| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| socket: satisfy sparse | Jason A. Donenfeld | 2017-09-15 | 1 | -2/+2 |
| socket: improve reply-to-src algorithm | Jason A. Donenfeld | 2017-08-23 | 1 | -3/+11 |
| We store the destination IP of incoming packets as the source IP of outgoing packets. When we send outgoing packets, we then ask the routing table for which interface to use and which source address, given our inputs of the destination address and a suggested source address. This all is good and fine, since it means we'll successfully reply using the correct source address, correlating with the destination address for incoming packets. | | | | |
| However, what happens when default routes change? Or when interface IP addresses change? Prior to this commit, after getting the response from the routing table of the source address, destination address, and interface, we would then make sure that the source address actually belonged to the outbound interface. If it didn't, we'd reset our source address to zero and re-ask the routing table, in which case the routing table would then give us the default IP address for sending that packet. This worked mostly fine for most purposes, but there was a problem: what if WireGuard legitimately accepted an inbound packet on a default interface using an IP of another interface? In this case, falling back to asking for the default source IP was not a good strategy, since it'd nearly always mean we'd fail to reply using the right source. | | | | |
| So, this commit changes the algorithm slightly. Rather than falling back to using the default IP if the preferred source IP doesn't belong to the outbound interface, we have two checks: we make sure that the source IP address belongs to _some_ interface on the system, no matter which one (so long as it's within the network namespace), and we check whether or not the interface of an incoming packet matches the returned interface for the outbound traffic. If both these conditions are true, then we proceed with using this source IP address. If not, we fall back to the default IP address. | | | | |
| global: use pointer to net_device | Jason A. Donenfeld | 2017-07-20 | 1 | -8/+8 |
| DaveM prefers it to be this way per [1]. | | | | |
| [1] http://www.spinics.net/lists/netdev/msg443992.html | | | | |
| socket: style | Jason A. Donenfeld | 2017-07-07 | 1 | -12/+3 |
| socket: the checkers distinguish between _bh and non _bh | Jason A. Donenfeld | 2017-07-06 | 1 | -1/+1 |
| global: cleanup IP header checking | Jason A. Donenfeld | 2017-06-26 | 1 | -2/+2 |
| This way is more correct and ensures we're within the skb head. | | | | |
| socket: use ip_rt_put instead of dst_release | Jason A. Donenfeld | 2017-06-26 | 1 | -2/+2 |
| socket: verify saddr belongs to interface | Jason A. Donenfeld | 2017-06-26 | 1 | -1/+4 |
| This helps "unstick" stuck source addresses, when changing routes dynamically. | | | | |
| debug: print interface name in dmesg | Jason A. Donenfeld | 2017-05-31 | 1 | -6/+6 |
| locking: always use _bh | Jason A. Donenfeld | 2017-04-04 | 1 | -7/+7 |
| All locks are potentially between user context and softirq, which means we need to take the _bh variant. | | | | |
| socket: avoid deadlock on port retry | Jason A. Donenfeld | 2017-03-24 | 1 | -4/+3 |
| socket: do not try to create v6 socket when disabled | Jason A. Donenfeld | 2017-02-23 | 1 | -0/+2 |
| socket: enable setting of fwmark | Jason A. Donenfeld | 2017-02-13 | 1 | -1/+2 |
| socket: general ephemeral ports instead of name-based ports | Jason A. Donenfeld | 2017-02-13 | 1 | -53/+16 |
| socket: synchronize net on socket tear down | Jason A. Donenfeld | 2017-02-07 | 1 | -0/+1 |
| Update copyright | Jason A. Donenfeld | 2017-01-10 | 1 | -1/+1 |
| peer: don't use sockaddr_storage to reduce memory usage | Jason A. Donenfeld | 2016-12-13 | 1 | -10/+10 |
| global: move to consistent use of uN instead of uintN_t for kernel code | Jason A. Donenfeld | 2016-12-11 | 1 | -6/+6 |
| socket: clear src address when retrying handshake | Jason A. Donenfeld | 2016-12-09 | 1 | -0/+8 |
| headers: cleanup notices | Jason A. Donenfeld | 2016-11-21 | 1 | -1/+1 |
| socket: ensure that saddr routing can deal with interface removal | Jason A. Donenfeld | 2016-11-15 | 1 | -0/+11 |
| socket: keep track of src address in sending packets | Jason A. Donenfeld | 2016-11-15 | 1 | -50/+54 |
| socket: release dst on routing loop | Jason A. Donenfeld | 2016-11-06 | 1 | -0/+2 |
| socket: big refactoring | Jason A. Donenfeld | 2016-11-05 | 1 | -189/+166 |
| socket: route() returns an error pointer, not NULL on failure | Jason A. Donenfeld | 2016-11-04 | 1 | -2/+2 |
| Reported-by: Cedric Buxin <cedric.buxin@izri.org> | | | | |
| compat: stub out dst_cache for old kernels | Jason A. Donenfeld | 2016-11-04 | 1 | -1/+0 |
| socket: use dst_cache instead of handrolled cache | Jason A. Donenfeld | 2016-11-04 | 1 | -92/+59 |
| compat: Isolate more functions | Jason A. Donenfeld | 2016-09-29 | 1 | -54/+1 |
| Rework headers and includes | Jason A. Donenfeld | 2016-09-29 | 1 | -1/+2 |
| send: properly encapsulate ECN | Jason A. Donenfeld | 2016-08-29 | 1 | -4/+4 |
| We're not leaking the DSCP, but we do deal with ECN. | | | | |
| socket: use isdigit | Jason A. Donenfeld | 2016-08-22 | 1 | -1/+2 |
| socket: fix compat for 4.1 v6 sockets | Jason A. Donenfeld | 2016-07-22 | 1 | -3/+9 |
| It turns out 4.1 is even more broken than expected. While both 4.1 and 4.2 need to jigger the sysctl knob temporarily, it turns out that in 4.1 it's looking in the wrong namespace for the knob value. So, we have to account for the different namespace semantics in the different versions. Super ugly. But, all this code goes away once we upstream. | | | | |
| socket: reset IPv4 socket to NULL after free | Jason A. Donenfeld | 2016-07-21 | 1 | -0/+1 |
| socket: simpler debug message | Jason A. Donenfeld | 2016-07-21 | 1 | -2/+2 |
| build system: revamp building and configuration | Jason A. Donenfeld | 2016-07-18 | 1 | -6/+21 |
| persistent keepalive: use authenticated keepalives | Jason A. Donenfeld | 2016-07-10 | 1 | -6/+2 |
| persistent keepalive: add kernel mechanism | Jason A. Donenfeld | 2016-07-08 | 1 | -2/+6 |
| Initial commit | Jason A. Donenfeld | 2016-06-25 | 1 | -0/+479 |