authorJason A. Donenfeld <Jason@zx2c4.com>2017-06-21 03:55:31 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2017-06-26 12:35:06 +0200
commit79a7dc4da9702d05c5085acffe1c4f9cf72c26a6 (patch)
treedf8160a06c0d7ed61a71b014b970bd8f0e8add9c /src/cookie.c
parentcurve25519: keep certain sandy2x functions in C (diff)
ratelimiter: rewrite from scratch
This not only removes the dependency on x_tables, but it also gives us much better performance and memory usage. Now, systems are able to have millions of WireGuard interfaces, without having to worry about a thundering herd of garbage collection.
Diffstat (limited to 'src/cookie.c')
-rw-r--r--src/cookie.c14
1 files changed, 3 insertions, 11 deletions
diff --git a/src/cookie.c b/src/cookie.c
index ce22b53..0e9c211 100644
--- a/src/cookie.c
+++ b/src/cookie.c
@@ -4,6 +4,7 @@
#include "peer.h"
#include "device.h"
#include "messages.h"
+#include "ratelimiter.h"
#include "crypto/blake2s.h"
#include "crypto/chacha20poly1305.h"
@@ -11,16 +12,12 @@
#include <net/ipv6.h>
#include <crypto/algapi.h>
-int cookie_checker_init(struct cookie_checker *checker, struct wireguard_device *wg)
+void cookie_checker_init(struct cookie_checker *checker, struct wireguard_device *wg)
{
- int ret = ratelimiter_init(&checker->ratelimiter, wg);
- if (ret)
- return ret;
init_rwsem(&checker->secret_lock);
checker->secret_birthdate = get_jiffies_64();
get_random_bytes(checker->secret, NOISE_HASH_LEN);
checker->device = wg;
- return 0;
}
enum { COOKIE_KEY_LABEL_LEN = 8 };
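Review bot: cookie_checker_init no longer owns the rate limiter, but nothing at the definition says where its lifecycle now lives, so a reader of this file alone will assume rate limiting was dropped from the cookie checker. Since the function is now void and cannot fail, any caller outside this file that still tests its result will need updating; that is not visible in this hunk. A short header comment would close the gap: `/* The ratelimiter is no longer per-checker; it is set up and torn down by the ratelimiter module (see ratelimiter.h), so this init cannot fail. */`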
@@ -56,11 +53,6 @@ void cookie_checker_precompute_peer_keys(struct wireguard_peer *peer)
precompute_key(peer->latest_cookie.message_mac1_key, peer->handshake.remote_static, mac1_key_label);
}
-void cookie_checker_uninit(struct cookie_checker *checker)
-{
- ratelimiter_uninit(&checker->ratelimiter);
-}
-
void cookie_init(struct cookie *cookie)
{
memset(cookie, 0, sizeof(struct cookie));
@@ -127,7 +119,7 @@ enum cookie_mac_state cookie_validate_packet(struct cookie_checker *checker, str
goto out;
ret = VALID_MAC_WITH_COOKIE_BUT_RATELIMITED;
- if (!ratelimiter_allow(&checker->ratelimiter, skb))
+ if (!ratelimiter_allow(skb, dev_net(netdev_pub(checker->device))))
goto out;
ret = VALID_MAC_WITH_COOKIE;
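Review bot: The new ratelimiter_allow call is keyed on `dev_net(netdev_pub(checker->device))` rather than on the checker, which presumably means the rate-limit state is now shared by every WireGuard device in that network namespace instead of being per-interface; that is a semantic change worth stating at the call site so it is not mistaken for per-device limiting. A one-line comment would do: `/* Rate limiting is per-netns, shared across all devices in it, not per-checker. */`. The two-level pointer walk also runs on every packet that reaches this path; if netdev_pub()/dev_net() are not trivially cheap, hoisting the netns lookup is an option, but that is a performance judgement the hunk does not let me confirm. cookie_validate_packet begins and ends outside this hunk.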