From: Antonio Quartulli <antonio@openvpn.net>
To: netdev@vger.kernel.org
Cc: kuba@kernel.org, ryazanov.s.a@gmail.com, pabeni@redhat.com,
edumazet@google.com, andrew@lunn.ch, sd@queasysnail.net,
Antonio Quartulli <antonio@openvpn.net>
Subject: [PATCH net-next v4 19/25] ovpn: add support for peer floating
Date: Mon, 24 Jun 2024 13:31:16 +0200 [thread overview]
Message-ID: <20240624113122.12732-20-antonio@openvpn.net> (raw)
In-Reply-To: <20240624113122.12732-1-antonio@openvpn.net>
A peer connected via UDP may change its IP address without reconnecting
(float).
Add support for detecting and updating the new peer IP/port in case of
floating.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
---
drivers/net/ovpn/io.c | 4 ++
drivers/net/ovpn/peer.c | 114 ++++++++++++++++++++++++++++++++++++++--
drivers/net/ovpn/peer.h | 2 +
3 files changed, 117 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c
index 9188afe0f47e..4c6a50f3f0d0 100644
--- a/drivers/net/ovpn/io.c
+++ b/drivers/net/ovpn/io.c
@@ -120,6 +120,10 @@ void ovpn_decrypt_post(struct sk_buff *skb, int ret)
ovpn_peer_keepalive_recv_reset(peer);
if (peer->sock->sock->sk->sk_protocol == IPPROTO_UDP) {
+ /* check if this peer changed it's IP address and update
+ * state
+ */
+ ovpn_peer_float(peer, skb);
/* update source endpoint for this peer */
ovpn_peer_update_local_endpoint(peer, skb);
}
diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c
index ec3064438753..c07d148c52b4 100644
--- a/drivers/net/ovpn/peer.c
+++ b/drivers/net/ovpn/peer.c
@@ -126,6 +126,117 @@ struct ovpn_peer *ovpn_peer_new(struct ovpn_struct *ovpn, u32 id)
return peer;
}
+/**
+ * ovpn_peer_reset_sockaddr - recreate binding for peer
+ * @peer: peer to recreate the binding for
+ * @ss: sockaddr to use as remote endpoint for the binding
+ * @local_ip: local IP for the binding
+ *
+ * Return: 0 on success or a negative error code otherwise
+ */
+static int ovpn_peer_reset_sockaddr(struct ovpn_peer *peer,
+ const struct sockaddr_storage *ss,
+ const u8 *local_ip)
+{
+ struct ovpn_bind *bind;
+ size_t ip_len;
+
+ /* create new ovpn_bind object */
+ bind = ovpn_bind_from_sockaddr(ss);
+ if (IS_ERR(bind))
+ return PTR_ERR(bind);
+
+ if (local_ip) {
+ if (ss->ss_family == AF_INET) {
+ ip_len = sizeof(struct in_addr);
+ } else if (ss->ss_family == AF_INET6) {
+ ip_len = sizeof(struct in6_addr);
+ } else {
+ netdev_dbg(peer->ovpn->dev, "%s: invalid family for remote endpoint\n",
+ __func__);
+ kfree(bind);
+ return -EINVAL;
+ }
+
+ memcpy(&bind->local, local_ip, ip_len);
+ }
+
+ /* set binding */
+ ovpn_bind_reset(peer, bind);
+
+ return 0;
+}
+
+#define ovpn_get_hash_head(_tbl, _key, _key_len) \
+ (&(_tbl)[jhash(_key, _key_len, 0) % HASH_SIZE(_tbl)]) \
+
+/**
+ * ovpn_peer_float - update remote endpoint for peer
+ * @peer: peer to update the remote endpoint for
+ * @skb: incoming packet to retrieve the source address (remote) from
+ */
+void ovpn_peer_float(struct ovpn_peer *peer, struct sk_buff *skb)
+{
+ struct sockaddr_storage ss;
+ const u8 *local_ip = NULL;
+ struct sockaddr_in6 *sa6;
+ struct sockaddr_in *sa;
+ struct ovpn_bind *bind;
+ sa_family_t family;
+ size_t salen;
+
+ rcu_read_lock();
+ bind = rcu_dereference(peer->bind);
+ if (unlikely(!bind))
+ goto unlock;
+
+ if (likely(ovpn_bind_skb_src_match(bind, skb)))
+ goto unlock;
+
+ family = skb_protocol_to_family(skb);
+
+ if (bind->sa.in4.sin_family == family)
+ local_ip = (u8 *)&bind->local;
+
+ switch (family) {
+ case AF_INET:
+ sa = (struct sockaddr_in *)&ss;
+ sa->sin_family = AF_INET;
+ sa->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ sa->sin_port = udp_hdr(skb)->source;
+ salen = sizeof(*sa);
+ break;
+ case AF_INET6:
+ sa6 = (struct sockaddr_in6 *)&ss;
+ sa6->sin6_family = AF_INET6;
+ sa6->sin6_addr = ipv6_hdr(skb)->saddr;
+ sa6->sin6_port = udp_hdr(skb)->source;
+ sa6->sin6_scope_id = ipv6_iface_scope_id(&ipv6_hdr(skb)->saddr,
+ skb->skb_iif);
+ salen = sizeof(*sa6);
+ break;
+ default:
+ goto unlock;
+ }
+
+ netdev_dbg(peer->ovpn->dev, "%s: peer %d floated to %pIScp", __func__,
+ peer->id, &ss);
+ ovpn_peer_reset_sockaddr(peer, (struct sockaddr_storage *)&ss,
+ local_ip);
+
+ spin_lock_bh(&peer->ovpn->peers->lock);
+ /* remove old hashing */
+ hlist_del_init_rcu(&peer->hash_entry_transp_addr);
+ /* re-add with new transport address */
+ hlist_add_head_rcu(&peer->hash_entry_transp_addr,
+ ovpn_get_hash_head(peer->ovpn->peers->by_transp_addr,
+ &ss, salen));
+ spin_unlock_bh(&peer->ovpn->peers->lock);
+
+unlock:
+ rcu_read_unlock();
+}
+
/**
* ovpn_peer_timer_delete_all - killall keepalive timers
* @peer: peer for which timers should be killed
@@ -231,9 +342,6 @@ static struct in6_addr ovpn_nexthop_from_skb6(struct sk_buff *skb)
return rt->rt6i_gateway;
}
-#define ovpn_get_hash_head(_tbl, _key, _key_len) \
- (&(_tbl)[jhash(_key, _key_len, 0) % HASH_SIZE(_tbl)]) \
-
/**
* ovpn_peer_get_by_vpn_addr4 - retrieve peer by its VPN IPv4 address
* @ovpn: the openvpn instance to search
diff --git a/drivers/net/ovpn/peer.h b/drivers/net/ovpn/peer.h
index 1f12ba141d80..691cf20bd870 100644
--- a/drivers/net/ovpn/peer.h
+++ b/drivers/net/ovpn/peer.h
@@ -192,4 +192,6 @@ void ovpn_peer_keepalive_set(struct ovpn_peer *peer, u32 interval, u32 timeout);
void ovpn_peer_update_local_endpoint(struct ovpn_peer *peer,
struct sk_buff *skb);
+void ovpn_peer_float(struct ovpn_peer *peer, struct sk_buff *skb);
+
#endif /* _NET_OVPN_OVPNPEER_H_ */
--
2.44.2
next prev parent reply other threads:[~2024-06-24 11:30 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-24 11:30 [PATCH net-next v4 00/25] Introducing OpenVPN Data Channel Offload Antonio Quartulli
2024-06-24 11:30 ` [PATCH net-next v4 01/25] netlink: add NLA_POLICY_MAX_LEN macro Antonio Quartulli
2024-06-24 11:30 ` [PATCH net-next v4 02/25] rtnetlink: don't crash on unregister if no dellink exists Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 03/25] net: introduce OpenVPN Data Channel Offload (ovpn) Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 04/25] ovpn: add basic netlink support Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 05/25] ovpn: add basic interface creation/destruction/management routines Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 06/25] ovpn: implement interface creation/destruction via netlink Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 07/25] ovpn: keep carrier always on Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 08/25] ovpn: introduce the ovpn_peer object Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 09/25] ovpn: introduce the ovpn_socket object Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 10/25] ovpn: implement basic TX path (UDP) Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 11/25] ovpn: implement basic RX " Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 12/25] ovpn: implement packet processing Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 13/25] ovpn: store tunnel and transport statistics Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 14/25] ovpn: implement TCP transport Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 15/25] ovpn: implement multi-peer support Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 16/25] ovpn: implement peer lookup logic Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 17/25] ovpn: implement keepalive mechanism Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 18/25] ovpn: add support for updating local UDP endpoint Antonio Quartulli
2024-06-24 11:31 ` Antonio Quartulli [this message]
2024-06-24 11:31 ` [PATCH net-next v4 20/25] ovpn: implement peer add/dump/delete via netlink Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 21/25] ovpn: implement key add/del/swap " Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 22/25] ovpn: kill key and notify userspace in case of IV exhaustion Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 23/25] ovpn: notify userspace when a peer is deleted Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 24/25] ovpn: add basic ethtool support Antonio Quartulli
2024-06-24 11:31 ` [PATCH net-next v4 25/25] testing/selftest: add test tool and scripts for ovpn module Antonio Quartulli
2024-06-25 15:14 ` Jakub Kicinski
2024-06-27 6:46 ` Antonio Quartulli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240624113122.12732-20-antonio@openvpn.net \
--to=antonio@openvpn.net \
--cc=andrew@lunn.ch \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=ryazanov.s.a@gmail.com \
--cc=sd@queasysnail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).