.local_udp_port = htons(wg->incoming_port);
ret = udp_sock_create(wg->creating_net, &port4, &new4);
if (ret < 0) {
pr_err("Could not create outgoing IPv4 socket\n");
goto out;
}
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 3, 0)
/* Since udp_port_cfg only learned of ipv6_v6only in 4.3, we do this horrible
* hack here and set the sysctl variable temporarily to something that will
* set the right option for us in sock_create. It's super racey! */
old_bindv6only = wg->creating_net->ipv6.sysctl.bindv6only;
wg->creating_net->ipv6.sysctl.bindv6only = 1;
#endif
ret = udp_sock_create(wg->creating_net, &port6, &new6);
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 3, 0)
wg->creating_net->ipv6.sysctl.bindv6only = old_bindv6only;
#endif
if (ret < 0) {
pr_err("Could not create outgoing IPv6 socket\n");
udp_tunnel_sock_release(new4);
goto out;
}
set_sock_opts(new4);
set_sock_opts(new6);
setup_udp_tunnel_sock(wg->creating_net, new4, &cfg);
setup_udp_tunnel_sock(wg->creating_net, new6, &cfg);
rcu_assign_pointer(wg->sock4, new4->sk);
rcu_assign_pointer(wg->sock6, new6->sk);
out:
mutex_unlock(&wg->socket_update_lock);
return ret;
}
void socket_uninit(struct wireguard_device *wg)
{
struct sock *old4, *old6;
mutex_lock(&wg->socket_update_lock);
old4 = rcu_dereference_protected(wg->sock4, lockdep_is_held(&wg->socket_update_lock));
old6 = rcu_dereference_protected(wg->sock6, lockdep_is_held(&wg->socket_update_lock));
rcu_assign_pointer(wg->sock4, NULL);
rcu_assign_pointer(wg->sock6, NULL);
mutex_unlock(&wg->socket_update_lock);
synchronize_rcu();
sock_free(old4);
sock_free(old6);
}
Reference in New Issue View Git Blame Copy Permalink