Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ovpn: add support for asymmetric peer IDs

In order to support the multipeer architecture, upon connection setup
each side of a tunnel advertises a unique ID that the other side must
include in packets sent to them. Therefore when transmitting a packet, a
peer inserts the recipient's advertised ID for that specific tunnel into
the peer ID field. When receiving a packet, a peer expects to find its
own unique receive ID for that specific tunnel in the peer ID field.

Add support for the TX peer ID and embed it into transmitting packets.
If no TX peer ID is specified, fall back to using the same peer ID both
for RX and TX in order to be compatible with the non-multipeer compliant
peers.

Cc: horms@kernel.org
Cc: donald.hunter@gmail.com
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>

Authored by Ralf Lici and committed by Antonio Quartulli
2e570a51 77de28cd

+50 -11
+16 -1
Documentation/netlink/specs/ovpn.yaml
··· 43 43 type: u32 44 44 doc: >- 45 45 The unique ID of the peer in the device context. To be used to 46 - identify peers during operations for a specific device 46 + identify peers during operations for a specific device. 47 + Also used to match packets received from this peer. 47 48 checks: 48 49 max: 0xFFFFFF 49 50 - ··· 161 160 name: link-tx-packets 162 161 type: uint 163 162 doc: Number of packets transmitted at the transport level 163 + - 164 + name: tx-id 165 + type: u32 166 + doc: >- 167 + The ID value used when transmitting packets to this peer. This 168 + way outgoing packets can have a different ID than incoming ones. 169 + Useful in multipeer-to-multipeer connections, where each peer 170 + will advertise the tx-id to be used on the link. 171 + checks: 172 + max: 0xFFFFFF 164 173 - 165 174 name: peer-new-input 166 175 subset-of: peer ··· 199 188 name: keepalive-interval 200 189 - 201 190 name: keepalive-timeout 191 + - 192 + name: tx-id 202 193 - 203 194 name: peer-set-input 204 195 subset-of: peer ··· 227 214 name: keepalive-interval 228 215 - 229 216 name: keepalive-timeout 217 + - 218 + name: tx-id 230 219 - 231 220 name: peer-del-input 232 221 subset-of: peer
+1 -1
drivers/net/ovpn/crypto_aead.c
··· 122 122 memcpy(skb->data, iv, OVPN_NONCE_WIRE_SIZE); 123 123 124 124 /* add packet op as head of additional data */ 125 - op = ovpn_opcode_compose(OVPN_DATA_V2, ks->key_id, peer->id); 125 + op = ovpn_opcode_compose(OVPN_DATA_V2, ks->key_id, peer->tx_id); 126 126 __skb_push(skb, OVPN_OPCODE_SIZE); 127 127 BUILD_BUG_ON(sizeof(op) != OVPN_OPCODE_SIZE); 128 128 *((__force __be32 *)skb->data) = htonl(op);
+12 -2
drivers/net/ovpn/netlink.c
··· 305 305 dst_cache_reset(&peer->dst_cache); 306 306 } 307 307 308 + /* In a multipeer-to-multipeer setup we may have asymmetric peer IDs, 309 + * that is peer->id might be different from peer->tx_id. 310 + */ 311 + if (attrs[OVPN_A_PEER_TX_ID]) 312 + peer->tx_id = nla_get_u32(attrs[OVPN_A_PEER_TX_ID]); 313 + 308 314 if (attrs[OVPN_A_PEER_VPN_IPV4]) { 309 315 rehash = true; 310 316 peer->vpn_addrs.ipv4.s_addr = ··· 332 326 } 333 327 334 328 netdev_dbg(peer->ovpn->dev, 335 - "modify peer id=%u endpoint=%pIScp VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n", 336 - peer->id, &ss, 329 + "modify peer id=%u tx_id=%u endpoint=%pIScp VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n", 330 + peer->id, peer->tx_id, &ss, 337 331 &peer->vpn_addrs.ipv4.s_addr, &peer->vpn_addrs.ipv6); 338 332 339 333 spin_unlock_bh(&peer->lock); ··· 379 373 } 380 374 381 375 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]); 376 + 382 377 peer = ovpn_peer_new(ovpn, peer_id); 383 378 if (IS_ERR(peer)) { 384 379 NL_SET_ERR_MSG_FMT_MOD(info->extack, ··· 577 570 rcu_read_unlock(); 578 571 579 572 if (nla_put_u32(skb, OVPN_A_PEER_ID, peer->id)) 573 + goto err; 574 + 575 + if (nla_put_u32(skb, OVPN_A_PEER_TX_ID, peer->tx_id)) 580 576 goto err; 581 577 582 578 if (peer->vpn_addrs.ipv4.s_addr != htonl(INADDR_ANY))
+4
drivers/net/ovpn/peer.c
··· 99 99 if (!peer) 100 100 return ERR_PTR(-ENOMEM); 101 101 102 + /* in the default case TX and RX IDs are the same. 103 + * the user may set a different TX ID via netlink 104 + */ 102 105 peer->id = id; 106 + peer->tx_id = id; 103 107 peer->ovpn = ovpn; 104 108 105 109 peer->vpn_addrs.ipv4.s_addr = htonl(INADDR_ANY);
+3 -1
drivers/net/ovpn/peer.h
··· 21 21 * struct ovpn_peer - the main remote peer object 22 22 * @ovpn: main openvpn instance this peer belongs to 23 23 * @dev_tracker: reference tracker for associated dev 24 - * @id: unique identifier 24 + * @id: unique identifier, used to match incoming packets 25 + * @tx_id: identifier to be used in TX packets 25 26 * @vpn_addrs: IP addresses assigned over the tunnel 26 27 * @vpn_addrs.ipv4: IPv4 assigned to peer on the tunnel 27 28 * @vpn_addrs.ipv6: IPv6 assigned to peer on the tunnel ··· 65 64 struct ovpn_priv *ovpn; 66 65 netdevice_tracker dev_tracker; 67 66 u32 id; 67 + u32 tx_id; 68 68 struct { 69 69 struct in_addr ipv4; 70 70 struct in6_addr ipv6;
+1
include/uapi/linux/ovpn.h
··· 55 55 OVPN_A_PEER_LINK_TX_BYTES, 56 56 OVPN_A_PEER_LINK_RX_PACKETS, 57 57 OVPN_A_PEER_LINK_TX_PACKETS, 58 + OVPN_A_PEER_TX_ID, 58 59 59 60 __OVPN_A_PEER_MAX, 60 61 OVPN_A_PEER_MAX = (__OVPN_A_PEER_MAX - 1)
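Review bot: the Documentation/netlink/specs/ovpn.yaml hunk declares `checks: max: 0xFFFFFF` for the new tx-id attribute, but no generated netlink policy file is part of this diff; if the kernel-side policy is generated from the spec, regenerate it in the same change so that the range check is enforced before `peer->tx_id = nla_get_u32(attrs[OVPN_A_PEER_TX_ID]);` stores the value, otherwise an out-of-range ID reaches ovpn_opcode_compose() unchecked.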
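Review bot: the drivers/net/ovpn/netlink.c hunk after `peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);` only adds an empty line and is unrelated to the TX ID change; drop it to keep the patch minimal.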
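Review bot: drivers/net/ovpn/crypto_aead.c switches only the encrypt path from `peer->id` to `peer->tx_id`; the commit message says the receive side keeps matching on `peer->id`, which is consistent, but the decrypt and lookup code is not in this diff, so confirm that no other caller of ovpn_opcode_compose() still passes `peer->id`, otherwise those packets would carry the wrong ID on an asymmetric link.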
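Review bot: the default relationship between the two IDs is documented only in the drivers/net/ovpn/peer.c comment (`in the default case TX and RX IDs are the same`); the drivers/net/ovpn/peer.h kernel-doc line `@tx_id: identifier to be used in TX packets` should state that it equals @id unless overridden via netlink, since that header is what readers of struct ovpn_peer will consult. Appending OVPN_A_PEER_TX_ID after OVPN_A_PEER_LINK_TX_PACKETS in include/uapi/linux/ovpn.h correctly keeps existing attribute values stable for older userspace.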