Commit message | Author | Age | Files | Lines

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Otherwise, we can't reply to incoming endpoints.
Reported-by: Peter Whisker <peter.whisker@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
If we're being delivered packets from multiple CPUs so quickly that the
ring lock is contended for CPU tries, then it's safe to assume that the
queue is near capacity anyway, so just drop the packet rather than
spinning. This helps deal with multicore DoS that can interfere with
data path performance. It _still_ does not completely fix the issue, but
it again chips away at it.
Reported-by: Streun Fabio <fstreun@student.ethz.ch>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
If the cmsg only contains an IP_PKTINFO or IP_PKTINFO_EX, then on some
systems, the entire control message will be stripped out early before
passing it to WFP. Presumably this is an optimization gone bad. The lack
of a valid controlMessage member in FWPS_INCOMING_METADATA_VALUES0 when
callouts are triggered results in big problems.
Specifically, problems occur with drivers like NFSDK or McAfee or
various other applications users install that install callouts that
capture an outgoing packet, and then later reinject it (with, say,
FwpsInjectTransportSendAsync0). McAfee does this for their DPI. NFSDK
does this for their userspace parser library. Various things seem to use
this technique. The problem is that when IN_PKTINFO is stripped from
FWPS_INCOMING_METADATA_VALUES0, then it's not subsequently passed to
FwpsInjectTransportSendAsync0, so it's as if the packet was sent without
IP_PKTINFO in the first place. This causes routing loops, and users have
a dysfunctional tunnel with high CPU usage, as packets route round and
round. These issues go away when the callout and
FwpsInjectTransportSendAsync0 dance is removed, indicating that
IN_PKTINFO is working as intended in the rest of the networking stack.
It turns out that the faulty optimization only triggers if IP_PKTINFO is
the only control message used. So, we tag on a second control message
that (hopefully) does nothing; IP_WFP_REDIRECT_RECORDS seems like a
reasonable candidate. It happens to be Windows 8+, so we disable it on
Windows 7, which doesn't need the hack anyway. Adding an extra control
message and potentially adding additional overhead to the egress path is
pretty awful, but currently, I'm not aware of a better workaround.
Reported-by: Keshav Kejriwal <kesh.kejriwal@gmail.com>
Reported-by: Kai Haberzettl <khaberz@gmail.com>
Reported-by: Seyed Mohammad Hossein Amirkhalili <hosami@gmail.com>
Reported-by: Francky Meyer <francky.meyer@hotmail.fr>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
SDV is allergic to code analysis. So, when we're doing SDV (SDVHacks is
"true"), we need to turn the code analysis off.
Signed-off-by: Simon Rozman <simon@rozman.si>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
This moves downlevelshim.lib and those .lib from any future DLLs in this
repo to the matching IntDir.
Signed-off-by: Simon Rozman <simon@rozman.si>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Apparently the spinlock on incoming_handshake's skb_queue is highly
contended, and a torrent of handshake or cookie packets can bring the
data plane to its knees, simply by virtue of enqueueing the handshake
packets to be processed asynchronously. So, we try switching this to a
ring buffer to hopefully have less lock contention. If this is still a
problem, we can resurrect the MPMC ring buffer, but for now let's see if
good old ptr_ring does the trick.
Reported-by: Streun Fabio <fstreun@student.ethz.ch>
Reported-by: Joel Wanner <joel.wanner@inf.ethz.ch>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
With the way NAT and such is designed, this is never going to happen.
Give up on it.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
You can still create loops, but ever since we started making copies on
both RX and TX, and freeing TX buffers really early (after encryption),
we no longer have a stack chaining issue on free.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
It turns out the precision is very useful for diagnosing weird errors.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This is a holdover from Linux, where we reset the packet before
consuming.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This reverts commit 217922afde75df527cada3224df8930264375fa1.
The NSI hijack works so well! But video game anti-cheat stuff makes this
annoying.
At least GetIpInterfaceEntry only takes 70,000 cycles...
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This is very dirty and reverse engineered, but it seems to work, and
it's a stop-gap solution until Windows patches ship.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Not pretty, but functional.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Let's assume that Windows is operating as described, and then later we
can hack around the limitations.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
It expects to receive the total space, with padding, for the cmsg length
argument, so pad out cmsg_len to the data padding multiple, which
amounts to the same thing. This will fix IPv6 endpoints.
Reported-by: Darren VanBuren <onekopaka@theoks.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The most ridiculous function gets even more ridiculous: we need a heap
allocation. We should probably find a new strategy here, as this is
growing unwieldy.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This increases performance considerably.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This is preparation for the next commit, which will attempt to allocate
everything at once for the RX path.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Pretty soon after our first release, indeed, but people are hitting some
show stoppers that are hindering additional testing, so let's nip that in
the bud asap.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
In line with ff41718 ("TODO: note current unsolved MTU notification
issue") of this repo and 3f07aa3f ("winipcfg: set MTU in registry after
setting it in iphlpapi") of the wireguard-windows repo, it seems like
MTU changes are still complicated and partially unsolved, so just leave
it out of the example code for now.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This should allow better transition between wifi and wired.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
We're not (yet?) doing cursored gets, so this isn't in use. Remove it.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Otherwise we wind up retrying and doing the routing generation
comparison at the top needlessly.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Very silly error that caused non-default routes to be ignored.
Reported-by: Peter Whisker <peter.whisker@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Otherwise WFP attempts to correlate flows and winds up dereferencing
garbage in ParentNetBuffer->NetBufferListInfo[WfpNetBufferListInfo].
Reported-by: Sam Sun <sam@samczsun.com>
Reported-by: Jauder Ho <jauderho@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
https://git.zx2c4.com/downlevel-driver-enabler/about/
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
These are no longer supported by the CAs.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This seems surprising to me, but the Windows scheduler doesn't behave as
expected, and this is actually faster.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>