netdev.vger.kernel.org archive mirror
From: Antonio Quartulli <antonio@openvpn.net>
To: netdev@vger.kernel.org
Cc: Jakub Kicinski <kuba@kernel.org>,
	Sergey Ryazanov <ryazanov.s.a@gmail.com>,
	Antonio Quartulli <antonio@openvpn.net>
Subject: [PATCH net-next 0/1] Introducing OpenVPN Data Channel Offload
Date: Sat,  6 Jan 2024 22:57:39 +0100	[thread overview]
Message-ID: <20240106215740.14770-1-antonio@openvpn.net> (raw)

Hi all!

After several months of work, I am finally sending a new version of the
OpenVPN Data Channel Offload kernel module (aka `ovpn`) for official review.

The OpenVPN community has long been interested in moving the fast path
to kernel space. `ovpn` finally helps achieve this goal.

`ovpn` is essentially a device driver that allows creating a virtual
network interface to handle the OpenVPN data channel. Any traffic
entering the interface is encrypted, encapsulated and sent to the
appropriate destination.

`ovpn` requires OpenVPN in userspace to run alongside it in order to be
properly configured and maintained during its life cycle.

The `ovpn` interface can be created/destroyed and then configured via
the Netlink API.

Specifically OpenVPN in userspace will:
* create the `ovpn` interface
* establish the connection with one or more peers
* perform TLS handshake and negotiate any protocol parameter
* configure the `ovpn` interface with peer data (ip/port, keys, etc.)
* handle any subsequent control channel communication

I'd like to point out that the control channel is fully handled in userspace.
The idea is to keep the `ovpn` kernel module as simple as possible and
let userspace handle all the non-data (non-fast-path) features.

NOTE: some of you may already know `ovpn-dco` the out-of-tree predecessor
of `ovpn`. However, be aware that the two are not API compatible and
therefore OpenVPN 2.6 will not work with this new `ovpn` module.
More adjustments are required.

If you want to test the `ovpn` kernel module, for the time being you can
use the testing tool `ovpn-cli` available here:
https://github.com/OpenVPN/ovpn-dco/tree/master/tests

The `ovpn` code can also be built as out-of-tree module and its code is
available here https://github.com/OpenVPN/ovpn-dco (currently in the dev
branch).

For more technical details please refer to the actual patch commit message.

Please note that the patch also touches a few files outside of the
ovpn-dco folder.
Specifically it adds a new macro named NLA_POLICY_MAX_LEN to net/netlink.h
and also adds a new constant named UDP_ENCAP_OVPNINUDP to linux/udp.h.

I tend to agree that a single large patch is harder to review, but
splitting the code into several patches proved to be quite cumbersome,
therefore I preferred not to do it. I believe the code can still be
reviewed file by file, despite being in the same patch.

** KNOWN ISSUE:
Upon module unloading something is not torn down correctly and sometimes
new packets hit dangling netdev pointers. This problem did not exist
when the RTNL API was implemented (before interface handling was moved
to Netlink). I was hoping to get some feedback from the netdev community
on anything that may look wrong.


Any comment, concern or statement will be appreciated!
Thanks a lot!!

Best Regards,

Antonio Quartulli
OpenVPN Inc.

---

Antonio Quartulli (1):
  net: introduce OpenVPN Data Channel Offload (ovpn)

 MAINTAINERS                    |    8 +
 drivers/net/Kconfig            |   13 +
 drivers/net/Makefile           |    1 +
 drivers/net/ovpn/Makefile      |   21 +
 drivers/net/ovpn/addr.h        |   41 ++
 drivers/net/ovpn/bind.c        |   62 ++
 drivers/net/ovpn/bind.h        |   69 ++
 drivers/net/ovpn/crypto.c      |  154 +++++
 drivers/net/ovpn/crypto.h      |  144 +++++
 drivers/net/ovpn/crypto_aead.c |  367 +++++++++++
 drivers/net/ovpn/crypto_aead.h |   27 +
 drivers/net/ovpn/io.c          |  579 +++++++++++++++++
 drivers/net/ovpn/io.h          |   43 ++
 drivers/net/ovpn/main.c        |  307 +++++++++
 drivers/net/ovpn/main.h        |   39 ++
 drivers/net/ovpn/netlink.c     | 1072 ++++++++++++++++++++++++++++++++
 drivers/net/ovpn/netlink.h     |   23 +
 drivers/net/ovpn/ovpnstruct.h  |   65 ++
 drivers/net/ovpn/peer.c        |  928 +++++++++++++++++++++++++++
 drivers/net/ovpn/peer.h        |  175 ++++++
 drivers/net/ovpn/pktid.c       |  127 ++++
 drivers/net/ovpn/pktid.h       |  116 ++++
 drivers/net/ovpn/proto.h       |  101 +++
 drivers/net/ovpn/rcu.h         |   20 +
 drivers/net/ovpn/skb.h         |   51 ++
 drivers/net/ovpn/sock.c        |  144 +++++
 drivers/net/ovpn/sock.h        |   59 ++
 drivers/net/ovpn/stats.c       |   20 +
 drivers/net/ovpn/stats.h       |   67 ++
 drivers/net/ovpn/tcp.c         |  473 ++++++++++++++
 drivers/net/ovpn/tcp.h         |   41 ++
 drivers/net/ovpn/udp.c         |  357 +++++++++++
 drivers/net/ovpn/udp.h         |   25 +
 include/uapi/linux/ovpn.h      |  174 ++++++
 include/uapi/linux/udp.h       |    1 +
 35 files changed, 5914 insertions(+)
 create mode 100644 drivers/net/ovpn/Makefile
 create mode 100644 drivers/net/ovpn/addr.h
 create mode 100644 drivers/net/ovpn/bind.c
 create mode 100644 drivers/net/ovpn/bind.h
 create mode 100644 drivers/net/ovpn/crypto.c
 create mode 100644 drivers/net/ovpn/crypto.h
 create mode 100644 drivers/net/ovpn/crypto_aead.c
 create mode 100644 drivers/net/ovpn/crypto_aead.h
 create mode 100644 drivers/net/ovpn/io.c
 create mode 100644 drivers/net/ovpn/io.h
 create mode 100644 drivers/net/ovpn/main.c
 create mode 100644 drivers/net/ovpn/main.h
 create mode 100644 drivers/net/ovpn/netlink.c
 create mode 100644 drivers/net/ovpn/netlink.h
 create mode 100644 drivers/net/ovpn/ovpnstruct.h
 create mode 100644 drivers/net/ovpn/peer.c
 create mode 100644 drivers/net/ovpn/peer.h
 create mode 100644 drivers/net/ovpn/pktid.c
 create mode 100644 drivers/net/ovpn/pktid.h
 create mode 100644 drivers/net/ovpn/proto.h
 create mode 100644 drivers/net/ovpn/rcu.h
 create mode 100644 drivers/net/ovpn/skb.h
 create mode 100644 drivers/net/ovpn/sock.c
 create mode 100644 drivers/net/ovpn/sock.h
 create mode 100644 drivers/net/ovpn/stats.c
 create mode 100644 drivers/net/ovpn/stats.h
 create mode 100644 drivers/net/ovpn/tcp.c
 create mode 100644 drivers/net/ovpn/tcp.h
 create mode 100644 drivers/net/ovpn/udp.c
 create mode 100644 drivers/net/ovpn/udp.h
 create mode 100644 include/uapi/linux/ovpn.h

-- 
2.41.0
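The cover letter above says the `ovpn` interface is created and configured by userspace OpenVPN over the Netlink API, and names `ovpn-cli` as the test tool. The following is an added example, not code from the patch or from the OpenVPN project: a small userspace check that asks the generic netlink controller whether a family is registered, which is the first step any Netlink-based configuration tool performs and a quick way to confirm the module is loaded before attempting to configure it. The family name `"ovpn"` is an assumption (the mail only names the module and `include/uapi/linux/ovpn.h`, not the genetlink family string); the request/reply layout is the standard `CTRL_CMD_GETFAMILY` exchange from `<linux/genetlink.h>`, not anything specific to `ovpn`. It builds on Linux with the kernel UAPI headers installed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/genetlink.h>

/* ASSUMPTION: the genetlink family is registered under the module name.
 * The cover letter does not state the family string; adjust if it differs. */
#define OVPN_FAMILY_NAME "ovpn"

/* Build a CTRL_CMD_GETFAMILY request for `name` into buf.
 * Returns the number of bytes written, or 0 if buf is too small. */
size_t build_getfamily_request(const char *name, unsigned char *buf, size_t cap)
{
    size_t name_len = strlen(name) + 1; /* NLA_STRING is NUL-terminated */
    size_t total = NLMSG_SPACE(GENL_HDRLEN + NLA_HDRLEN + NLA_ALIGN(name_len));
    if (total > cap)
        return 0;
    memset(buf, 0, total);

    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_len = (uint32_t)total;
    nlh->nlmsg_type = GENL_ID_CTRL;      /* talk to the genetlink controller */
    nlh->nlmsg_flags = NLM_F_REQUEST;
    nlh->nlmsg_seq = 1;

    struct genlmsghdr *gnlh = (struct genlmsghdr *)NLMSG_DATA(nlh);
    gnlh->cmd = CTRL_CMD_GETFAMILY;
    gnlh->version = 1;

    struct nlattr *nla = (struct nlattr *)((unsigned char *)gnlh + GENL_HDRLEN);
    nla->nla_type = CTRL_ATTR_FAMILY_NAME;
    nla->nla_len = (uint16_t)(NLA_HDRLEN + name_len); /* unpadded length */
    memcpy((unsigned char *)nla + NLA_HDRLEN, name, name_len);
    return total;
}

/* Walk the attributes of a controller reply and pull out CTRL_ATTR_FAMILY_ID.
 * Returns 0 on success, -ENOENT if the kernel answered with NLMSG_ERROR
 * (family not registered) or the attribute is missing, -EINVAL if the
 * message is truncated or an attribute length runs past the buffer. */
int parse_getfamily_reply(const unsigned char *buf, size_t len, uint16_t *family_id)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    if (len < sizeof(*nlh) || !NLMSG_OK(nlh, (int)len))
        return -EINVAL;
    if (nlh->nlmsg_type == NLMSG_ERROR)
        return -ENOENT;
    if (nlh->nlmsg_type != GENL_ID_CTRL)
        return -EINVAL;

    size_t payload_len = nlh->nlmsg_len - NLMSG_HDRLEN;
    if (payload_len < GENL_HDRLEN)
        return -EINVAL;

    const unsigned char *p = (const unsigned char *)NLMSG_DATA(nlh) + GENL_HDRLEN;
    size_t remaining = payload_len - GENL_HDRLEN;
    while (remaining >= NLA_HDRLEN) {
        const struct nlattr *nla = (const struct nlattr *)p;
        if (nla->nla_len < NLA_HDRLEN || nla->nla_len > remaining)
            return -EINVAL; /* never trust nla_len without bounding it */
        if ((nla->nla_type & NLA_TYPE_MASK) == CTRL_ATTR_FAMILY_ID &&
            nla->nla_len - NLA_HDRLEN >= sizeof(uint16_t)) {
            memcpy(family_id, p + NLA_HDRLEN, sizeof(uint16_t));
            return 0;
        }
        size_t step = NLA_ALIGN(nla->nla_len);
        if (step > remaining)
            break;
        p += step;
        remaining -= step;
    }
    return -ENOENT;
}

int main(void)
{
    unsigned char req[64] __attribute__((aligned(4)));
    unsigned char resp[4096] __attribute__((aligned(4)));
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (fd < 0) { perror("socket"); return 1; }

    size_t n = build_getfamily_request(OVPN_FAMILY_NAME, req, sizeof req);
    if (send(fd, req, n, 0) < 0) { perror("send"); close(fd); return 1; }
    ssize_t r = recv(fd, resp, sizeof resp, 0);
    if (r < 0) { perror("recv"); close(fd); return 1; }
    close(fd);

    uint16_t id = 0;
    int rc = parse_getfamily_reply(resp, (size_t)r, &id);
    if (rc == 0)
        printf("genetlink family \"%s\" registered with id %u\n", OVPN_FAMILY_NAME, id);
    else if (rc == -ENOENT)
        printf("family \"%s\" not found: is the ovpn module loaded?\n", OVPN_FAMILY_NAME);
    else
        printf("malformed reply from kernel\n");
    return rc == 0 ? 0 : 1;
}
```

The resolved family id is what a real configuration tool puts in `nlmsg_type` for every subsequent `ovpn` command; the bounds checks in the parser are the same ones a tool must apply to every attribute it reads back from the kernel, since a malformed or truncated reply should fail closed rather than be read past its end.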


Thread overview: 8+ messages
2024-01-06 21:57 Antonio Quartulli [this message]
2024-01-06 21:57 ` [PATCH net-next 1/1] net: introduce OpenVPN Data Channel Offload (ovpn) Antonio Quartulli
2024-01-07  9:38   ` kernel test robot
2024-01-07 13:54   ` kernel test robot
2024-01-07 15:42   ` kernel test robot
2024-01-06 22:29 ` [PATCH net-next 0/1] Introducing OpenVPN Data Channel Offload Sergey Ryazanov
2024-01-07 23:32   ` Antonio Quartulli
2024-01-08  1:42     ` Sergey Ryazanov