summaryrefslogtreecommitdiffhomepage
path: root/src
AgeCommit message (Collapse)Author
2017-10-02debug: add better insert targetJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02peer: remove from RCU lists when the kref is zeroJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02timers: ensure safe timer removalJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02receive: do not consider netfilter drop a real dropJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02peer: ensure that lookup tables are added lastJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02netlink: switch from ioctl to netlink for configurationJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-26receive: mark function staticJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-25queueing: more standard init/uninit namesJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-24tools: use key_is_zero for comparing to zerosJason A. Donenfeld
Maybe an attacker on the system could use the infoleak in /proc to gauge how long a wg(8) process takes to complete and determine the number of leading zeros. This is somewhat ridiculous, but it's possible somebody somewhere might at somepoint care in the future, so alright. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-24config: do not reset device portJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-24timers: convert to use netif_runningJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-24netns: disable rp_filter for final testJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-19queueing: rename cpumask functionJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-19queueing: clean up worthless helperJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-19peer: rearrange structsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-19device: properly arrange structsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-19send: don't take uninitialized lockJason A. Donenfeld
Packets is a local, which means we need to use the functions that don't take a spinlock, since otherwise we'll be using a spinlock in an undefined state. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-19queueing: no need to memzero structJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-19receive: use netif_receive_skb instead of netif_rxJason A. Donenfeld
netif_rx queues things up to a per-cpu backlog, whereas netif_receive_skb immediately delivers the packet to the underlying network device and mostly never fails. In the event where decrypting packets is actually happening faster than the networking subsystem receive them -- like with 65k packets with UDPv6 in `make test-qemu` -- then this backlog fills up and we wind up dropping some packets. This is fine and not all together terrible, but it does raise the question of why we bothered spending CPU cycles decrypting those packets if they were just going to be dropped anyway. So, moving from netif_rx to netif_receive_skb means that whatever time netif_receive_skb needs winds up slowing down the dequeuing of decryption packets, which in turn means the decryption receive queue fills up sooner, so that we drop packets before decryption, rather than after, thus saving precious CPU cycles. Potential downsides of this include not keeping the cache hot, or not inundating the network subsystem with as many packets per second as possible, but in preliminary benchmarks, no difference has yet been observed. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-18version: bump snapshotJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-18compat: support RHEL 7.4Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-18queue: entirely rework parallel systemJason A. Donenfeld
This removes our dependency on padata and moves to a different mode of multiprocessing that is more efficient. This began as Samuel Holland's GSoC project and was gradually reworked/redesigned/rebased into this present commit, which is a combination of his initial contribution and my subsequent rewriting and redesigning. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-16compat: ensure we can build without compat.hJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-16qemu: enable debug info for debug qemuJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-16send: no need to check for NULL since ref is validJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-15timers: styleJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-15routingtable: satisfy sparseJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-15socket: satisfy sparseJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-11device: IFF_NO_QUEUE is a private flag, not a public oneJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-07version: bump snapshotJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-07compat: fix padata to work with 4.13Jason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-23socket: improve reply-to-src algorithmJason A. Donenfeld
We store the destination IP of incoming packets as the source IP of outgoing packets. When we send outgoing packets, we then ask the routing table for which interface to use and which source address, given our inputs of the destination address and a suggested source address. This all is good and fine, since it means we'll successfully reply using the correct source address, correlating with the destination address for incoming packets. However, what happens when default routes change? Or when interface IP addresses change? Prior to this commit, after getting the response from the routing table of the source address, destination address, and interface, we would then make sure that the source address actually belonged to the outbound interface. If it didn't, we'd reset our source address to zero and re-ask the routing table, in which case the routing table would then give us the default IP address for sending that packet. This worked mostly fine for most purposes, but there was a problem: what if WireGuard legitimately accepted an inbound packet on a default interface using an IP of another interface? In this case, falling back to asking for the default source IP was not a good strategy, since it'd nearly always mean we'd fail to reply using the right source. So, this commit changes the algorithm slightly. Rather than falling back to using the default IP if the preferred source IP doesn't belong to the outbound interface, we have two checks: we make sure that the source IP address belongs to _some_ interface on the system, no matter which one (so long as it's within the network namespace), and we check whether or not the interface of an incoming packet matches the returned interface for the outbound traffic. If both these conditions are true, then we proceed with using this source IP address. If not, we fall back to the default IP address. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-10version: bump snapshotJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-08hashtables: if we have an index match, don't search further everJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-08hashtables: allow up to 2^{20} peers per interfaceJason A. Donenfeld
This allows for nearly 1 million peers per interface, which should be more than enough. If needed later, this number could easily be increased beyond this. We also increase the size of the hashtables to accommodate this upper bound. In the future, it might be smart to dynamically expand the hashtable instead of this hard coded compromise value between small systems and large systems. Ongoing work includes figuring out the most optimal scheme for these hashtables and for the insertion to mask their order from timing inference. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-06compat: support grsecurity with our compat padata implementationJason A. Donenfeld
Some SMP kernels don't have PADATA enabled, which means we actually ship our own copy of it, lifted right out of the kernel. This is completely insane and stupid, but so it goes with really grotesque "compat/" layers such as this one. What this amounts to is having to make this upstream file compile on all kernels back to 3.10. Ouch. It also means making it compile with whatever other kernels people are using, such as Grsecurity. This patch _should_ make this part of the compat layer work with Grsecurity, but unfortunately I really have no way of knowing, since I don't actually have access to their source code. I assume, though, if this doesn't work, I'll receive more complaints and will take another stab in the dark. The general situation saddens me, as I really liked that project and wish I could still play with it. Alas. Fortunately this entire problem with padata will go away, anyway, when we stop using padata, and move to a better form of multicore processing. But for now, we add this to work around the issue. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-05timers: do not send out double keepaliveJason A. Donenfeld
It's possible that a persistent keepalive that comes before a normal keepalive will not invalidate the normal keepalive, and then we'll needlessly send two keepalives. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-04noise: infer initiator or not from handshake stateJason A. Donenfeld
Suggested-by: Mathias Hall-Andersen <mathias@hall-andersen.dk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-04timers: rename confusingly named functions and variablesJason A. Donenfeld
Suggested-by: Mathias Hall-Andersen <mathias@hall-andersen.dk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-04receive: move lastminute guard into timer eventJason A. Donenfeld
Suggested-by: Mathias Hall-Andersen <mathias@hall-andersen.dk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-03netns: work around linux 3.10 issuesJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-03netns: explictly test reply to sender routingJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-02routingtable: unbloat BUG()Jason A. Donenfeld
Really isn't necessary. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-02blake2s: satisfy sparseJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-02selftest: more checking in ratelimiterJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-01recieve: pskb_trim already checks lengthJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-01receive: single line if styleJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-28socket: move print function from compatJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-28compat: get rid of warnings on frankenkernelsJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-28recieve: cleanup variable usageJason A. Donenfeld
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>