From: Antonio Quartulli <antonio@openvpn.net>
To: netdev@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Donald Hunter <donald.hunter@gmail.com>,
Antonio Quartulli <antonio@openvpn.net>,
Shuah Khan <shuah@kernel.org>,
sd@queasysnail.net, ryazanov.s.a@gmail.com,
Andrew Lunn <andrew+netdev@lunn.ch>
Cc: Simon Horman <horms@kernel.org>,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
Xiao Liang <shaw.leon@gmail.com>
Subject: [PATCH net-next v24 03/23] ovpn: add basic interface creation/destruction/management routines
Date: Tue, 18 Mar 2025 02:40:38 +0100 [thread overview]
Message-ID: <20250318-b4-ovpn-v24-3-3ec4ab5c4a77@openvpn.net> (raw)
In-Reply-To: <20250318-b4-ovpn-v24-0-3ec4ab5c4a77@openvpn.net>
Add basic infrastructure for handling ovpn interfaces.
Tested-by: Donald Hunter <donald.hunter@gmail.com>
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
---
Documentation/netlink/specs/rt_link.yaml | 16 ++++++
drivers/net/ovpn/Makefile | 1 +
drivers/net/ovpn/io.c | 22 +++++++
drivers/net/ovpn/io.h | 24 ++++++++
drivers/net/ovpn/main.c | 99 ++++++++++++++++++++++++++++++--
drivers/net/ovpn/ovpnpriv.h | 7 +++
drivers/net/ovpn/proto.h | 38 ++++++++++++
include/uapi/linux/if_link.h | 15 +++++
8 files changed, 217 insertions(+), 5 deletions(-)
diff --git a/Documentation/netlink/specs/rt_link.yaml b/Documentation/netlink/specs/rt_link.yaml
index 31238455f8e9d29531884cad4951391fa47ccfaf..a50d9d7d882e7e4f9de29b2a4e7acc602972f6b3 100644
--- a/Documentation/netlink/specs/rt_link.yaml
+++ b/Documentation/netlink/specs/rt_link.yaml
@@ -938,6 +938,12 @@ definitions:
entries:
- name: none
- name: default
+ -
+ name: ovpn-mode
+ type: enum
+ entries:
+ - p2p
+ - mp
attribute-sets:
-
@@ -2272,6 +2278,13 @@ attribute-sets:
-
name: tailroom
type: u16
+ -
+ name: linkinfo-ovpn-attrs
+ attributes:
+ -
+ name: mode
+ type: u8
+ enum: ovpn-mode
sub-messages:
-
@@ -2322,6 +2335,9 @@ sub-messages:
-
value: netkit
attribute-set: linkinfo-netkit-attrs
+ -
+ value: ovpn
+ attribute-set: linkinfo-ovpn-attrs
-
name: linkinfo-member-data-msg
formats:
diff --git a/drivers/net/ovpn/Makefile b/drivers/net/ovpn/Makefile
index 75ac62bba02937bc49cb2a0dec5ca3cc31a8ee00..0e5f686672fb5052cee5a2c28797b70859514a7f 100644
--- a/drivers/net/ovpn/Makefile
+++ b/drivers/net/ovpn/Makefile
@@ -8,5 +8,6 @@
obj-$(CONFIG_OVPN) := ovpn.o
ovpn-y += main.o
+ovpn-y += io.o
ovpn-y += netlink.o
ovpn-y += netlink-gen.o
diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c
new file mode 100644
index 0000000000000000000000000000000000000000..4b71c38165d7adbb1a2d1a64d27a13b7f76cfbfe
--- /dev/null
+++ b/drivers/net/ovpn/io.c
@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: GPL-2.0
+/* OpenVPN data channel offload
+ *
+ * Copyright (C) 2019-2025 OpenVPN, Inc.
+ *
+ * Author: James Yonan <james@openvpn.net>
+ * Antonio Quartulli <antonio@openvpn.net>
+ */
+
+#include <linux/netdevice.h>
+#include <linux/skbuff.h>
+
+#include "io.h"
+
+/* Send user data to the network
+ */
+netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev)
+{
+ skb_tx_error(skb);
+ kfree_skb(skb);
+ return NET_XMIT_DROP;
+}
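Review bot: The header comment `Send user data to the network` describes the intended final behaviour, not what ovpn_net_xmit does in this patch: every skb is freed and NET_XMIT_DROP returned, and I don't see the drop accounted anywhere (no tx_dropped increment), so traffic routed into an ovpn interface vanishes without a trace in the interface counters. Until the real TX path lands, a comment such as `/* TX path not implemented yet: drop everything */` would make the stub explicit, and `dev_core_stats_tx_dropped_inc(dev);` before the free would keep the drops visible in the link statistics. As far as I can tell the later patches in this series replace this body, so the accounting point mainly matters for bisectability.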
diff --git a/drivers/net/ovpn/io.h b/drivers/net/ovpn/io.h
new file mode 100644
index 0000000000000000000000000000000000000000..afea5f81f5628dcb9afda9a78974bbf6f2101c13
--- /dev/null
+++ b/drivers/net/ovpn/io.h
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/* OpenVPN data channel offload
+ *
+ * Copyright (C) 2019-2025 OpenVPN, Inc.
+ *
+ * Author: James Yonan <james@openvpn.net>
+ * Antonio Quartulli <antonio@openvpn.net>
+ */
+
+#ifndef _NET_OVPN_OVPN_H_
+#define _NET_OVPN_OVPN_H_
+
+/* DATA_V2 header size with AEAD encryption */
+#define OVPN_HEAD_ROOM (OVPN_OPCODE_SIZE + OVPN_NONCE_WIRE_SIZE + \
+ 16 /* AEAD TAG length */ + \
+ max(sizeof(struct udphdr), sizeof(struct tcphdr)) +\
+ max(sizeof(struct ipv6hdr), sizeof(struct iphdr)))
+
+/* max padding required by encryption */
+#define OVPN_MAX_PADDING 16
+
+netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev);
+
+#endif /* _NET_OVPN_OVPN_H_ */
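Review bot: io.h is not self-contained: OVPN_HEAD_ROOM expands to `max()`, `sizeof(struct udphdr)`, `sizeof(struct tcphdr)`, `sizeof(struct ipv6hdr)`, `sizeof(struct iphdr)`, OVPN_OPCODE_SIZE and OVPN_NONCE_WIRE_SIZE, yet the header includes nothing, so the macro only works because main.c happens to include net/ip.h and proto.h before using it. Either add the needed includes here (the uapi ip/ipv6/udp/tcp headers plus "proto.h") or document the requirement with a comment above the define, e.g. `/* requires proto.h and the ip/ipv6/udp/tcp headers to be included first */`. The guard `_NET_OVPN_OVPN_H_` also does not match the file name io.h and would collide with any future ovpn.h; `_NET_OVPN_IO_H_` is the obvious fix. The bare `16 /* AEAD TAG length */` would be clearer as a named constant next to the nonce sizes in proto.h.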
diff --git a/drivers/net/ovpn/main.c b/drivers/net/ovpn/main.c
index 28133e7e15e74b8a4a937ed03f70d9f83d7a14c8..b19f1406d87d5a1ed45b00133d642b1ad9f4f6f7 100644
--- a/drivers/net/ovpn/main.c
+++ b/drivers/net/ovpn/main.c
@@ -10,14 +10,28 @@
#include <linux/genetlink.h>
#include <linux/module.h>
#include <linux/netdevice.h>
+#include <linux/inetdevice.h>
+#include <net/ip.h>
#include <net/rtnetlink.h>
-#include <uapi/linux/ovpn.h>
+#include <uapi/linux/if_arp.h>
#include "ovpnpriv.h"
#include "main.h"
#include "netlink.h"
+#include "io.h"
+#include "proto.h"
static const struct net_device_ops ovpn_netdev_ops = {
+ .ndo_start_xmit = ovpn_net_xmit,
+};
+
+static const struct device_type ovpn_type = {
+ .name = OVPN_FAMILY_NAME,
+};
+
+static const struct nla_policy ovpn_policy[IFLA_OVPN_MAX + 1] = {
+ [IFLA_OVPN_MODE] = NLA_POLICY_RANGE(NLA_U8, OVPN_MODE_P2P,
+ OVPN_MODE_MP),
};
/**
@@ -31,44 +45,119 @@ bool ovpn_dev_is_valid(const struct net_device *dev)
return dev->netdev_ops == &ovpn_netdev_ops;
}
+static void ovpn_setup(struct net_device *dev)
+{
+ netdev_features_t feat = NETIF_F_SG | NETIF_F_GSO |
+ NETIF_F_GSO_SOFTWARE | NETIF_F_HIGHDMA;
+
+ dev->needs_free_netdev = true;
+
+ dev->pcpu_stat_type = NETDEV_PCPU_STAT_TSTATS;
+
+ dev->netdev_ops = &ovpn_netdev_ops;
+
+ dev->hard_header_len = 0;
+ dev->addr_len = 0;
+ dev->mtu = ETH_DATA_LEN - OVPN_HEAD_ROOM;
+ dev->min_mtu = IPV4_MIN_MTU;
+ dev->max_mtu = IP_MAX_MTU - OVPN_HEAD_ROOM;
+
+ dev->type = ARPHRD_NONE;
+ dev->flags = IFF_POINTOPOINT | IFF_NOARP;
+ dev->priv_flags |= IFF_NO_QUEUE;
+
+ dev->lltx = true;
+ dev->features |= feat;
+ dev->hw_features |= feat;
+ dev->hw_enc_features |= feat;
+
+ dev->needed_headroom = ALIGN(OVPN_HEAD_ROOM, 4);
+ dev->needed_tailroom = OVPN_MAX_PADDING;
+
+ SET_NETDEV_DEVTYPE(dev, &ovpn_type);
+}
+
static int ovpn_newlink(struct net_device *dev,
struct rtnl_newlink_params *params,
struct netlink_ext_ack *extack)
{
- return -EOPNOTSUPP;
+ struct ovpn_priv *ovpn = netdev_priv(dev);
+ struct nlattr **data = params->data;
+ enum ovpn_mode mode = OVPN_MODE_P2P;
+
+ if (data && data[IFLA_OVPN_MODE]) {
+ mode = nla_get_u8(data[IFLA_OVPN_MODE]);
+ netdev_dbg(dev, "setting device mode: %u\n", mode);
+ }
+
+ ovpn->dev = dev;
+ ovpn->mode = mode;
+
+ /* turn carrier explicitly off after registration, this way state is
+ * clearly defined
+ */
+ netif_carrier_off(dev);
+
+ return register_netdevice(dev);
+}
+
+static int ovpn_fill_info(struct sk_buff *skb, const struct net_device *dev)
+{
+ struct ovpn_priv *ovpn = netdev_priv(dev);
+
+ if (nla_put_u8(skb, IFLA_OVPN_MODE, ovpn->mode))
+ return -EMSGSIZE;
+
+ return 0;
}
static struct rtnl_link_ops ovpn_link_ops = {
.kind = "ovpn",
.netns_refund = false,
+ .priv_size = sizeof(struct ovpn_priv),
+ .setup = ovpn_setup,
+ .policy = ovpn_policy,
+ .maxtype = IFLA_OVPN_MAX,
.newlink = ovpn_newlink,
.dellink = unregister_netdevice_queue,
+ .fill_info = ovpn_fill_info,
};
static int ovpn_netdev_notifier_call(struct notifier_block *nb,
unsigned long state, void *ptr)
{
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+ struct ovpn_priv *ovpn;
if (!ovpn_dev_is_valid(dev))
return NOTIFY_DONE;
+ ovpn = netdev_priv(dev);
+
switch (state) {
case NETDEV_REGISTER:
- /* add device to internal list for later destruction upon
- * unregistration
- */
+ ovpn->registered = true;
break;
case NETDEV_UNREGISTER:
+ /* twiddle thumbs on netns device moves */
+ if (dev->reg_state != NETREG_UNREGISTERING)
+ break;
+
/* can be delivered multiple times, so check registered flag,
* then destroy the interface
*/
+ if (!ovpn->registered)
+ return NOTIFY_DONE;
+
+ netif_carrier_off(dev);
+ ovpn->registered = false;
break;
case NETDEV_POST_INIT:
case NETDEV_GOING_DOWN:
case NETDEV_DOWN:
case NETDEV_UP:
case NETDEV_PRE_UP:
+ break;
default:
return NOTIFY_DONE;
}
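Review bot: `ovpn->mode` is written once in ovpn_newlink before register_netdevice() and then read without any lock in ovpn_fill_info; that is fine as long as nothing ever changes it afterwards, but nothing says so. A comment on the assignment, e.g. `/* mode is fixed for the lifetime of the device: set once here, read lockless elsewhere */`, would protect that invariant, and ovpn_setup could use a short kernel-doc header stating that it configures a point-to-point, NOARP, queueless L3 device with headroom/tailroom sized for the DATA_V2 AEAD framing. It would also help to note at `enum ovpn_mode mode = OVPN_MODE_P2P;` that P2P is the default when IFLA_OVPN_MODE is absent, since that becomes user-visible behaviour. The hunk starts inside ovpn_dev_is_valid and ovpn_netdev_notifier_call continues past its end.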
diff --git a/drivers/net/ovpn/ovpnpriv.h b/drivers/net/ovpn/ovpnpriv.h
index f9322536b06d6baa5524de57cd7d69f5ecbbd194..33c2a41edf9b3204e8aebd2679649cb7158f05f2 100644
--- a/drivers/net/ovpn/ovpnpriv.h
+++ b/drivers/net/ovpn/ovpnpriv.h
@@ -10,12 +10,19 @@
#ifndef _NET_OVPN_OVPNSTRUCT_H_
#define _NET_OVPN_OVPNSTRUCT_H_
+#include <uapi/linux/if_link.h>
+#include <uapi/linux/ovpn.h>
+
/**
* struct ovpn_priv - per ovpn interface state
* @dev: the actual netdev representing the tunnel
+ * @registered: whether dev is still registered with netdev or not
+ * @mode: device operation mode (i.e. p2p, mp, ..)
*/
struct ovpn_priv {
struct net_device *dev;
+ bool registered;
+ enum ovpn_mode mode;
};
#endif /* _NET_OVPN_OVPNSTRUCT_H_ */
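Review bot: The new `registered` flag is toggled from NETDEV_REGISTER/NETDEV_UNREGISTER in ovpn_netdev_notifier_call and, as far as I can tell, only there, which means it is serialised by RTNL rather than by any lock of its own; the kernel-doc line should say so, e.g. `@registered: whether dev is still registered with netdev or not (only touched from the netdev notifier, under RTNL)`, so that a future reader does not start reading it from the data path.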
diff --git a/drivers/net/ovpn/proto.h b/drivers/net/ovpn/proto.h
new file mode 100644
index 0000000000000000000000000000000000000000..5f95a78bebd3702868ffeeab3ea4938e957d568c
--- /dev/null
+++ b/drivers/net/ovpn/proto.h
@@ -0,0 +1,38 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/* OpenVPN data channel offload
+ *
+ * Copyright (C) 2020-2025 OpenVPN, Inc.
+ *
+ * Author: Antonio Quartulli <antonio@openvpn.net>
+ * James Yonan <james@openvpn.net>
+ */
+
+#ifndef _NET_OVPN_PROTO_H_
+#define _NET_OVPN_PROTO_H_
+
+/* When the OpenVPN protocol is ran in AEAD mode, use
+ * the OpenVPN packet ID as the AEAD nonce:
+ *
+ * 00000005 521c3b01 4308c041
+ * [seq # ] [ nonce_tail ]
+ * [ 12-byte full IV ] -> OVPN_NONCE_SIZE
+ * [4-bytes -> OVPN_NONCE_WIRE_SIZE
+ * on wire]
+ */
+
+/* nonce size (96bits) as required by AEAD ciphers */
+#define OVPN_NONCE_SIZE 12
+/* last 8 bytes of AEAD nonce: provided by userspace and usually derived
+ * from key material generated during TLS handshake
+ */
+#define OVPN_NONCE_TAIL_SIZE 8
+
+/* OpenVPN nonce size reduced by 8-byte nonce tail -- this is the
+ * size of the AEAD Associated Data (AD) sent over the wire
+ * and is normally the head of the IV
+ */
+#define OVPN_NONCE_WIRE_SIZE (OVPN_NONCE_SIZE - OVPN_NONCE_TAIL_SIZE)
+
+#define OVPN_OPCODE_SIZE 4 /* DATA_V2 opcode size */
+
+#endif /* _NET_OVPN_PROTO_H_ */
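Review bot: The nonce layout comment documents the structure but not the security consequence that follows from it: with only the 4-byte sequence number varying on the wire and the 8-byte tail fixed per key, nonce uniqueness under one key is bounded by the 32-bit counter, so a key must be retired before the counter wraps (which is what the later "IV exhaustion" patch in this series appears to enforce). A sentence next to OVPN_NONCE_WIRE_SIZE such as `/* the 32-bit seq # is the only per-packet part of the nonce: a key must be replaced before it wraps, nonce reuse breaks AEAD security */` would tie the two together. Minor wording in the same comment: `is ran` should be `is run`.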
diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index 318386cc5b0d19ed6a37734feffb450353dd9440..3ad2d5d9803479a10a6b2cfab2df98ce0f823926 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -1986,4 +1986,19 @@ enum {
#define IFLA_DSA_MAX (__IFLA_DSA_MAX - 1)
+/* OVPN section */
+
+enum ovpn_mode {
+ OVPN_MODE_P2P,
+ OVPN_MODE_MP,
+};
+
+enum {
+ IFLA_OVPN_UNSPEC,
+ IFLA_OVPN_MODE,
+ __IFLA_OVPN_MAX,
+};
+
+#define IFLA_OVPN_MAX (__IFLA_OVPN_MAX - 1)
+
#endif /* _UAPI_LINUX_IF_LINK_H */
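Review bot: `enum ovpn_mode` is now UAPI and its numeric values are ABI, while the driver's ovpn_policy in main.c validates IFLA_OVPN_MODE with a hard-coded NLA_POLICY_RANGE(OVPN_MODE_P2P, OVPN_MODE_MP); a new mode appended here would be rejected by the kernel until that range is updated. A kernel-doc block on the enum (`@OVPN_MODE_P2P: single remote peer`, `@OVPN_MODE_MP: multiple remote peers`, plus a note that the accepted range is mirrored in the driver's netlink policy) would document both the values and the coupling.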
--
2.48.1