Diffstat (limited to 'src')
-rw-r--r-- | src/messages.h | 2 | ||||
-rw-r--r-- | src/queueing.h | 10 | ||||
-rw-r--r-- | src/receive.c | 2 | ||||
-rw-r--r-- | src/send.c | 7 |
4 files changed, 17 insertions, 4 deletions
diff --git a/src/messages.h b/src/messages.h index f415cdd..1d1ed18 100644 --- a/src/messages.h +++ b/src/messages.h @@ -32,7 +32,7 @@ enum cookie_values { }; enum counter_values { - COUNTER_BITS_TOTAL = 2048, + COUNTER_BITS_TOTAL = 8192, COUNTER_REDUNDANT_BITS = BITS_PER_LONG, COUNTER_WINDOW_SIZE = COUNTER_BITS_TOTAL - COUNTER_REDUNDANT_BITS }; diff --git a/src/queueing.h b/src/queueing.h index fe6e5c9..ebad8d2 100644 --- a/src/queueing.h +++ b/src/queueing.h @@ -87,15 +87,23 @@ static inline bool wg_check_packet_protocol(struct sk_buff *skb) return real_protocol && skb->protocol == real_protocol; } -static inline void wg_reset_packet(struct sk_buff *skb) +static inline void wg_reset_packet(struct sk_buff *skb, bool encapsulating) { const int pfmemalloc = skb->pfmemalloc; + u8 l4_hash = skb->l4_hash; + u8 sw_hash = skb->sw_hash; + u32 hash = skb->hash; skb_scrub_packet(skb, true); memset(&skb->headers_start, 0, offsetof(struct sk_buff, headers_end) - offsetof(struct sk_buff, headers_start)); skb->pfmemalloc = pfmemalloc; + if (encapsulating) { + skb->l4_hash = l4_hash; + skb->sw_hash = sw_hash; + skb->hash = hash; + } skb->queue_mapping = 0; skb->nohdr = 0; skb->peeked = 0; diff --git a/src/receive.c b/src/receive.c index c60d2ff..4585e7c 100644 --- a/src/receive.c +++ b/src/receive.c @@ -488,7 +488,7 @@ int wg_packet_rx_poll(struct napi_struct *napi, int budget) if (unlikely(wg_socket_endpoint_from_skb(&endpoint, skb))) goto next; - wg_reset_packet(skb); + wg_reset_packet(skb, false); wg_packet_consume_data_done(peer, skb, &endpoint); free = false; @@ -169,6 +169,11 @@ static bool encrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair, struct sk_buff *trailer; int num_frags; + /* Force hash calculation before encryption so that flow analysis is + * consistent over the inner packet. + */ + skb_get_hash(skb); + /* Calculate lengths. */ padding_len = calculate_skb_padding(skb); trailer_len = padding_len + noise_encrypted_len(0); 
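Review bot: `COUNTER_BITS_TOTAL` in `enum counter_values` goes from 2048 to 8192 with no comment giving the reason or the constraints on the value. `COUNTER_WINDOW_SIZE` is derived from it two lines below, so this widens the window of counters still accepted behind the newest one. The per-keypair replay state presumably grows with it too; that lives outside this hunk and should be confirmed against whatever is sized by the constant. I would add a comment above the constant such as `/* Replay window in bits: larger tolerates more reordering, at the cost of more per-keypair state. */`.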
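Review bot: The restore in the `if (encapsulating)` branch of `wg_reset_packet` only carries a meaningful value if the hash was computed before the call, and nothing in the function says so. In this commit that precondition is met by the `skb_get_hash(skb)` call added to `encrypt_packet` in the send.c hunk, so the two changes depend on each other silently. I would add a comment above the branch, e.g. `/* Keep the inner-packet flow hash across the scrub; caller must have run skb_get_hash() before encrypting. */`. The same comment should say that this is the only state deliberately allowed to survive the reset on the transmit path. The function body continues past the end of the hunk.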
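Review bot: The comment added above `skb_get_hash(skb)` in `encrypt_packet` does not say who consumes the hash or that it stays on the encrypted packet. Because `wg_reset_packet(skb, true)` preserves it, anything downstream keyed on `skb->hash` (presumably queue selection or per-flow scheduling) will treat tunnel packets according to their inner flow. The ordering and timing of the encrypted traffic may therefore reflect inner-flow structure. That looks like the intended trade-off, but the comment should record it, e.g. `/* Hash the inner flow now; wg_reset_packet(skb, true) keeps it on the encrypted packet, so queueing sees inner flows. */`. The function continues outside the hunk.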
@@ -301,7 +306,7 @@ void wg_packet_encrypt_worker(struct work_struct *work) if (likely(encrypt_packet(skb, PACKET_CB(first)->keypair, &simd_context))) { - wg_reset_packet(skb); + wg_reset_packet(skb, true); } else { state = PACKET_STATE_DEAD; break; |