X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Fwireguard%2Fwireguard_peer.c;h=589f71272f6d6989c848dcb516758bca46f4b124;hb=ce91af8ad;hp=5e2011b401ed2dcc13599d7609fde4e36166ba7e;hpb=de3caf37c64431c199fe649256b268010ce6a4f3;p=vpp.git
diff --git a/src/plugins/wireguard/wireguard_peer.c b/src/plugins/wireguard/wireguard_peer.c
index 5e2011b401e..589f71272f6 100644
--- a/src/plugins/wireguard/wireguard_peer.c
+++ b/src/plugins/wireguard/wireguard_peer.c
@@ -22,6 +22,7 @@
 #include
 #include
 #include
+#include
 wg_peer_t *wg_peer_pool;
@@ -45,7 +46,10 @@ wg_peer_endpoint_init (wg_peer_endpoint_t *ep, const ip46_address_t *addr,
 static void
 wg_peer_clear (vlib_main_t * vm, wg_peer_t * peer)
 {
+  index_t perri = peer - wg_peer_pool;
   wg_timers_stop (peer);
+  wg_peer_update_flags (perri, WG_PEER_ESTABLISHED, false);
+  wg_peer_update_flags (perri, WG_PEER_STATUS_DEAD, true);
   for (int i = 0; i < WG_N_TIMERS; i++)
     {
       peer->timers[i] = ~0;
@@ -79,7 +83,6 @@ wg_peer_clear (vlib_main_t * vm, wg_peer_t * peer)
   peer->new_handshake_interval_tick = 0;
   peer->rehandshake_interval_tick = 0;
   peer->timer_need_another_keepalive = false;
-  peer->is_dead = true;
   vec_free (peer->allowed_ips);
   vec_free (peer->adj_indices);
 }
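Review bot: The two `wg_peer_update_flags` calls added at the top of wg_peer_clear read `peer->flags` before anything visible in this change has initialised it on the wg_peer_init path, where wg_peer_clear is the first thing to touch the element after the hash and api_clients are set; unless the caller obtains the element with a zeroing allocator (not visible here), the first `peer->flags & flag` test is on an indeterminate value and can either skip the DEAD transition or emit an API event for a peer that does not exist yet from the API's point of view. Adding `peer->flags = 0;` in wg_peer_init before `wg_peer_clear (vm, peer);` makes the initial state explicit regardless of how the element was allocated. Note also that wg_peer_clear may now emit up to two API events per call, which it did not before, so any caller that clears as part of re-initialisation will surface ESTABLISHED-cleared and DEAD events for the same peer. wg_peer_clear continues past the end of this hunk.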
@@ -87,45 +90,26 @@ wg_peer_clear (vlib_main_t * vm, wg_peer_t * peer)
 static void
 wg_peer_init (vlib_main_t * vm, wg_peer_t * peer)
 {
+  peer->api_client_by_client_index = hash_create (0, sizeof (u32));
+  peer->api_clients = NULL;
   wg_peer_clear (vm, peer);
 }
-static u8 *
-wg_peer_build_rewrite (const wg_peer_t * peer)
-{
-  // v4 only for now
-  ip4_udp_header_t *hdr;
-  u8 *rewrite = NULL;
-  vec_validate (rewrite, sizeof (*hdr) - 1);
-  hdr = (ip4_udp_header_t *) rewrite;
-  hdr->ip4.ip_version_and_header_length = 0x45;
-  hdr->ip4.ttl = 64;
-  hdr->ip4.src_address = peer->src.addr.ip4;
-  hdr->ip4.dst_address = peer->dst.addr.ip4;
-  hdr->ip4.protocol = IP_PROTOCOL_UDP;
-  hdr->ip4.checksum = ip4_header_checksum (&hdr->ip4);
-  hdr->udp.src_port = clib_host_to_net_u16 (peer->src.port);
-  hdr->udp.dst_port = clib_host_to_net_u16 (peer->dst.port);
-  hdr->udp.checksum = 0;
-  return (rewrite);
-}
 static void
 wg_peer_adj_stack (wg_peer_t *peer, adj_index_t ai)
 {
   ip_adjacency_t *adj;
   u32 sw_if_index;
   wg_if_t *wgi;
+  fib_protocol_t fib_proto;
   if (!adj_is_valid (ai))
     return;
   adj = adj_get (ai);
   sw_if_index = adj->rewrite_header.sw_if_index;
+  u8 is_ip4 = ip46_address_is_ip4 (&peer->src.addr);
+  fib_proto = is_ip4 ? FIB_PROTOCOL_IP4 : FIB_PROTOCOL_IP6;
   wgi = wg_if_get (wg_if_find_by_sw_if_index (sw_if_index));
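Review bot: wg_peer_adj_stack now derives `is_ip4`, and through it `fib_proto` and the prefix length, from `peer->src.addr`, while the prefix it stacks on is built from `peer->dst.addr`, and the rest of this change (wg_peer_fill, wg_peer_get_fixup) keys the address family off the destination; if the tunnel source and the peer endpoint ever differ in family, the prefix handed to adj_midchain_delegate_stack carries a length and protocol that do not match its address. Keying off the address the prefix actually holds, `u8 is_ip4 = ip46_address_is_ip4 (&peer->dst.addr);`, removes the mismatch, and nothing visible in this change rejects a mixed-family peer at add time, so the consistency matters. wg_peer_adj_stack continues past the end of this hunk.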
@@ -140,19 +124,76 @@ wg_peer_adj_stack (wg_peer_t *peer, adj_index_t ai)
     {
       /* *INDENT-OFF* */
       fib_prefix_t dst = {
-        .fp_len = 32,
-        .fp_proto = FIB_PROTOCOL_IP4,
-        .fp_addr = peer->dst.addr,
+        .fp_len = is_ip4 ? 32 : 128,
+        .fp_proto = fib_proto,
+        .fp_addr = peer->dst.addr,
       };
       /* *INDENT-ON* */
       u32 fib_index;
-      fib_index = fib_table_find (FIB_PROTOCOL_IP4, peer->table_id);
+      fib_index = fib_table_find (fib_proto, peer->table_id);
       adj_midchain_delegate_stack (ai, fib_index, &dst);
     }
 }
+static void
+wg_peer_66_fixup (vlib_main_t *vm, const ip_adjacency_t *adj, vlib_buffer_t *b,
+                  const void *data)
+{
+  u8 iph_offset = 0;
+  ip6_header_t *ip6_out;
+  ip6_header_t *ip6_in;
+  /* Must set locally originated otherwise we're not allowed to
+     fragment the packet later */
+  b->flags |= VNET_BUFFER_F_LOCALLY_ORIGINATED;
+  ip6_out = vlib_buffer_get_current (b);
+  iph_offset = vnet_buffer (b)->ip.save_rewrite_length;
+  ip6_in = vlib_buffer_get_current (b) + iph_offset;
+  ip6_out->ip_version_traffic_class_and_flow_label =
+    ip6_in->ip_version_traffic_class_and_flow_label;
+}
+static void
+wg_peer_46_fixup (vlib_main_t *vm, const ip_adjacency_t *adj, vlib_buffer_t *b,
+                  const void *data)
+{
+  u8 iph_offset = 0;
+  ip6_header_t *ip6_out;
+  ip4_header_t *ip4_in;
+  /* Must set locally originated otherwise we're not allowed to
+     fragment the packet later */
+  b->flags |= VNET_BUFFER_F_LOCALLY_ORIGINATED;
+  ip6_out = vlib_buffer_get_current (b);
+  iph_offset = vnet_buffer (b)->ip.save_rewrite_length;
+  ip4_in = vlib_buffer_get_current (b) + iph_offset;
+  u32 vtcfl = 0x6 << 28;
+  vtcfl |= ip4_in->tos << 20;
+  vtcfl |= vnet_buffer (b)->ip.flow_hash & 0x000fffff;
+  ip6_out->ip_version_traffic_class_and_flow_label =
+    clib_host_to_net_u32 (vtcfl);
+}
+static adj_midchain_fixup_t
+wg_peer_get_fixup (wg_peer_t *peer, vnet_link_t lt)
+{
+  if (!ip46_address_is_ip4 (&peer->dst.addr))
+    {
+      if (lt == VNET_LINK_IP4)
+        return (wg_peer_46_fixup);
+      if (lt == VNET_LINK_IP6) return (wg_peer_66_fixup);
+    }
+  return (NULL);
+}
 walk_rc_t
 wg_peer_if_admin_state_change (index_t peeri, void *data)
 {
@@ -170,6 +211,7 @@ walk_rc_t
 wg_peer_if_adj_change (index_t peeri, void *data)
 {
   adj_index_t *adj_index = data;
+  adj_midchain_fixup_t fixup;
   ip_adjacency_t *adj;
   wg_peer_t *peer;
   fib_prefix_t *allowed_ip;
@@ -179,15 +221,16 @@ wg_peer_if_adj_change (index_t peeri, void *data)
   peer = wg_peer_get (peeri);
   vec_foreach (allowed_ip, peer->allowed_ips)
     {
-      if (fib_prefix_is_cover_addr_4 (allowed_ip,
-                                      &adj->sub_type.nbr.next_hop.ip4))
+      if (fib_prefix_is_cover_addr_46 (allowed_ip,
+                                       &adj->sub_type.nbr.next_hop))
         {
           vec_add1 (peer->adj_indices, *adj_index);
           vec_validate_init_empty (wg_peer_by_adj_index, *adj_index,
                                    INDEX_INVALID);
           wg_peer_by_adj_index[*adj_index] = peer - wg_peer_pool;
-          adj_nbr_midchain_update_rewrite (*adj_index, NULL, NULL,
+          fixup = wg_peer_get_fixup (peer, adj_get_link_type (*adj_index));
+          adj_nbr_midchain_update_rewrite (*adj_index, fixup, NULL,
                                            ADJ_FLAG_MIDCHAIN_IP_STACK,
                                            vec_dup (peer->rewrite));
@@ -207,12 +250,20 @@ wg_peer_adj_walk (adj_index_t ai, void *data)
   ADJ_WALK_RC_STOP;
 }
+walk_rc_t
+wg_peer_if_delete (index_t peeri, void *data)
+{
+  wg_peer_remove (peeri);
+  return (WALK_CONTINUE);
+}
 static int
 wg_peer_fill (vlib_main_t *vm, wg_peer_t *peer, u32 table_id,
              const ip46_address_t *dst, u16 port, u16 persistent_keepalive_interval, const fib_prefix_t *allowed_ips, u32 wg_sw_if_index)
 {
+  index_t perri = peer - wg_peer_pool;
   wg_peer_endpoint_init (&peer->dst, dst, port);
   peer->table_id = table_id;
@@ -220,7 +271,7 @@ wg_peer_fill (vlib_main_t *vm, wg_peer_t *peer, u32 table_id,
   peer->timer_wheel = &wg_main.timer_wheel;
   peer->persistent_keepalive_interval = persistent_keepalive_interval;
   peer->last_sent_handshake = vlib_time_now (vm) - (REKEY_TIMEOUT + 1);
-  peer->is_dead = false;
+  wg_peer_update_flags (perri, WG_PEER_STATUS_DEAD, false);
   const wg_if_t *wgi = wg_if_get (wg_if_find_by_sw_if_index (wg_sw_if_index));
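Review bot: wg_peer_66_fixup copies the inner packet's whole version/traffic-class/flow-label word into the outer IPv6 header, so the outer flow label is the plaintext flow's own label, whereas wg_peer_46_fixup right below builds the outer label from `flow_hash`; the verbatim copy hands an on-path observer the sender's per-flow identifier across the encrypted tunnel, and it also trusts the inner header's version nibble to be 6. Keeping only the traffic class from the inner header and deriving the label the same way as the 4-over-6 case (assuming `ip.flow_hash` is populated on the IPv6 path as it evidently is on the IPv4 one) makes the two fixups consistent and removes that dependence on the inner packet. Separately, wg_peer_get_fixup returns NULL for an IPv4 endpoint, so VNET_BUFFER_F_LOCALLY_ORIGINATED is set only for IPv6 encapsulation; if the fragmentation concern in the comment applies to IPv4 encapsulation too, that path needs its own fixup.
```c
static void
wg_peer_66_fixup (vlib_main_t *vm, const ip_adjacency_t *adj, vlib_buffer_t *b,
		  const void *data)
{
  /* … unchanged: locally-originated flag, ip6_out / ip6_in setup … */

  /* keep the inner DSCP/ECN, but derive the outer flow label from the
     flow hash as the 4-over-6 fixup does instead of exposing the inner
     label on the wire */
  u32 vtcfl_in =
    clib_net_to_host_u32 (ip6_in->ip_version_traffic_class_and_flow_label);
  u32 vtcfl = 0x6 << 28;
  vtcfl |= vtcfl_in & 0x0ff00000;
  vtcfl |= vnet_buffer (b)->ip.flow_hash & 0x000fffff;

  ip6_out->ip_version_traffic_class_and_flow_label =
    clib_host_to_net_u32 (vtcfl);
}
```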
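Review bot: wg_peer_if_delete discards the return value of `wg_peer_remove`, so a removal that fails during the interface-delete walk is invisible to the caller and the walk simply continues; if `wg_peer_remove` reports failure the way `wg_peer_add` in this file does, at least log it, e.g. `if (wg_peer_remove (peeri)) clib_warning ("wg: failed to remove peer %u", peeri);`. The callback also removes pool elements from inside a walk over those same elements, which is only safe if the walker does not touch the pool after invoking the callback for an index; that assumption deserves a comment on the function, e.g. `/* walk callback for interface delete: removes the peer, so the walker must not reuse the element after the callback returns */`.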
@@ -229,7 +280,10 @@ wg_peer_fill (vlib_main_t *vm, wg_peer_t *peer, u32 table_id,
   ip_address_to_46 (&wgi->src_ip, &peer->src.addr);
   peer->src.port = wgi->port;
-  peer->rewrite = wg_peer_build_rewrite (peer);
+
+  u8 is_ip4 = ip46_address_is_ip4 (&peer->dst.addr);
+  peer->rewrite = wg_build_rewrite (&peer->src.addr, peer->src.port,
+                                    &peer->dst.addr, peer->dst.port, is_ip4);
   u32 ii;
   vec_validate (peer->allowed_ips, vec_len (allowed_ips) - 1);
@@ -238,7 +292,6 @@ wg_peer_fill (vlib_main_t *vm, wg_peer_t *peer, u32 table_id,
       peer->allowed_ips[ii] = allowed_ips[ii];
     }
-  index_t perri = peer - wg_peer_pool;
   fib_protocol_t proto;
   FOR_EACH_FIB_IP_PROTOCOL (proto)
   {
@@ -247,6 +300,19 @@ wg_peer_fill (vlib_main_t *vm, wg_peer_t *peer, u32 table_id,
   return (0);
 }
+void
+wg_peer_update_flags (index_t peeri, wg_peer_flags flag, bool add_del)
+{
+  wg_peer_t *peer = wg_peer_get (peeri);
+  if ((add_del && (peer->flags & flag)) || (!add_del && !(peer->flags & flag)))
+    {
+      return;
+    }
+
+  peer->flags ^= flag;
+  wg_api_peer_event (peeri, peer->flags);
+}
+
 int
 wg_peer_add (u32 tun_sw_if_index, const u8 public_key[NOISE_PUBLIC_KEY_LEN],
              u32 table_id, const ip46_address_t *endpoint,
@@ -297,6 +363,7 @@ wg_peer_add (u32 tun_sw_if_index, const u8 public_key[NOISE_PUBLIC_KEY_LEN],
                   wg_if->local_idx);
   cookie_maker_init (&peer->cookie_maker, public_key);
+  wg_send_handshake (vm, peer, false);
   if (peer->persistent_keepalive_interval != 0)
     {
       wg_send_keepalive (vm, peer);
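Review bot: wg_peer_update_flags only behaves as a set/clear when `flag` is a single bit: for a multi-bit mask the early return fires on `add_del` as soon as any one bit is already set, and otherwise `peer->flags ^= flag` toggles rather than sets, so bits that were already set get cleared. Replacing the two with an exact-match guard and plain mask arithmetic, `if (add_del ? (peer->flags & flag) == flag : !(peer->flags & flag)) return;` followed by `if (add_del) peer->flags |= flag; else peer->flags &= ~flag;`, keeps the no-change short-circuit (and hence the API event only on a real transition) while being correct for any mask. The function is given external linkage and is already called from wg_peer_clear earlier in the file, so its prototype presumably lives in the header added in the first hunk; worth confirming, since an implicit declaration here would hide a signature mismatch.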
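Review bot: The `wg_send_handshake (vm, peer, false);` added after cookie_maker_init initiates a handshake unconditionally at peer-add time, regardless of whether the peer has a usable endpoint or any traffic to send; in the WireGuard model an initiation is driven by outbound data or persistent keepalive, and the keepalive branch directly below already covers the latter. If the `endpoint` argument can be unset for a passive peer (nothing visible in this change validates it), this sends an initiation to a meaningless address; guarding it, `if (!ip46_address_is_zero (&peer->dst.addr)) wg_send_handshake (vm, peer, false);`, or dropping it in favour of on-demand initiation keeps the behaviour predictable. The return value of wg_send_handshake is also discarded. wg_peer_add starts before and continues past this hunk.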
@@ -368,14 +435,17 @@ format_wg_peer (u8 * s, va_list * va)
   peer = wg_peer_get (peeri);
   key_to_base64 (peer->remote.r_public, NOISE_PUBLIC_KEY_LEN, key);
-  s = format (s, "[%d] endpoint:[%U->%U] %U keep-alive:%d", peeri,
-              format_wg_peer_endpoint, &peer->src, format_wg_peer_endpoint,
-              &peer->dst, format_vnet_sw_if_index_name, vnet_get_main (),
-              peer->wg_sw_if_index, peer->persistent_keepalive_interval);
+  s = format (
+    s,
+    "[%d] endpoint:[%U->%U] %U keep-alive:%d flags: %d, api-clients count: %d",
+    peeri, format_wg_peer_endpoint, &peer->src, format_wg_peer_endpoint,
+    &peer->dst, format_vnet_sw_if_index_name, vnet_get_main (),
+    peer->wg_sw_if_index, peer->persistent_keepalive_interval, peer->flags,
+    pool_elts (peer->api_clients));
   s = format (s, "\n adj:");
   vec_foreach (adj_index, peer->adj_indices)
     {
-      s = format (s, " %d", adj_index);
+      s = format (s, " %d", *adj_index);
     }
   s = format (s, "\n key:%=s %U", key, format_hex_bytes, peer->remote.r_public, NOISE_PUBLIC_KEY_LEN);
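Review bot: `flags: %d` prints the raw wg_peer_flags bitmask, which a reader of the peer listing has to decode by hand; a small `format_wg_peer_flags` that names ESTABLISHED and DEAD (the two values this change uses) would make the peer state visible at a glance. `pool_elts` returns a uword while the conversion is `%d`; cast it, `(u32) pool_elts (peer->api_clients)`, so the argument matches the conversion on every ABI. The change from `adj_index` to `*adj_index` in the loop fixes a real bug (the old code printed a pointer), which is worth mentioning in the change description. format_wg_peer starts before and ends after this hunk.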