-rwxr-xr-x | contrib/patch-kernel-builtin.sh | 2 | ||||
-rw-r--r-- | src/Kbuild | 18 | ||||
-rw-r--r-- | src/Kconfig | 31 | ||||
-rw-r--r-- | src/Makefile | 62 | ||||
-rw-r--r-- | src/device.c | 3 | ||||
-rw-r--r-- | src/socket.c | 27 | ||||
-rw-r--r-- | src/tests/moduledeps.mk | 17 |
7 files changed, 76 insertions, 84 deletions
diff --git a/contrib/patch-kernel-builtin.sh b/contrib/patch-kernel-builtin.sh
index 37960ba..65cb489 100755
--- a/contrib/patch-kernel-builtin.sh
+++ b/contrib/patch-kernel-builtin.sh
@@ -8,5 +8,5 @@ if [[ ! -e $K/net/Kconfig ]]; then
 exit 1
 fi
-sed -i "/^if NET\$/a source \"$WG/Kconfig\"" "$K/net/Kconfig"
+sed -i "/^if INET\$/a source \"$WG/Kconfig\"" "$K/net/Kconfig"
 echo "obj-y += ../../../../../../../../../../../../../../../../../../../../../..$WG/" >> "$K/net/Makefile"
diff --git a/src/Kbuild b/src/Kbuild
new file mode 100644
index 0000000..bde4036
--- /dev/null
+++ b/src/Kbuild
@@ -0,0 +1,18 @@
+ccflags-y := -O3 -fvisibility=hidden
+ccflags-$(CONFIG_WIREGUARD_DEBUG) := -DDEBUG -g
+ccflags-y += -Wframe-larger-than=8192
+wireguard-y := main.o noise.o device.o peer.o timers.o data.o send.o receive.o socket.o config.o hashtables.o routing-table.o ratelimiter.o cookie.o
+wireguard-y += crypto/curve25519.o crypto/chacha20poly1305.o crypto/blake2s.o crypto/siphash24.o
+ifeq ($(CONFIG_X86_64),y)
+ wireguard-y += crypto/chacha20-ssse3-x86_64.o crypto/poly1305-sse2-x86_64.o
+avx2_supported := $(call as-instr,vpgatherdd %ymm0$(comma)(%eax$(comma)%ymm1$(comma)4)$(comma)%ymm2,yes,no)
+ifeq ($(avx2_supported),yes)
+ wireguard-y += crypto/chacha20-avx2-x86_64.o crypto/poly1305-avx2-x86_64.o
+endif
+endif
+
+ifneq ($(KBUILD_EXTMOD),)
+include $(M)/tests/moduledeps.mk
+endif
+
+obj-$(CONFIG_WIREGUARD) := wireguard.o
diff --git a/src/Kconfig b/src/Kconfig
index cfe50fe..7906f1e 100644
--- a/src/Kconfig
+++ b/src/Kconfig
@@ -1,8 +1,13 @@
 config WIREGUARD
- bool "WireGuard secure VPN tunnel"
+ bool "IP: WireGuard secure network tunnel"
+ depends on NET && INET
 select NET_UDP_TUNNEL
 select NETFILTER_XT_MATCH_HASHLIMIT
- select IPV6
+ select NETFILTER
+ select NETFILTER_XTABLES
+ select NETFILTER_ADVANCED
+ select NF_CONNTRACK
+ select CRYPTO_BLKCIPHER
 default y
 ---help---
 WireGuard is a secure, fast, and easy to use replacement for IPSec 
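Review bot: In the new Kbuild, `ccflags-$(CONFIG_WIREGUARD_DEBUG) := -DDEBUG -g` on the second line uses `:=`, so when CONFIG_WIREGUARD_DEBUG=y it expands to `ccflags-y := -DDEBUG -g` and discards the `-O3 -fvisibility=hidden` set on the line just above; a debug build therefore silently loses hidden symbol visibility as well as the optimisation level. The third line then appends `-Wframe-larger-than=8192` to whatever survived, which hides the problem. Use `ccflags-$(CONFIG_WIREGUARD_DEBUG) += -DDEBUG -g` instead. The same pattern existed in the old Makefile being deleted, but the new file is the right place to correct it.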
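Review bot: The added `select NETFILTER`, `select NETFILTER_ADVANCED` and `select NF_CONNTRACK` lines force those symbols on without evaluating their own `depends on`, and together with the retained `default y` they mean every kernel that sources this file gets connection tracking built in whether or not a WireGuard interface is ever created. Kconfig's own guidance is to `select` only leaf symbols that have no dependencies and no prompt; for a user-visible subsystem like conntrack, `depends on NF_CONNTRACK` with the requirement spelled out in the help text keeps the choice visible and avoids an inconsistent .config. Since `select IPV6` was dropped and the driver now compiles without it, the help text should also state the new limit, e.g. `IPv6 peer endpoints are only available when CONFIG_IPV6 is enabled.`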
@@ -14,17 +19,6 @@ config WIREGUARD
 It's safe to say Y or M here, as the driver is very lightweight and is only in use when an administrator chooses to add an interface.
-config WIREGUARD_DEBUG
- bool "Debugging checks and verbose messages for WireGuard"
- depends on WIREGUARD
- ---help---
- This will write log messages for handshake and other events
- that occur for a WireGuard interface. It will also perform some
- extra validation checks and unit tests at various points. This is
- only useful for debugging.
-
- Say N here unless you know what you're doing.
-
 config WIREGUARD_PARALLEL
 bool "Enable parallel engine"
 depends on SMP && WIREGUARD
@@ -36,3 +30,14 @@ config WIREGUARD_PARALLEL
 It's safe to say Y here, and you probably should, as the performance improvements are substantial.
+
+config WIREGUARD_DEBUG
+ bool "Debugging checks and verbose messages"
+ depends on WIREGUARD
+ ---help---
+ This will write log messages for handshake and other events
+ that occur for a WireGuard interface. It will also perform some
+ extra validation checks and unit tests at various points. This is
+ only useful for debugging.
+
+ Say N here unless you know what you're doing.
diff --git a/src/Makefile b/src/Makefile
index 3eef0b5..ff20ffe 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -1,61 +1,3 @@
-ifneq ($(KERNELRELEASE),)
-ifneq ($(KBUILD_EXTMOD),)
-CONFIG_WIREGUARD := m
-endif
-
-obj-$(CONFIG_WIREGUARD) := wireguard.o
-ccflags-y := -O3 -fvisibility=hidden
-ccflags-$(CONFIG_WIREGUARD_DEBUG) := -DDEBUG -g
-ifneq ($(KBUILD_EXTMOD),)
-ifeq ($(CONFIG_WIREGUARD_PARALLEL),)
-ifneq (,$(filter $(CONFIG_PADATA),y m))
-ccflags-y += -DCONFIG_WIREGUARD_PARALLEL=y
-endif
-endif
-endif
-
-ifneq ($(KBUILD_EXTMOD),)
-ifneq ($(CONFIG_MODULES),)
-ifeq ($(CONFIG_NET_UDP_TUNNEL),)
-$(error "WireGuard requires CONFIG_NET_UDP_TUNNEL to be configured in your kernel. The easiest way to select it is: \
- Networking support --> \
- Networking options --> \
- [*] IP: Foo (IP protocols) over UDP")
-endif
-ifeq ($(CONFIG_IPV6),)
-$(error "WireGuard requires CONFIG_IPV6 to be configured in your kernel. The easiest way to select it is: \
- Networking support --> \
- Networking options --> \
- [*] The IPv6 protocol")
-endif
-ifeq ($(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT),)
-$(error "WireGuard requires CONFIG_NETFILTER_XT_MATCH_HASHLIMIT to be conifugred in your kernel. The easiest way to selectit is: \
- Networking support --> \
- Networking options --> \
- Network packet filtering framework (Netfilter) --> \
- Core Netfilter Configuration --> \
- [*] \"hashlimit\" match support")
-endif
-ifeq ($(CONFIG_PADATA),)
-ifneq ($(CONFIG_SMP),)
-$(warning "PEFORMANCE WARNING: WireGuard has enormous speed benefits when using CONFIG_PADATA on SMP systems. Please enable CONFIG_PADATA in your kernel configuration. 
The easiest way to select it is: \
- Cryptographic API --> \
- [*] Parallel crypto engine")
-endif
-endif
-endif
-endif
-
-wireguard-y := main.o noise.o device.o peer.o timers.o data.o send.o receive.o socket.o config.o hashtables.o routing-table.o ratelimiter.o cookie.o
-wireguard-y += crypto/curve25519.o crypto/chacha20poly1305.o crypto/blake2s.o crypto/siphash24.o
-ifeq ($(CONFIG_X86_64),y)
- wireguard-y += crypto/chacha20-ssse3-x86_64.o crypto/poly1305-sse2-x86_64.o
-avx2_supported := $(call as-instr,vpgatherdd %ymm0$(comma)(%eax$(comma)%ymm1$(comma)4)$(comma)%ymm2,yes,no)
-ifeq ($(avx2_supported),yes)
- wireguard-y += crypto/chacha20-avx2-x86_64.o crypto/poly1305-avx2-x86_64.o
-endif
-endif
-else
 KERNELDIR ?= /lib/modules/$(shell uname -r)/build
 PWD := $(shell pwd)
@@ -80,13 +22,9 @@ install:
 tools:
 $(MAKE) -C tools
-core-cloc: clean
- cloc ./*.c ./*.h
-
 check:
 $(MAKE) -C $(KERNELDIR) M=$(PWD) C=2 CF="-D__CHECK_ENDIAN__" CONFIG_WIREGUARD_DEBUG=y
 include tests/debug.mk
 .PHONY: all module module-debug tools install clean core-cloc check
-endif
diff --git a/src/device.c b/src/device.c
index 0f922c7..bb81ce2 100644
--- a/src/device.c
+++ b/src/device.c
@@ -77,10 +77,9 @@ static void skb_unsendable(struct sk_buff *skb, struct net_device *dev)
 /* This conntrack stuff is because the rate limiting needs to be applied
 * to the original src IP, so we have to restore saddr in the IP header. */
 struct nf_conn *ct = NULL;
-#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 enum ip_conntrack_info ctinfo;
+ ct = nf_ct_get(skb, &ctinfo);
-#endif
 ++dev->stats.tx_errors;
 if (skb->len < sizeof(struct iphdr))
diff --git a/src/socket.c b/src/socket.c
index ac19a47..463e027 100644
--- a/src/socket.c
+++ b/src/socket.c
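Review bot: Dropping the `#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)` guard in skb_unsendable() makes the `ct = nf_ct_get(skb, &ctinfo);` call unconditional, but the `select NF_CONNTRACK` that justifies this only takes effect for in-tree builds; for an out-of-tree module the new tests/moduledeps.mk checks only NETFILTER_XT_MATCH_HASHLIMIT. A kernel configured without conntrack will presumably fail here with an unhelpful compile error (nf_ct_get reads the conntrack field of sk_buff, which only exists under CONFIG_NF_CONNTRACK) instead of the intended `$(error ...)` message. Either keep the guard for the KBUILD_EXTMOD case or add a matching `ifeq ($(CONFIG_NF_CONNTRACK),)` check next to the hashlimit one. skb_unsendable's body continues outside the hunk.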
@@ -62,6 +62,7 @@ static inline struct dst_entry *route(struct wireguard_device *wg, struct flowi4
 dst = ERR_PTR(PTR_ERR(rt));
 dst = &rt->dst;
 } else if (addr->ss_family == AF_INET6) {
+#if IS_ENABLED(CONFIG_IPV6)
 int ret;
 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr;
@@ -84,6 +85,7 @@ static inline struct dst_entry *route(struct wireguard_device *wg, struct flowi4
 #endif
 if (unlikely(ret))
 dst = ERR_PTR(ret);
+#endif
 }
 return dst;
 }
@@ -122,7 +124,7 @@ static inline int send(struct net_device *dev, struct sk_buff *skb, struct dst_e
 ret = -ENONET;
 goto err;
 }
-
+#if IS_ENABLED(CONFIG_IPV6)
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 5, 0)
 return udp_tunnel6_xmit_skb(dst, sock6, skb, dev, &fl6->saddr, &fl6->daddr,
@@ -144,6 +146,9 @@ static inline int send(struct net_device *dev, struct sk_buff *skb, struct dst_e
 false);
 return 0;
 #endif
+#else
+ goto err;
+#endif
 }
 err:
@@ -391,11 +396,14 @@ static inline void set_sock_opts(struct socket *sock)
 int socket_init(struct wireguard_device *wg)
 {
+ struct socket *new4 = NULL;
 struct udp_port_cfg port4 = {
 .family = AF_INET,
 .local_ip.s_addr = htonl(INADDR_ANY),
 .use_udp_checksums = true
 };
+#if IS_ENABLED(CONFIG_IPV6)
+ struct socket *new6 = NULL;
 struct udp_port_cfg port6 = {
 .family = AF_INET6,
 .local_ip6 = IN6ADDR_ANY_INIT,
@@ -405,6 +413,7 @@ int socket_init(struct wireguard_device *wg)
 .ipv6_v6only = true
 #endif
 };
+#endif
 struct udp_tunnel_sock_cfg cfg = {
 .sk_user_data = wg,
 .encap_type = 1,
@@ -412,7 +421,6 @@ int socket_init(struct wireguard_device *wg)
 };
 int ret = 0;
- struct socket *new4 = NULL, *new6 = NULL;
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 3, 0)
 int old_bindv6only;
 #endif
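Review bot: With CONFIG_IPV6 disabled the `else if (addr->ss_family == AF_INET6)` branch of route() is now empty, so `dst` is returned with whatever value it held before the branch rather than an error; that initial value is outside the hunk, and if it is NULL the caller receives a NULL dst for an IPv6 endpoint instead of an explicit failure. Adding an `#else` arm with `dst = ERR_PTR(-EAFNOSUPPORT);` rejects an IPv6 endpoint on an IPv4-only kernel the same way a routing failure is rejected. route() starts before the first hunk.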
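Review bot: The `#else` / `goto err;` arm added at the end of send() jumps to the error label without assigning `ret`, so on a kernel without CONFIG_IPV6 the function returns whatever `ret` happened to hold at that point; the declaration of `ret` and the `err:` handler are outside the hunk, so this may be a stale value from earlier in the function. Set an explicit code first, `ret = -EAFNOSUPPORT; goto err;`, so the failure is distinguishable from the -ENONET missing-socket path above it and the caller never sees a success-looking return after the skb was dropped.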
@@ -427,7 +435,11 @@ int socket_init(struct wireguard_device *wg)
 if (!wg->incoming_port)
 wg->incoming_port = generate_default_incoming_port(wg);
- port4.local_udp_port = port6.local_udp_port = htons(wg->incoming_port);
+ port4.local_udp_port =
+#if IS_ENABLED(CONFIG_IPV6)
+ port6.local_udp_port =
+#endif
+ htons(wg->incoming_port);
 ret = udp_sock_create(wg->creating_net, &port4, &new4);
 if (ret < 0) {
@@ -435,6 +447,11 @@ int socket_init(struct wireguard_device *wg)
 goto out;
 }
+ set_sock_opts(new4);
+ setup_udp_tunnel_sock(wg->creating_net, new4, &cfg);
+ rcu_assign_pointer(wg->sock4, new4->sk);
+
+#if IS_ENABLED(CONFIG_IPV6)
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 3, 0)
 /* Since udp_port_cfg only learned of ipv6_v6only in 4.3, we do this horrible
 * hack here and set the sysctl variable temporarily to something that will
@@ -452,12 +469,10 @@ int socket_init(struct wireguard_device *wg)
 goto out;
 }
- set_sock_opts(new4);
 set_sock_opts(new6);
- setup_udp_tunnel_sock(wg->creating_net, new4, &cfg);
 setup_udp_tunnel_sock(wg->creating_net, new6, &cfg);
- rcu_assign_pointer(wg->sock4, new4->sk);
 rcu_assign_pointer(wg->sock6, new6->sk);
+#endif
 out:
 mutex_unlock(&wg->socket_update_lock);
diff --git a/src/tests/moduledeps.mk b/src/tests/moduledeps.mk
new file mode 100644
index 0000000..4344d30
--- /dev/null
+++ b/src/tests/moduledeps.mk
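Review bot: Moving `rcu_assign_pointer(wg->sock4, new4->sk);` ahead of the IPv6 socket creation publishes the IPv4 socket to RCU readers before socket_init() knows it will succeed; previously both sockets were published together only after the v6 socket existed. The `goto out;` on the v6 failure path between the two hunks therefore now returns an error with `wg->sock4` still pointing at new4: if that failure branch releases new4 (its preceding lines are outside the hunk), readers hold a dangling socket pointer, and if it does not, a half-initialised device keeps a live listening socket while reporting failure. Either keep the publish after both sockets are created, as before, or on the v6 failure path clear it first: `rcu_assign_pointer(wg->sock4, NULL); synchronize_rcu();` before releasing new4. The sysctl hack on kernels before 4.3 also sits inside this window, so the `int old_bindv6only;` declaration above is now unused when CONFIG_IPV6 is off.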
@@ -0,0 +1,17 @@
+CONFIG_WIREGUARD := m
+ifeq ($(CONFIG_WIREGUARD_PARALLEL),)
+ifneq (,$(filter $(CONFIG_PADATA),y m))
+ccflags-y += -DCONFIG_WIREGUARD_PARALLEL=y
+endif
+endif
+
+ifneq ($(CONFIG_MODULES),)
+ifeq ($(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT),)
+$(error "WireGuard requires CONFIG_NETFILTER_XT_MATCH_HASHLIMIT to be configured in your kernel. See https://www.wireguard.io/install/#kernel-requirements for more info")
+endif
+ifeq ($(CONFIG_PADATA),)
+ifneq ($(CONFIG_SMP),)
+$(warning "PEFORMANCE WARNING: WireGuard has enormous speed benefits when using CONFIG_PADATA on SMP systems. Please enable CONFIG_PADATA in your kernel configuration. See https://www.wireguard.io/install/#kernel-requirements for more info.")
+endif
+endif
+endif |
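Review bot: The out-of-tree checks in the new tests/moduledeps.mk dropped the CONFIG_NET_UDP_TUNNEL test the old Makefile carried, yet socket.c still calls udp_sock_create() and setup_udp_tunnel_sock() from that subsystem, and the `select` lines added to Kconfig have no effect on an external module build; a kernel without UDP tunnels will now get past make and fail at modpost or insmod with unknown symbols instead of the intended message. The same gap applies to NF_CONNTRACK, which device.c now uses unconditionally. Restore the UDP tunnel check and add a conntrack check beside the hashlimit one, and fix the `PEFORMANCE` typo in the warning while here.
```makefile
ifneq ($(CONFIG_MODULES),)
ifeq ($(CONFIG_NET_UDP_TUNNEL),)
$(error "WireGuard requires CONFIG_NET_UDP_TUNNEL to be configured in your kernel. See https://www.wireguard.io/install/#kernel-requirements for more info")
endif
ifeq ($(CONFIG_NF_CONNTRACK),)
$(error "WireGuard requires CONFIG_NF_CONNTRACK to be configured in your kernel. See https://www.wireguard.io/install/#kernel-requirements for more info")
endif
# … unchanged: hashlimit check and PADATA warning …
endif
```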