path: root/src

Commit log, newest first. Each entry gives the subject line (author, date, files changed, lines -removed/+added), followed by the commit message body where one exists.

* timers: style (Jason A. Donenfeld, 2017-09-15, 1 file, -1/+1)
* routingtable: satisfy sparse (Jason A. Donenfeld, 2017-09-15, 1 file, -1/+2)
* socket: satisfy sparse (Jason A. Donenfeld, 2017-09-15, 1 file, -2/+2)
* device: IFF_NO_QUEUE is a private flag, not a public one (Jason A. Donenfeld, 2017-09-11, 1 file, -1/+1)
* version: bump snapshot (tag 0.0.20170907) (Jason A. Donenfeld, 2017-09-07, 2 files, -2/+2)
* compat: fix padata to work with 4.13 (Jason A. Donenfeld, 2017-09-07, 1 file, -12/+12)
* wg-quick: only bash complete existing interfaces for down (Jason A. Donenfeld, 2017-09-06, 1 file, -12/+15)
* tools: fix removal of psk (Jason A. Donenfeld, 2017-08-23, 1 file, -1/+1)
  This is an attribute of the peer, not the device.
* socket: improve reply-to-src algorithm (Jason A. Donenfeld, 2017-08-23, 5 files, -5/+102)
  We store the destination IP of incoming packets as the source IP of outgoing packets. When we send outgoing packets, we then ask the routing table for which interface to use and which source address, given our inputs of the destination address and a suggested source address. This all is good and fine, since it means we'll successfully reply using the correct source address, correlating with the destination address for incoming packets.

  However, what happens when default routes change? Or when interface IP addresses change? Prior to this commit, after getting the response from the routing table of the source address, destination address, and interface, we would then make sure that the source address actually belonged to the outbound interface. If it didn't, we'd reset our source address to zero and re-ask the routing table, in which case the routing table would then give us the default IP address for sending that packet.

  This worked mostly fine for most purposes, but there was a problem: what if WireGuard legitimately accepted an inbound packet on a default interface using an IP of another interface? In this case, falling back to asking for the default source IP was not a good strategy, since it'd nearly always mean we'd fail to reply using the right source.

  So, this commit changes the algorithm slightly. Rather than falling back to using the default IP if the preferred source IP doesn't belong to the outbound interface, we have two checks: we make sure that the source IP address belongs to _some_ interface on the system, no matter which one (so long as it's within the network namespace), and we check whether or not the interface of an incoming packet matches the returned interface for the outbound traffic. If both these conditions are true, then we proceed with using this source IP address. If not, we fall back to the default IP address.
* version: bump snapshot (tag 0.0.20170810) (Jason A. Donenfeld, 2017-08-10, 2 files, -2/+2)
* hashtables: if we have an index match, don't search further ever (Jason A. Donenfeld, 2017-08-08, 1 file, -2/+3)
* hashtables: allow up to 2^{20} peers per interface (Jason A. Donenfeld, 2017-08-08, 4 files, -5/+29)
  This allows for nearly 1 million peers per interface, which should be more than enough. If needed later, this number could easily be increased beyond this. We also increase the size of the hashtables to accommodate this upper bound.

  In the future, it might be smart to dynamically expand the hashtable instead of this hard coded compromise value between small systems and large systems.

  Ongoing work includes figuring out the most optimal scheme for these hashtables and for the insertion to mask their order from timing inference.
* compat: support grsecurity with our compat padata implementation (Jason A. Donenfeld, 2017-08-06, 1 file, -0/+8)
  Some SMP kernels don't have PADATA enabled, which means we actually ship our own copy of it, lifted right out of the kernel. This is completely insane and stupid, but so it goes with really grotesque "compat/" layers such as this one. What this amounts to is having to make this upstream file compile on all kernels back to 3.10. Ouch.

  It also means making it compile with whatever other kernels people are using, such as Grsecurity. This patch _should_ make this part of the compat layer work with Grsecurity, but unfortunately I really have no way of knowing, since I don't actually have access to their source code. I assume, though, if this doesn't work, I'll receive more complaints and will take another stab in the dark. The general situation saddens me, as I really liked that project and wish I could still play with it. Alas.

  Fortunately this entire problem with padata will go away, anyway, when we stop using padata, and move to a better form of multicore processing. But for now, we add this to work around the issue.
* timers: do not send out double keepalive (Jason A. Donenfeld, 2017-08-05, 1 file, -1/+4)
  It's possible that a persistent keepalive that comes before a normal keepalive will not invalidate the normal keepalive, and then we'll needlessly send two keepalives.
* noise: infer initiator or not from handshake state (Jason A. Donenfeld, 2017-08-04, 4 files, -6/+6)
  Suggested-by: Mathias Hall-Andersen <mathias@hall-andersen.dk>
* timers: rename confusingly named functions and variables (Jason A. Donenfeld, 2017-08-04, 6 files, -15/+15)
  Suggested-by: Mathias Hall-Andersen <mathias@hall-andersen.dk>
* receive: move lastminute guard into timer event (Jason A. Donenfeld, 2017-08-04, 2 files, -3/+2)
  Suggested-by: Mathias Hall-Andersen <mathias@hall-andersen.dk>
* netns: work around linux 3.10 issues (Jason A. Donenfeld, 2017-08-03, 1 file, -0/+6)
* netns: explicitly test reply to sender routing (Jason A. Donenfeld, 2017-08-03, 1 file, -1/+25)
* tools: stricter userspace ipc parsing (Jason A. Donenfeld, 2017-08-02, 1 file, -3/+3)
* routingtable: unbloat BUG() (Jason A. Donenfeld, 2017-08-02, 1 file, -3/+2)
  Really isn't necessary.
* blake2s: satisfy sparse (Jason A. Donenfeld, 2017-08-02, 1 file, -2/+2)
* selftest: more checking in ratelimiter (Jason A. Donenfeld, 2017-08-02, 1 file, -10/+16)
* receive: pskb_trim already checks length (Jason A. Donenfeld, 2017-08-01, 1 file, -1/+1)
* receive: single line if style (Jason A. Donenfeld, 2017-08-01, 1 file, -2/+1)
* socket: move print function from compat (Jason A. Donenfeld, 2017-07-28, 2 files, -10/+10)
* compat: get rid of warnings on frankenkernels (Jason A. Donenfeld, 2017-07-28, 1 file, -0/+8)
* receive: cleanup variable usage (Jason A. Donenfeld, 2017-07-28, 1 file, -11/+7)
* compat: work around odd kernels that backport kv[mz]alloc (Jason A. Donenfeld, 2017-07-27, 1 file, -3/+5)
* version: bump snapshot (tag 0.0.20170726) (Jason A. Donenfeld, 2017-07-26, 2 files, -2/+2)
* wg-quick: add explicit support for common DNS usage (Jason A. Donenfeld, 2017-07-26, 2 files, -12/+34)
* wg-quick: do not use grep (Jason A. Donenfeld, 2017-07-24, 1 file, -1/+1)
* wg-quick: do not set explicit src route for v6 default route (Jason A. Donenfeld, 2017-07-24, 1 file, -11/+3)
  This was only required because clueless network operators were trying to route fec0::/10 globally, when that range doesn't actually have global scope. Now that we understand the cause was operator error, we revert the change here, so that the routing table is kept consistent.

  This reverts commit 64e47de870a2f0575b5564a70e5680b48ab83ff9.
* wg-quick: usage typos (Jason A. Donenfeld, 2017-07-20, 1 file, -1/+2)
* qemu: warn on all unseeded random usage when in debug mode (Jason A. Donenfeld, 2017-07-20, 1 file, -0/+1)
* global: wireguard.io --> wireguard.com (Jason A. Donenfeld, 2017-07-20, 8 files, -11/+11)
  Due to concerns with the .io TLD, we are switching to using wireguard.com instead.
* blake2s: fix up alignment issues (Jason A. Donenfeld, 2017-07-20, 1 file, -9/+11)
  When it's unclear if block is aligned, we just assume unaligned, rather than branching.
* blake2s: move compression loop to assembly (Samuel Neves, 2017-07-20, 3 files, -72/+84)
* send: use skb_queue_empty where appropriate (Samuel Holland, 2017-07-20, 1 file, -3/+3)
  Signed-off-by: Samuel Holland <samuel@sholland.org>
* data: simplify no-keypair failure case (Samuel Holland, 2017-07-20, 1 file, -5/+2)
  Signed-off-by: Samuel Holland <samuel@sholland.org>
* data: use KMEM_CACHE macro (Jason A. Donenfeld, 2017-07-20, 1 file, -2/+2)
  Suggested-by: Samuel Holland <samuel@sholland.org>
* ratelimiter: use KMEM_CACHE macro (Jason A. Donenfeld, 2017-07-20, 1 file, -6/+6)
  Suggested-by: Samuel Holland <samuel@sholland.org>
* global: use pointer to net_device (Jason A. Donenfeld, 2017-07-20, 12 files, -52/+46)
  DaveM prefers it to be this way per [1].

  [1] http://www.spinics.net/lists/netdev/msg443992.html
* device: support 4.13's extack newlink param (Jason A. Donenfeld, 2017-07-20, 2 files, -1/+5)
* send: orphan skbs when buffering longterm (Jason A. Donenfeld, 2017-07-20, 1 file, -1/+7)
  Otherwise we quickly use up all of a socket's memory, which prevents a socket from sending packets to other interfaces. This also has the nice effect of letting TCP connections continue to attempt to begin, with the older ones being naturally rotated out and freed, so when a connection finally is made, only the later TCP connections are attempted, not the ones that would already have timed out.
* selftests: ensure that there isn't CPU lag when testing rate limiter (Jason A. Donenfeld, 2017-07-20, 1 file, -1/+25)
* compat: work around odd kernels that backport kvfree (Jason A. Donenfeld, 2017-07-07, 1 file, -1/+3)
* socket: style (Jason A. Donenfeld, 2017-07-07, 1 file, -12/+3)
* qemu: update default testing kernel (Jason A. Donenfeld, 2017-07-07, 1 file, -1/+1)
* ratelimiter: consistently use non-bh rcu (Jason A. Donenfeld, 2017-07-07, 2 files, -2/+2)