X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Fwireguard%2Fwireguard_peer.c;h=922ca8cdae5f114baaa7e1d5f5c48720b860f8f2;hb=fee9853a4;hp=30adea82647a6ef125ea80db786d2f2df3782149;hpb=a26b0d11e91e9abca6220e50f0240ab6ae09c6d3;p=vpp.git diff --git a/src/plugins/wireguard/wireguard_peer.c b/src/plugins/wireguard/wireguard_peer.c old mode 100755 new mode 100644 index 30adea82647..922ca8cdae5 --- a/src/plugins/wireguard/wireguard_peer.c +++ b/src/plugins/wireguard/wireguard_peer.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2020 Doc.ai and/or its affiliates. + * Copyright (c) 2020 Cisco and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: @@ -15,23 +16,19 @@ #include #include +#include #include #include #include #include #include #include +#include -static fib_source_t wg_fib_source; +wg_peer_t *wg_peer_pool; index_t *wg_peer_by_adj_index; -wg_peer_t * -wg_peer_get (index_t peeri) -{ - return (pool_elt_at_index (wg_main.peers, peeri)); -} - static void wg_peer_endpoint_reset (wg_peer_endpoint_t * ep) { @@ -40,49 +37,26 @@ wg_peer_endpoint_reset (wg_peer_endpoint_t * ep) } static void -wg_peer_endpoint_init (wg_peer_endpoint_t * ep, - const ip46_address_t * addr, u16 port) +wg_peer_endpoint_init (wg_peer_endpoint_t *ep, const ip46_address_t *addr, + u16 port) { ip46_address_copy (&ep->addr, addr); ep->port = port; } -static void -wg_peer_fib_flush (wg_peer_t * peer) -{ - wg_peer_allowed_ip_t *allowed_ip; - - vec_foreach (allowed_ip, peer->allowed_ips) - { - fib_table_entry_delete_index (allowed_ip->fib_entry_index, wg_fib_source); - allowed_ip->fib_entry_index = FIB_NODE_INDEX_INVALID; - } -} - -static void -wg_peer_fib_populate (wg_peer_t * peer, u32 fib_index) -{ - wg_peer_allowed_ip_t *allowed_ip; - - vec_foreach (allowed_ip, peer->allowed_ips) - { - allowed_ip->fib_entry_index = - fib_table_entry_path_add (fib_index, - &allowed_ip->prefix, - wg_fib_source, - FIB_ENTRY_FLAG_NONE, - fib_proto_to_dpo (allowed_ip-> - prefix.fp_proto), - &peer->dst.addr, peer->wg_sw_if_index, ~0, 1, - NULL, FIB_ROUTE_PATH_FLAG_NONE); - } -} - static void wg_peer_clear (vlib_main_t * vm, wg_peer_t * peer) { + index_t perri = peer - wg_peer_pool; wg_timers_stop (peer); - noise_remote_clear (vm, &peer->remote); + wg_peer_update_flags (perri, WG_PEER_ESTABLISHED, false); + wg_peer_update_flags (perri, WG_PEER_STATUS_DEAD, true); + for (int i = 0; i < WG_N_TIMERS; i++) + { + peer->timers[i] = ~0; + peer->timers_dispatched[i] = 0; + } + peer->last_sent_handshake = vlib_time_now (vm) - (REKEY_TIMEOUT + 1); clib_memset (&peer->cookie_maker, 0, sizeof (peer->cookie_maker)); @@ -90,125 +64,228 @@ wg_peer_clear (vlib_main_t * vm, wg_peer_t * peer) wg_peer_endpoint_reset (&peer->src); wg_peer_endpoint_reset (&peer->dst); - if (INDEX_INVALID != peer->adj_index) + wg_peer_adj_t *peer_adj; + vec_foreach (peer_adj, peer->adjs) { - adj_unlock (peer->adj_index); - wg_peer_by_adj_index[peer->adj_index] = INDEX_INVALID; + wg_peer_by_adj_index[peer_adj->adj_index] = INDEX_INVALID; + if (FIB_NODE_INDEX_INVALID != peer_adj->fib_entry_index) + fib_entry_untrack (peer_adj->fib_entry_index, peer_adj->sibling_index); + if (adj_is_valid (peer_adj->adj_index)) + adj_nbr_midchain_unstack (peer_adj->adj_index); } - wg_peer_fib_flush (peer); - - peer->adj_index = INDEX_INVALID; + peer->input_thread_index = ~0; + peer->output_thread_index = ~0; + peer->timer_wheel = 0; peer->persistent_keepalive_interval = 0; peer->timer_handshake_attempts = 0; + peer->last_sent_packet = 0; + peer->last_received_packet = 0; + peer->session_derived = 0; + peer->rehandshake_started = 0; + peer->new_handshake_interval_tick = 0; + peer->rehandshake_interval_tick = 0; peer->timer_need_another_keepalive = false; - peer->is_dead = true; + vec_free (peer->rewrite); vec_free (peer->allowed_ips); + vec_free (peer->adjs); } static void wg_peer_init (vlib_main_t * vm, wg_peer_t * peer) { - wg_timers_init (peer, vlib_time_now (vm)); + peer->api_client_by_client_index = hash_create (0, sizeof (u32)); + peer->api_clients = NULL; wg_peer_clear (vm, peer); } -static u8 * -wg_peer_build_rewrite (const wg_peer_t * peer) -{ - // v4 only for now - ip4_udp_header_t *hdr; - u8 *rewrite = NULL; - - vec_validate (rewrite, sizeof (*hdr) - 1); - hdr = (ip4_udp_header_t *) rewrite; - - hdr->ip4.ip_version_and_header_length = 0x45; - hdr->ip4.ttl = 64; - hdr->ip4.src_address = peer->src.addr.ip4; - hdr->ip4.dst_address = peer->dst.addr.ip4; - hdr->ip4.protocol = IP_PROTOCOL_UDP; - hdr->ip4.checksum = ip4_header_checksum (&hdr->ip4); - - hdr->udp.src_port = clib_host_to_net_u16 (peer->src.port); - hdr->udp.dst_port = clib_host_to_net_u16 (peer->dst.port); - hdr->udp.checksum = 0; - - return (rewrite); -} - static void -wg_peer_adj_stack (wg_peer_t * peer) +wg_peer_adj_stack (wg_peer_t *peer, wg_peer_adj_t *peer_adj) { ip_adjacency_t *adj; u32 sw_if_index; wg_if_t *wgi; + fib_protocol_t fib_proto; + + if (!adj_is_valid (peer_adj->adj_index)) + return; - adj = adj_get (peer->adj_index); + adj = adj_get (peer_adj->adj_index); sw_if_index = adj->rewrite_header.sw_if_index; + u8 is_ip4 = ip46_address_is_ip4 (&peer->src.addr); + fib_proto = is_ip4 ? FIB_PROTOCOL_IP4 : FIB_PROTOCOL_IP6; wgi = wg_if_get (wg_if_find_by_sw_if_index (sw_if_index)); if (!wgi) return; - if (!vnet_sw_interface_is_admin_up (vnet_get_main (), wgi->sw_if_index)) + if (!vnet_sw_interface_is_admin_up (vnet_get_main (), wgi->sw_if_index) || + !wg_peer_can_send (peer)) { - adj_midchain_delegate_unstack (peer->adj_index); + adj_nbr_midchain_unstack (peer_adj->adj_index); } else { /* *INDENT-OFF* */ fib_prefix_t dst = { - .fp_len = 32, - .fp_proto = FIB_PROTOCOL_IP4, - .fp_addr = peer->dst.addr, + .fp_len = is_ip4 ? 32 : 128, + .fp_proto = fib_proto, + .fp_addr = peer->dst.addr, }; /* *INDENT-ON* */ u32 fib_index; - fib_index = fib_table_find (FIB_PROTOCOL_IP4, peer->table_id); + fib_index = fib_table_find (fib_proto, peer->table_id); + peer_adj->fib_entry_index = + fib_entry_track (fib_index, &dst, FIB_NODE_TYPE_ADJ, + peer_adj->adj_index, &peer_adj->sibling_index); - adj_midchain_delegate_stack (peer->adj_index, fib_index, &dst); + adj_nbr_midchain_stack_on_fib_entry ( + peer_adj->adj_index, peer_adj->fib_entry_index, + fib_forw_chain_type_from_fib_proto (dst.fp_proto)); } } -walk_rc_t -wg_peer_if_admin_state_change (wg_if_t * wgi, index_t peeri, void *data) +static void +wg_peer_66_fixup (vlib_main_t *vm, const ip_adjacency_t *adj, vlib_buffer_t *b, + const void *data) +{ + u8 iph_offset = 0; + ip6_header_t *ip6_out; + ip6_header_t *ip6_in; + + /* Must set locally originated otherwise we're not allowed to + fragment the packet later */ + b->flags |= VNET_BUFFER_F_LOCALLY_ORIGINATED; + + ip6_out = vlib_buffer_get_current (b); + iph_offset = vnet_buffer (b)->ip.save_rewrite_length; + ip6_in = vlib_buffer_get_current (b) + iph_offset; + + ip6_out->ip_version_traffic_class_and_flow_label = + ip6_in->ip_version_traffic_class_and_flow_label; +} + +static void +wg_peer_46_fixup (vlib_main_t *vm, const ip_adjacency_t *adj, vlib_buffer_t *b, + const void *data) +{ + u8 iph_offset = 0; + ip6_header_t *ip6_out; + ip4_header_t *ip4_in; + + /* Must set locally originated otherwise we're not allowed to + fragment the packet later */ + b->flags |= VNET_BUFFER_F_LOCALLY_ORIGINATED; + + ip6_out = vlib_buffer_get_current (b); + iph_offset = vnet_buffer (b)->ip.save_rewrite_length; + ip4_in = vlib_buffer_get_current (b) + iph_offset; + + u32 vtcfl = 0x6 << 28; + vtcfl |= ip4_in->tos << 20; + vtcfl |= vnet_buffer (b)->ip.flow_hash & 0x000fffff; + + ip6_out->ip_version_traffic_class_and_flow_label = + clib_host_to_net_u32 (vtcfl); +} + +static adj_midchain_fixup_t +wg_peer_get_fixup (wg_peer_t *peer, vnet_link_t lt) { - wg_peer_adj_stack (wg_peer_get (peeri)); + if (!ip46_address_is_ip4 (&peer->dst.addr)) + { + if (lt == VNET_LINK_IP4) + return (wg_peer_46_fixup); + if (lt == VNET_LINK_IP6) + return (wg_peer_66_fixup); + } + return (NULL); +} +walk_rc_t +wg_peer_if_admin_state_change (index_t peeri, void *data) +{ + wg_peer_t *peer; + wg_peer_adj_t *peer_adj; + peer = wg_peer_get (peeri); + vec_foreach (peer_adj, peer->adjs) + { + wg_peer_adj_stack (peer, peer_adj); + } return (WALK_CONTINUE); } walk_rc_t -wg_peer_if_table_change (wg_if_t * wgi, index_t peeri, void *data) +wg_peer_if_adj_change (index_t peeri, void *data) { - wg_peer_table_bind_ctx_t *ctx = data; + adj_index_t *adj_index = data; + adj_midchain_fixup_t fixup; + ip_adjacency_t *adj; wg_peer_t *peer; + fib_prefix_t *allowed_ip; + wg_peer_adj_t *peer_adj; + + adj = adj_get (*adj_index); peer = wg_peer_get (peeri); + vec_foreach (allowed_ip, peer->allowed_ips) + { + if (fib_prefix_is_cover_addr_46 (allowed_ip, + &adj->sub_type.nbr.next_hop)) + { + vec_add2 (peer->adjs, peer_adj, 1); + peer_adj->adj_index = *adj_index; + peer_adj->fib_entry_index = FIB_NODE_INDEX_INVALID; + peer_adj->sibling_index = ~0; + + vec_validate_init_empty (wg_peer_by_adj_index, *adj_index, + INDEX_INVALID); + wg_peer_by_adj_index[*adj_index] = peeri; + + fixup = wg_peer_get_fixup (peer, adj_get_link_type (*adj_index)); + adj_nbr_midchain_update_rewrite (*adj_index, fixup, NULL, + ADJ_FLAG_MIDCHAIN_IP_STACK, + vec_dup (peer->rewrite)); + + wg_peer_adj_stack (peer, peer_adj); + return (WALK_STOP); + } + } - wg_peer_fib_flush (peer); - wg_peer_fib_populate (peer, ctx->new_fib_index); + return (WALK_CONTINUE); +} +adj_walk_rc_t +wg_peer_adj_walk (adj_index_t ai, void *data) +{ + return wg_peer_if_adj_change ((*(index_t *) (data)), &ai) == WALK_CONTINUE ? + ADJ_WALK_RC_CONTINUE : + ADJ_WALK_RC_STOP; +} + +walk_rc_t +wg_peer_if_delete (index_t peeri, void *data) +{ + wg_peer_remove (peeri); return (WALK_CONTINUE); } static int -wg_peer_fill (vlib_main_t * vm, wg_peer_t * peer, - u32 table_id, - const ip46_address_t * dst, - u16 port, +wg_peer_fill (vlib_main_t *vm, wg_peer_t *peer, u32 table_id, + const ip46_address_t *dst, u16 port, u16 persistent_keepalive_interval, - const fib_prefix_t * allowed_ips, u32 wg_sw_if_index) + const fib_prefix_t *allowed_ips, u32 wg_sw_if_index) { + index_t perri = peer - wg_peer_pool; wg_peer_endpoint_init (&peer->dst, dst, port); peer->table_id = table_id; - peer->persistent_keepalive_interval = persistent_keepalive_interval; peer->wg_sw_if_index = wg_sw_if_index; + peer->timer_wheel = &wg_main.timer_wheel; + peer->persistent_keepalive_interval = persistent_keepalive_interval; peer->last_sent_handshake = vlib_time_now (vm) - (REKEY_TIMEOUT + 1); - peer->is_dead = false; + wg_peer_update_flags (perri, WG_PEER_STATUS_DEAD, false); const wg_if_t *wgi = wg_if_get (wg_if_find_by_sw_if_index (wg_sw_if_index)); @@ -218,53 +295,108 @@ wg_peer_fill (vlib_main_t * vm, wg_peer_t * peer, ip_address_to_46 (&wgi->src_ip, &peer->src.addr); peer->src.port = wgi->port; - /* - * and an adjacency for the endpoint address in the overlay - * on the wg interface - */ - peer->rewrite = wg_peer_build_rewrite (peer); - - peer->adj_index = adj_nbr_add_or_lock (FIB_PROTOCOL_IP4, - VNET_LINK_IP4, - &peer->dst.addr, wgi->sw_if_index); - - vec_validate_init_empty (wg_peer_by_adj_index, - peer->adj_index, INDEX_INVALID); - wg_peer_by_adj_index[peer->adj_index] = peer - wg_main.peers; - - adj_nbr_midchain_update_rewrite (peer->adj_index, - NULL, - NULL, - ADJ_FLAG_MIDCHAIN_IP_STACK, - vec_dup (peer->rewrite)); - wg_peer_adj_stack (peer); - - /* - * add a route in the overlay to each of the allowed-ips - */ - u32 ii; + u8 is_ip4 = ip46_address_is_ip4 (&peer->dst.addr); + peer->rewrite = wg_build_rewrite (&peer->src.addr, peer->src.port, + &peer->dst.addr, peer->dst.port, is_ip4); + u32 ii; vec_validate (peer->allowed_ips, vec_len (allowed_ips) - 1); - vec_foreach_index (ii, allowed_ips) { - peer->allowed_ips[ii].prefix = allowed_ips[ii]; + peer->allowed_ips[ii] = allowed_ips[ii]; } - wg_peer_fib_populate (peer, - fib_table_get_index_for_sw_if_index - (FIB_PROTOCOL_IP4, peer->wg_sw_if_index)); - + fib_protocol_t proto; + FOR_EACH_FIB_IP_PROTOCOL (proto) + { + adj_nbr_walk (wg_sw_if_index, proto, wg_peer_adj_walk, &perri); + } return (0); } +void +wg_peer_update_flags (index_t peeri, wg_peer_flags flag, bool add_del) +{ + wg_peer_t *peer = wg_peer_get (peeri); + if ((add_del && (peer->flags & flag)) || (!add_del && !(peer->flags & flag))) + { + return; + } + + peer->flags ^= flag; + wg_api_peer_event (peeri, peer->flags); +} + +void +wg_peer_update_endpoint (index_t peeri, const ip46_address_t *addr, u16 port) +{ + wg_peer_t *peer = wg_peer_get (peeri); + + if (ip46_address_is_equal (&peer->dst.addr, addr) && peer->dst.port == port) + return; + + wg_peer_endpoint_init (&peer->dst, addr, port); + + u8 is_ip4 = ip46_address_is_ip4 (&peer->dst.addr); + vec_free (peer->rewrite); + peer->rewrite = wg_build_rewrite (&peer->src.addr, peer->src.port, + &peer->dst.addr, peer->dst.port, is_ip4); + + wg_peer_adj_t *peer_adj; + vec_foreach (peer_adj, peer->adjs) + { + if (FIB_NODE_INDEX_INVALID != peer_adj->fib_entry_index) + { + fib_entry_untrack (peer_adj->fib_entry_index, + peer_adj->sibling_index); + peer_adj->fib_entry_index = FIB_NODE_INDEX_INVALID; + peer_adj->sibling_index = ~0; + } + + if (adj_is_valid (peer_adj->adj_index)) + { + adj_midchain_fixup_t fixup = + wg_peer_get_fixup (peer, adj_get_link_type (peer_adj->adj_index)); + adj_nbr_midchain_update_rewrite (peer_adj->adj_index, fixup, NULL, + ADJ_FLAG_MIDCHAIN_IP_STACK, + vec_dup (peer->rewrite)); + wg_peer_adj_stack (peer, peer_adj); + } + } +} + +typedef struct wg_peer_upd_ep_args_t_ +{ + index_t peeri; + ip46_address_t addr; + u16 port; +} wg_peer_upd_ep_args_t; + +static void +wg_peer_update_endpoint_thread_fn (wg_peer_upd_ep_args_t *args) +{ + wg_peer_update_endpoint (args->peeri, &args->addr, args->port); +} + +void +wg_peer_update_endpoint_from_mt (index_t peeri, const ip46_address_t *addr, + u16 port) +{ + wg_peer_upd_ep_args_t args = { + .peeri = peeri, + .port = port, + }; + + ip46_address_copy (&args.addr, addr); + vlib_rpc_call_main_thread (wg_peer_update_endpoint_thread_fn, (u8 *) &args, + sizeof (args)); +} + int -wg_peer_add (u32 tun_sw_if_index, - const u8 public_key[NOISE_PUBLIC_KEY_LEN], - u32 table_id, - const ip46_address_t * endpoint, - const fib_prefix_t * allowed_ips, - u16 port, u16 persistent_keepalive, u32 * peer_index) +wg_peer_add (u32 tun_sw_if_index, const u8 public_key[NOISE_PUBLIC_KEY_LEN], + u32 table_id, const ip46_address_t *endpoint, + const fib_prefix_t *allowed_ips, u16 port, + u16 persistent_keepalive, u32 *peer_index) { wg_if_t *wg_if; wg_peer_t *peer; @@ -280,19 +412,19 @@ wg_peer_add (u32 tun_sw_if_index, return (VNET_API_ERROR_INVALID_SW_IF_INDEX); /* *INDENT-OFF* */ - pool_foreach (peer, wg_main.peers, - ({ + pool_foreach (peer, wg_peer_pool) + { if (!memcmp (peer->remote.r_public, public_key, NOISE_PUBLIC_KEY_LEN)) { return (VNET_API_ERROR_ENTRY_ALREADY_EXISTS); } - })); + } /* *INDENT-ON* */ - if (pool_elts (wg_main.peers) > MAX_PEERS) + if (pool_elts (wg_peer_pool) > MAX_PEERS) return (VNET_API_ERROR_LIMIT_EXCEEDED); - pool_get (wg_main.peers, peer); + pool_get_zero (wg_peer_pool, peer); wg_peer_init (vm, peer); @@ -302,20 +434,21 @@ wg_peer_add (u32 tun_sw_if_index, if (rv) { wg_peer_clear (vm, peer); - pool_put (wg_main.peers, peer); + pool_put (wg_peer_pool, peer); return (rv); } - noise_remote_init (&peer->remote, peer - wg_main.peers, public_key, - &wg_if->local); + noise_remote_init (&peer->remote, peer - wg_peer_pool, public_key, + wg_if->local_idx); cookie_maker_init (&peer->cookie_maker, public_key); + wg_send_handshake (vm, peer, false); if (peer->persistent_keepalive_interval != 0) { wg_send_keepalive (vm, peer); } - *peer_index = peer - wg_main.peers; + *peer_index = peer - wg_peer_pool; wg_if_peer_add (wg_if, *peer_index); return (0); @@ -328,34 +461,34 @@ wg_peer_remove (index_t peeri) wg_peer_t *peer = NULL; wg_if_t *wgi; - if (pool_is_free_index (wmp->peers, peeri)) + if (pool_is_free_index (wg_peer_pool, peeri)) return VNET_API_ERROR_NO_SUCH_ENTRY; - peer = pool_elt_at_index (wmp->peers, peeri); + peer = pool_elt_at_index (wg_peer_pool, peeri); wgi = wg_if_get (wg_if_find_by_sw_if_index (peer->wg_sw_if_index)); wg_if_peer_remove (wgi, peeri); - vnet_feature_enable_disable ("ip4-output", "wg-output-tun", - peer->wg_sw_if_index, 0, 0, 0); + noise_remote_clear (wmp->vlib_main, &peer->remote); wg_peer_clear (wmp->vlib_main, peer); - pool_put (wmp->peers, peer); + pool_put (wg_peer_pool, peer); return (0); } -void +index_t wg_peer_walk (wg_peer_walk_cb_t fn, void *data) { index_t peeri; /* *INDENT-OFF* */ - pool_foreach_index(peeri, wg_main.peers, + pool_foreach_index (peeri, wg_peer_pool) { if (WALK_STOP == fn(peeri, data)) - break; - }); + return peeri; + } /* *INDENT-ON* */ + return INDEX_INVALID; } static u8 * @@ -363,8 +496,8 @@ format_wg_peer_endpoint (u8 * s, va_list * args) { wg_peer_endpoint_t *ep = va_arg (*args, wg_peer_endpoint_t *); - s = format (s, "%U:%d", - format_ip46_address, &ep->addr, IP46_TYPE_ANY, ep->port); + s = format (s, "%U:%d", format_ip46_address, &ep->addr, IP46_TYPE_ANY, + ep->port); return (s); } @@ -373,48 +506,37 @@ u8 * format_wg_peer (u8 * s, va_list * va) { index_t peeri = va_arg (*va, index_t); - wg_peer_allowed_ip_t *allowed_ip; + fib_prefix_t *allowed_ip; u8 key[NOISE_KEY_LEN_BASE64]; wg_peer_t *peer; + wg_peer_adj_t *peer_adj; peer = wg_peer_get (peeri); key_to_base64 (peer->remote.r_public, NOISE_PUBLIC_KEY_LEN, key); - s = format (s, "[%d] endpoint:[%U->%U] %U keep-alive:%d adj:%d", - peeri, - format_wg_peer_endpoint, &peer->src, - format_wg_peer_endpoint, &peer->dst, - format_vnet_sw_if_index_name, vnet_get_main (), - peer->wg_sw_if_index, - peer->persistent_keepalive_interval, peer->adj_index); - s = format (s, "\n key:%=s %U", - key, format_hex_bytes, peer->remote.r_public, - NOISE_PUBLIC_KEY_LEN); + s = format ( + s, + "[%d] endpoint:[%U->%U] %U keep-alive:%d flags: %d, api-clients count: %d", + peeri, format_wg_peer_endpoint, &peer->src, format_wg_peer_endpoint, + &peer->dst, format_vnet_sw_if_index_name, vnet_get_main (), + peer->wg_sw_if_index, peer->persistent_keepalive_interval, peer->flags, + pool_elts (peer->api_clients)); + s = format (s, "\n adj:"); + vec_foreach (peer_adj, peer->adjs) + { + s = format (s, " %d", peer_adj->adj_index); + } + s = format (s, "\n key:%=s %U", key, format_hex_bytes, + peer->remote.r_public, NOISE_PUBLIC_KEY_LEN); s = format (s, "\n allowed-ips:"); vec_foreach (allowed_ip, peer->allowed_ips) { - s = format (s, " %U", format_fib_prefix, &allowed_ip->prefix); + s = format (s, " %U", format_fib_prefix, allowed_ip); } return s; } -static clib_error_t * -wg_peer_module_init (vlib_main_t * vm) -{ - /* - * use a priority better than interface source, so that - * if the same subnet is added to the wg interface and is - * used as an allowed IP, then the wireguard soueced prefix - * wins and traffic is routed to the endpoint rather than dropped - */ - wg_fib_source = fib_source_allocate ("wireguard", 0x2, FIB_SOURCE_BH_API); - - return (NULL); -} - -VLIB_INIT_FUNCTION (wg_peer_module_init); - /* * fd.io coding-style-patch-verification: ON *