| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
|
|
|
|
| |
IPs mean different things per-vnet.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We can simplify the ratelimit init/deinit calls by allocating the table
statically, that is by not using hashinit_flags. That function ended up
doing some unnecessary calculation and meant that the mask couldn't be
constant.
By increasing the size of struct ratelimit, this also caught a nasty
(but benign) bug, where ratelimit_pool was initialised to allocate
sizeof(struct ratelimit) and not sizeof(struct ratelimit_entry). It has
been this way since FreeBSD tree and I didn't pick up on it while moving
the uma_zcreate call to wg_cookie.
Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The two main changes here are:
* Remove cookie_ prefix from static functions. This is a leftover from
OpenBSD where they don't want static functions.
* Rename cm to macs, and cp to cm. Not sure where this came from but it
didn't really make much sense to leave it as is.
The reset are whitespace changes. Overall there is no modification to
functionality here, just appearances.
Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Primarily this commit adds a cookie_valid state, to prevent a recently
booted machine from sending a mac2. We also do a little bit of reworking
on locking and a fixup for int to bool.
There is one slight difference to cookie_valid (latest_cookie.is_valid)
on Linux and that is to set cookie_valid to false when the
cookie_birthdate has expired. The purpose of this is to prevent the
expensive timer check after it has expired.
For the locking, we want to hold a write lock in cookie_maker_mac
because we write to mac1_last, mac1_valid and cookie_valid. This
wouldn't cause too much contention as this is a per peer lock and we
only do so when sending handshake packets. This is different from Linux
as Linux writes all it's variables at the start, then downgrades to a
read lock.
We also match cookie_maker_consume_payload locking to Linux, that is to
read lock while checking mac1_valid and decrypting the cookie then take
a write lock to set the cookie.
Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
|
|
|
|
| |
Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
|
|
|
|
| |
Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously we relied on gc being called when adding a new entry, which
could leave us in a gc "blind spot". With this change, we schedule a
callout to run gc whenever we have entries in the table. The callout
will continue to run every ELEMENT_TIMEOUT seconds until the table is
empty.
Access to rl_gc is locked by rl_lock, so we will never have any threads
racing to callout_{pending,stop,reset}.
The alternative (which Linux does currently) is just to run the callout
every ELEMENT_TIMEOUT (1) second even when no entries are in the table.
However, the callout solution proposed here seems simple enough.
Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
|
|
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
|
|
| |
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This should allow us to get more testing coverage earlier.
This port here is also a bit janky. I really don't like the taskqgroup
business, having to copy and paste those structs. And this isn't well
tested, either. But, it's a start.
This distinguishes between compat.h and support.h, though both header
files are intended to operate in more or less the same way. It's
important to keep some discipline between things that we're backporting
and things that aren't _yet_ upstream or are shims for OpenBSD.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
There's still more to do with wiring this up properly.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|