path: root/src/compat
Age  Commit message  Author

2017-09-18  compat: support RHEL 7.4  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-09-18  queue: entirely rework parallel system  (Jason A. Donenfeld)
    This removes our dependency on padata and moves to a different mode of multiprocessing that is more efficient. This began as Samuel Holland's GSoC project and was gradually reworked/redesigned/rebased into this present commit, which is a combination of his initial contribution and my subsequent rewriting and redesigning.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-09-07  compat: fix padata to work with 4.13  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-08-23  socket: improve reply-to-src algorithm  (Jason A. Donenfeld)
    We store the destination IP of incoming packets as the source IP of outgoing packets. When we send outgoing packets, we then ask the routing table for which interface to use and which source address, given our inputs of the destination address and a suggested source address. This all is good and fine, since it means we'll successfully reply using the correct source address, correlating with the destination address for incoming packets.

    However, what happens when default routes change? Or when interface IP addresses change?

    Prior to this commit, after getting the response from the routing table of the source address, destination address, and interface, we would then make sure that the source address actually belonged to the outbound interface. If it didn't, we'd reset our source address to zero and re-ask the routing table, in which case the routing table would then give us the default IP address for sending that packet.

    This worked mostly fine for most purposes, but there was a problem: what if WireGuard legitimately accepted an inbound packet on a default interface using an IP of another interface? In this case, falling back to asking for the default source IP was not a good strategy, since it'd nearly always mean we'd fail to reply using the right source.

    So, this commit changes the algorithm slightly. Rather than falling back to using the default IP if the preferred source IP doesn't belong to the outbound interface, we have two checks: we make sure that the source IP address belongs to _some_ interface on the system, no matter which one (so long as it's within the network namespace), and we check whether or not the interface of an incoming packet matches the returned interface for the outbound traffic. If both these conditions are true, then we proceed with using this source IP address. If not, we fall back to the default IP address.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

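The two-check rule described in the commit message above, modelled as an added userspace C example. This is not WireGuard's code: the interface table, the interface names and addresses, the SADDR_DEFAULT sentinel and all function names are constructed for illustration, and the routing-table lookup is reduced to the outbound ifindex it would have returned. choose_saddr_old() is the earlier "verify saddr belongs to interface" rule that this commit replaces; choose_saddr_new() is the rule it introduces.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed interface table for one network namespace (illustrative names
 * and addresses, not read from any real system). IPv4 in host byte order;
 * 0 marks an unused address slot. */
#define IP4(a, b, c, d) \
	(((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct iface {
	int ifindex;
	const char *name;
	uint32_t addrs[2];
};

#define IFINDEX_ETH0 1 /* carries the default route */
#define IFINDEX_ETH1 2 /* second uplink with its own address */

static const struct iface example_ifaces[] = {
	{ IFINDEX_ETH0, "eth0", { IP4(192, 0, 2, 10), 0 } },
	{ IFINDEX_ETH1, "eth1", { IP4(198, 51, 100, 10), 0 } },
};
#define EXAMPLE_NIFACES (sizeof(example_ifaces) / sizeof(example_ifaces[0]))

/* Sentinel: zero the source address and let the routing table pick the default. */
#define SADDR_DEFAULT 0u

static bool saddr_on_iface(const struct iface *ifc, uint32_t saddr)
{
	for (size_t i = 0; i < sizeof(ifc->addrs) / sizeof(ifc->addrs[0]); ++i)
		if (ifc->addrs[i] != 0 && ifc->addrs[i] == saddr)
			return true;
	return false;
}

static bool saddr_on_any_iface(const struct iface *ifs, size_t n, uint32_t saddr)
{
	for (size_t i = 0; i < n; ++i)
		if (saddr_on_iface(&ifs[i], saddr))
			return true;
	return false;
}

static const struct iface *iface_by_index(const struct iface *ifs, size_t n, int ifindex)
{
	for (size_t i = 0; i < n; ++i)
		if (ifs[i].ifindex == ifindex)
			return &ifs[i];
	return NULL;
}

/* Rule before this commit: the remembered source address survives only if it
 * belongs to the interface the route lookup returned (routed_oif). */
static uint32_t choose_saddr_old(const struct iface *ifs, size_t n,
				 uint32_t remembered_saddr, int routed_oif)
{
	const struct iface *out = iface_by_index(ifs, n, routed_oif);

	if (remembered_saddr != SADDR_DEFAULT && out && saddr_on_iface(out, remembered_saddr))
		return remembered_saddr;
	return SADDR_DEFAULT;
}

/* Rule after this commit: keep the remembered source address only if it belongs
 * to some interface in the namespace AND the interface the original packet
 * arrived on (incoming_ifindex) is the one the route lookup now returns. */
static uint32_t choose_saddr_new(const struct iface *ifs, size_t n,
				 uint32_t remembered_saddr, int incoming_ifindex,
				 int routed_oif)
{
	if (remembered_saddr != SADDR_DEFAULT &&
	    saddr_on_any_iface(ifs, n, remembered_saddr) &&
	    incoming_ifindex == routed_oif)
		return remembered_saddr;
	return SADDR_DEFAULT;
}

static void print_saddr(uint32_t s)
{
	if (s == SADDR_DEFAULT)
		printf("<default>");
	else
		printf("%u.%u.%u.%u", (unsigned)(s >> 24), (unsigned)((s >> 16) & 0xff),
		       (unsigned)((s >> 8) & 0xff), (unsigned)(s & 0xff));
}

int main(void)
{
	const struct { const char *what; uint32_t saddr; int in, out; } cases[] = {
		{ "packet to eth1's address arrived on eth0; reply routes via eth0",
		  IP4(198, 51, 100, 10), IFINDEX_ETH0, IFINDEX_ETH0 },
		{ "remembered address was removed from every interface",
		  IP4(203, 0, 113, 5), IFINDEX_ETH0, IFINDEX_ETH0 },
		{ "default route moved from eth0 to eth1",
		  IP4(192, 0, 2, 10), IFINDEX_ETH0, IFINDEX_ETH1 },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); ++i) {
		printf("%s\n  old: ", cases[i].what);
		print_saddr(choose_saddr_old(example_ifaces, EXAMPLE_NIFACES, cases[i].saddr, cases[i].out));
		printf("\n  new: ");
		print_saddr(choose_saddr_new(example_ifaces, EXAMPLE_NIFACES, cases[i].saddr, cases[i].in, cases[i].out));
		printf("\n");
	}
	return 0;
}
```

The first case is the one the commit message calls out: the peer's packet arrived on eth0, the default-route interface, but was addressed to eth1's IP. The old rule discards that address and replies from eth0's own, so the reply comes from the wrong source; the new rule keeps it, because it belongs to some interface and the incoming interface matches the route's outbound one. The other two cases show both rules still falling back to the default when the address has disappeared or the route has moved to another interface.
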
2017-08-06  compat: support grsecurity with our compat padata implementation  (Jason A. Donenfeld)
    Some SMP kernels don't have PADATA enabled, which means we actually ship our own copy of it, lifted right out of the kernel. This is completely insane and stupid, but so it goes with really grotesque "compat/" layers such as this one. What this amounts to is having to make this upstream file compile on all kernels back to 3.10. Ouch.

    It also means making it compile with whatever other kernels people are using, such as Grsecurity. This patch _should_ make this part of the compat layer work with Grsecurity, but unfortunately I really have no way of knowing, since I don't actually have access to their source code. I assume, though, if this doesn't work, I'll receive more complaints and will take another stab in the dark.

    The general situation saddens me, as I really liked that project and wish I could still play with it. Alas.

    Fortunately this entire problem with padata will go away, anyway, when we stop using padata, and move to a better form of multicore processing. But for now, we add this to work around the issue.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-07-28  socket: move print function from compat  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-07-28  compat: get rid of warnings on frankenkernels  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-07-27  compat: work around odd kernels that backport kv[mz]alloc  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-07-20  global: use pointer to net_device  (Jason A. Donenfeld)
    DaveM prefers it to be this way per [1].

    [1] http://www.spinics.net/lists/netdev/msg443992.html

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-07-20  device: support 4.13's extack newlink param  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-07-07  compat: work around odd kernels that backport kvfree  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-07-06  device: cleanup register_netdev logic  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-07-04  ratelimiter: use kvzalloc for hash table allocation  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-07-03  compat: workaround Ubuntu 16.10 kernel weirdness  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-07-03  compat: support OpenSUSE's backports  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-06-28  compat: support Ubuntu 14.04  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-06-28  compat: support EL7.3  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-06-28  compat: do not export symbols unnecessarily  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-06-26  device: remove icmp conntrack hacks  (Jason A. Donenfeld)
    This logic belongs upstream.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-06-26  compat: clean up cruft  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-06-26  socket: verify saddr belongs to interface  (Jason A. Donenfeld)
    This helps "unstick" stuck source addresses, when changing routes dynamically.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-06-26  ratelimiter: rewrite from scratch  (Jason A. Donenfeld)
    This not only removes the dependency on x_tables, but it also gives us much better performance and memory usage. Now, systems are able to have millions of WireGuard interfaces, without having to worry about a thundering herd of garbage collection.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-06-12  random: wait for random bytes when generating nonces and ephemerals  (Jason A. Donenfeld)
    We can let userspace configure wireguard interfaces before the RNG is fully initialized, since what we mostly care about is having good randomness for ephemerals and xchacha nonces. By deferring the wait to actually asking for the randomness, we give a lot more opportunity for gathering entropy. This won't cover entropy for hash table secrets or cookie secrets (which rotate anyway), but those have far less catastrophic failure modes, so ensuring good randomness for elliptic curve points and nonces should be sufficient.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-06-08  config: ensure the RNG is initialized before setting  (Jason A. Donenfeld)
    It's possible that get_random_bytes() will return bad randomness if it hasn't been seeded. This patch makes configuration block until the RNG is properly initialized.

    Reference: http://www.openwall.com/lists/kernel-hardening/2017/06/02/2

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

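A userspace illustration of the rule behind these two commits (block until the RNG is seeded, and do so at the point where key material is actually drawn rather than at configuration time), added here as an example and not taken from the WireGuard module. The in-kernel wait is modelled with getrandom(2): with flags == 0 it sleeps until the pool is initialized instead of handing back unseeded bytes, and with GRND_NONBLOCK it fails with EAGAIN in that state. Function names are constructed; the retry loop handles EINTR and short reads, which any caller of getrandom must do.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

/* Block until the kernel pool is initialized, then fill buf. getrandom(2) with
 * flags == 0 never returns unseeded bytes; it sleeps instead. EINTR and short
 * reads (possible for requests above 256 bytes or when a signal arrives) are
 * retried. Returns 0 on success, -1 with errno set on any other failure. */
static int get_random_bytes_wait(void *buf, size_t len)
{
	uint8_t *p = buf;

	while (len > 0) {
		ssize_t n = getrandom(p, len, 0);

		if (n < 0) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		p += n;
		len -= (size_t)n;
	}
	return 0;
}

/* Probe without sleeping: GRND_NONBLOCK makes getrandom fail with EAGAIN while
 * the pool is still uninitialized. Any failure is reported as "not ready". */
static bool rng_is_initialized(void)
{
	uint8_t probe;

	return getrandom(&probe, sizeof(probe), GRND_NONBLOCK) == (ssize_t)sizeof(probe);
}

/* Draw a 24-byte XChaCha20 nonce only once the pool is ready: output from an
 * unseeded RNG can be predictable or repeat across boots, and a repeated nonce
 * under the same key is a catastrophic failure for a stream cipher. This is
 * where the wait happens, not when the interface is configured. */
static int generate_xchacha_nonce(uint8_t nonce[24])
{
	return get_random_bytes_wait(nonce, 24);
}

/* Helper for checking results: true if every byte is zero. */
static bool all_zero(const uint8_t *p, size_t len)
{
	uint8_t acc = 0;

	for (size_t i = 0; i < len; ++i)
		acc |= p[i];
	return acc == 0;
}

int main(void)
{
	uint8_t nonce[24];

	printf("pool initialized before waiting: %s\n", rng_is_initialized() ? "yes" : "no");
	if (generate_xchacha_nonce(nonce) != 0) {
		perror("getrandom");
		return 1;
	}
	printf("nonce: ");
	for (size_t i = 0; i < sizeof(nonce); ++i)
		printf("%02x", nonce[i]);
	printf("\n");
	return 0;
}
```

On a system that booted long ago the probe reports "yes" and the blocking call returns at once; early in boot, or in a fresh VM without a hardware RNG, the probe reports "no" and generate_xchacha_nonce() sleeps until the kernel has gathered enough entropy, which is the behaviour these commits want for ephemerals and nonces.
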
2017-06-01  compat: remove padata hotplug code  (Jason A. Donenfeld)
    It's different on different kernel versions, and we're not using it anyway, so it's easiest to just get rid of it, rather than having another ifdef maze.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-05-31  debug: print interface name in dmesg  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-05-31  compat: remove warning for < 4.1  (Jason A. Donenfeld)
    It still is sort of experimental, I suppose, especially this part in the udp_tunnel drop-in:

        skb_orphan(skb);
        sk_mem_reclaim(sk);

    It seems like sometimes this won't do what we want, but it's hard to diagnose exactly what's happening. In any case, nobody paid attention to that warning anyway, so let's just get rid of it.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-05-30  style: spaces after for loops  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-05-30  compat: ship padata if kernel doesn't have it  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-05-17  compat: remember to call iptunnel_xmit_stats  (Jason A. Donenfeld)
    Upstream's 039f50629b7f860f36644ed1f34b27da9aa62f43 only came in 4.5.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-05-17  compat: use real crypto_memneq  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-05-17  compat: work around ubnt offloading  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-05-04  compat: ssse3 support  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-04-24  compat: use existing iptunnel_xmit function for stats  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-04-21  compat: work on old 3.10  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-04-19  tools: side channel resistant base64  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-04-09  compat: warn on < 4.1  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-04-09  compat: careful with destructors  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-04-09  compat: support 3.10  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-04-09  compat: support 3.12  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-04-09  compat: support 3.14  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-04-09  compat: support 3.16  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-03-27  compat: allow create-patch to work on debian-based builds  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-03-19  blake2s: add AVX implementation  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-03-19  hashtables: get_random_int is now more secure, so expose directly  (Jason A. Donenfeld)
    On 4.11, get_random_u32 now either uses chacha or rdrand, rather than the horrible former MD5 construction, so we feel more comfortable exposing RNG output directly. On older kernels, we fall back to something a bit disgusting.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-02-27  compat: use maybe_unused macro over gcc-specific  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-02-27  data: transition to skb_reset_tc for 4.11  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-02-23  socket: do not try to create v6 socket when disabled  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

2017-02-13  compat: backport siphash & dst_cache from mainline  (Jason A. Donenfeld)
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>