/* vector of interfaces key'd on their UDP port (in network order) */
index_t **wg_if_indexes_by_port;
+/* pool of ratelimit entries */
+static ratelimit_entry_t *wg_ratelimit_pool;
+
static u8 *
format_wg_if_name (u8 * s, va_list * args)
{
u32 dev_instance = va_arg (*args, u32);
- return format (s, "wg%d", dev_instance);
+ wg_if_t *wgi = wg_if_get (dev_instance);
+ return format (s, "wg%d", wgi->user_instance);
}
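Review bot: The new body of format_wg_if_name dereferences `wgi->user_instance` without checking the result of `wg_if_get (dev_instance)`; the old code only printed the index and could not fault. If wg_if_get can return NULL for an invalid or freed index (it appears to be a pool lookup, so this depends on its implementation), a stale dev_instance reaching this formatter crashes the process from a logging/CLI path. A defensive form that keeps the old output as fallback is `return format (s, "wg%d", wgi ? wgi->user_instance : dev_instance);`.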
u8 *
noise_local_t *local = noise_local_get (wgi->local_idx);
u8 key[NOISE_KEY_LEN_BASE64];
-
s = format (s, "[%d] %U src:%U port:%d",
wgii,
format_vnet_sw_if_index_name, vnet_get_main (),
{
index_t wgii;
+ /* Convert any neighbour adjacency that has a next-hop reachable through
+ * the wg interface into a midchain. This is to avoid sending ARP/ND to
+ * resolve the next-hop address via the wg interface. Then, if one of the
+ * peers has matching prefix among allowed prefixes, the midchain will be
+ * updated to the corresponding one.
+ */
+ adj_nbr_midchain_update_rewrite (ai, NULL, NULL, ADJ_FLAG_NONE, NULL);
+
wgii = wg_if_find_by_sw_if_index (sw_if_index);
wg_if_peer_walk (wg_if_get (wgii), wg_peer_if_adj_change, &ai);
}
return VNET_API_ERROR_INVALID_REGISTRATION;
}
- pool_get (wg_if_pool, wg_if);
+ pool_get_zero (wg_if_pool, wg_if);
/* tunnel index (or instance) */
u32 t_idx = wg_if - wg_if_pool;
vec_validate_init_empty (wg_if_indexes_by_port, port, NULL);
if (vec_len (wg_if_indexes_by_port[port]) == 0)
- udp_register_dst_port (vlib_get_main (), port, wg_input_node.index, 1);
+ {
+ udp_register_dst_port (vlib_get_main (), port, wg4_input_node.index,
+ UDP_IP4);
+ udp_register_dst_port (vlib_get_main (), port, wg6_input_node.index,
+ UDP_IP6);
+ }
vec_add1 (wg_if_indexes_by_port[port], t_idx);
wg_if->port = port;
wg_if->local_idx = local - noise_local_pool;
+ cookie_checker_init (&wg_if->cookie_checker, wg_ratelimit_pool);
cookie_checker_update (&wg_if->cookie_checker, local->l_public);
hw_if_index = vnet_register_interface (vnm,
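Review bot: `cookie_checker_init (&wg_if->cookie_checker, wg_ratelimit_pool)` hands the checker the current base pointer of a static pool whose allocation is not visible in this hunk. If the checker retains that pointer and the pool is ever grown with pool_get after interfaces exist, the vector may be reallocated and every existing checker keeps a dangling pointer into the rate-limit state. I would either document at the pool declaration that it is sized once at init and never grown, or have the checker take the pool's address and re-read the base on each use. The enclosing wg_if_create continues past this hunk, so the initialisation of wg_ratelimit_pool may well be handled elsewhere; worth confirming.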
ip_address_copy (&wg_if->src_ip, src_ip);
wg_if->sw_if_index = *sw_if_indexp = hi->sw_if_index;
+ vnet_set_interface_l3_output_node (vnm->vlib_main, hi->sw_if_index,
+ (u8 *) "tunnel-output");
return 0;
}
// Remove peers before interface deletion
wg_if_peer_walk (wg_if, wg_peer_if_delete, NULL);
+ hash_free (wg_if->peers);
+
index_t *ii;
index_t *ifs = wg_if_indexes_get_by_port (wg_if->port);
vec_foreach (ii, ifs)
}
}
if (vec_len (ifs) == 0)
- udp_unregister_dst_port (vlib_get_main (), wg_if->port, 1);
+ {
+ udp_unregister_dst_port (vlib_get_main (), wg_if->port, 1);
+ udp_unregister_dst_port (vlib_get_main (), wg_if->port, 0);
+ }
+ cookie_checker_deinit (&wg_if->cookie_checker);
+
+ vnet_reset_interface_l3_output_node (vnm->vlib_main, sw_if_index);
vnet_delete_hw_interface (vnm, hw->hw_if_index);
pool_put_index (noise_local_pool, wg_if->local_idx);
pool_put (wg_if_pool, wg_if);
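Review bot: The two `udp_unregister_dst_port` calls pass the address-family as bare `1` and `0`, while the matching registration in wg_if_create now uses `UDP_IP4` and `UDP_IP6`; a mismatch here would leave one family's port registered after the interface is gone. Use the same symbols so the pairing is checkable by eye: `udp_unregister_dst_port (vlib_get_main (), wg_if->port, UDP_IP4);` and `udp_unregister_dst_port (vlib_get_main (), wg_if->port, UDP_IP6);` (the page shows `1` was the old ip4 value; the `0` to `UDP_IP6` mapping should be confirmed against the udp header). The enclosing wg_if_delete starts before this hunk.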
hash_set (wgi->peers, peeri, peeri);
if (1 == hash_elts (wgi->peers))
- vnet_feature_enable_disable ("ip4-output", "wg-output-tun",
- wgi->sw_if_index, 1, 0, 0);
+ {
+ vnet_feature_enable_disable ("ip4-output", "wg4-output-tun",
+ wgi->sw_if_index, 1, 0, 0);
+ vnet_feature_enable_disable ("ip6-output", "wg6-output-tun",
+ wgi->sw_if_index, 1, 0, 0);
+ }
}
void
hash_unset (wgi->peers, peeri);
if (0 == hash_elts (wgi->peers))
- vnet_feature_enable_disable ("ip4-output", "wg-output-tun",
- wgi->sw_if_index, 0, 0, 0);
+ {
+ vnet_feature_enable_disable ("ip4-output", "wg4-output-tun",
+ wgi->sw_if_index, 0, 0, 0);
+ vnet_feature_enable_disable ("ip6-output", "wg6-output-tun",
+ wgi->sw_if_index, 0, 0, 0);
+ }
}
void