ipsec: huge anti-replay window support

[vpp.git] / src / plugins / wireguard / wireguard_if.c

diff --git a/src/plugins/wireguard/wireguard_if.c b/src/plugins/wireguard/wireguard_if.c
index ad8f42c..ee744e7 100644 (file)
--- a/src/plugins/wireguard/wireguard_if.c
+++ b/src/plugins/wireguard/wireguard_if.c
@@ -34,11 +34,15 @@ static index_t *wg_if_index_by_sw_if_index;
 /* vector of interfaces key'd on their UDP port (in network order) */
 index_t **wg_if_indexes_by_port;
 
+/* pool of ratelimit entries */
+static ratelimit_entry_t *wg_ratelimit_pool;
+
 static u8 *
 format_wg_if_name (u8 * s, va_list * args)
 {
   u32 dev_instance = va_arg (*args, u32);
-  return format (s, "wg%d", dev_instance);
+  wg_if_t *wgi = wg_if_get (dev_instance);
+  return format (s, "wg%d", wgi->user_instance);
 }
 
 u8 *
@@ -112,20 +116,20 @@ wg_remote_get (const uint8_t public[NOISE_PUBLIC_KEY_LEN])
 }
 
 static uint32_t
-wg_index_set (noise_remote_t * remote)
+wg_index_set (vlib_main_t *vm, noise_remote_t *remote)
 {
   wg_main_t *wmp = &wg_main;
   u32 rnd_seed = (u32) (vlib_time_now (wmp->vlib_main) * 1e6);
   u32 ret =
-    wg_index_table_add (&wmp->index_table, remote->r_peer_idx, rnd_seed);
+    wg_index_table_add (vm, &wmp->index_table, remote->r_peer_idx, rnd_seed);
   return ret;
 }
 
 static void
-wg_index_drop (uint32_t key)
+wg_index_drop (vlib_main_t *vm, uint32_t key)
 {
   wg_main_t *wmp = &wg_main;
-  wg_index_table_del (&wmp->index_table, key);
+  wg_index_table_del (vm, &wmp->index_table, key);
 }
 
 static clib_error_t *
@@ -152,6 +156,14 @@ wg_if_update_adj (vnet_main_t * vnm, u32 sw_if_index, adj_index_t ai)
 {
   index_t wgii;
 
+  /* Convert any neighbour adjacency that has a next-hop reachable through
+   * the wg interface into a midchain. This is to avoid sending ARP/ND to
+   * resolve the next-hop address via the wg interface. Then, if one of the
+   * peers has matching prefix among allowed prefixes, the midchain will be
+   * updated to the corresponding one.
+   */
+  adj_nbr_midchain_update_rewrite (ai, NULL, NULL, ADJ_FLAG_NONE, NULL);
+
   wgii = wg_if_find_by_sw_if_index (sw_if_index);
   wg_if_peer_walk (wg_if_get (wgii), wg_peer_if_adj_change, &ai);
 }
@@ -278,7 +290,7 @@ wg_if_create (u32 user_instance,
       return VNET_API_ERROR_INVALID_REGISTRATION;
     }
 
-  pool_get (wg_if_pool, wg_if);
+  pool_get_zero (wg_if_pool, wg_if);
 
   /* tunnel index (or instance) */
   u32 t_idx = wg_if - wg_if_pool;
@@ -300,6 +312,7 @@ wg_if_create (u32 user_instance,
 
   wg_if->port = port;
   wg_if->local_idx = local - noise_local_pool;
+  cookie_checker_init (&wg_if->cookie_checker, wg_ratelimit_pool);
   cookie_checker_update (&wg_if->cookie_checker, local->l_public);
 
   hw_if_index = vnet_register_interface (vnm,
@@ -315,6 +328,8 @@ wg_if_create (u32 user_instance,
 
   ip_address_copy (&wg_if->src_ip, src_ip);
   wg_if->sw_if_index = *sw_if_indexp = hi->sw_if_index;
+  vnet_set_interface_l3_output_node (vnm->vlib_main, hi->sw_if_index,
+                                    (u8 *) "tunnel-output");
 
   return 0;
 }
@@ -343,6 +358,8 @@ wg_if_delete (u32 sw_if_index)
   // Remove peers before interface deletion
   wg_if_peer_walk (wg_if, wg_peer_if_delete, NULL);
 
+  hash_free (wg_if->peers);
+
   index_t *ii;
   index_t *ifs = wg_if_indexes_get_by_port (wg_if->port);
   vec_foreach (ii, ifs)
@@ -359,6 +376,9 @@ wg_if_delete (u32 sw_if_index)
       udp_unregister_dst_port (vlib_get_main (), wg_if->port, 0);
     }
 
+  cookie_checker_deinit (&wg_if->cookie_checker);
+
+  vnet_reset_interface_l3_output_node (vnm->vlib_main, sw_if_index);
   vnet_delete_hw_interface (vnm, hw->hw_if_index);
   pool_put_index (noise_local_pool, wg_if->local_idx);
   pool_put (wg_if_pool, wg_if);