From nobody Tue Nov 26 22:43:35 2024 Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BB0EC2628D for ; Wed, 16 Oct 2024 01:04:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729040652; cv=none; b=U0zELNFMSN+9/bWGcoJKPPOZs7sudfQCbRoYuZDSvrebFnuYUpUUqyjKZxJIsLdH6ZLdzD4yicbEsgHo8crlr5p6raPwTF9Y+udJsXrhec5mxhSeD/nnb9ytV4uWXVJkFZwIWXXLEwzY7NdRsWwYvbJ9xQx0UU4kiRZV6/MNDrw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729040652; c=relaxed/simple; bh=sA/j4ujOLCHidfSHkWTUz3qBTHj05rdoZRacUys7DAY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=WPIr/fVW2YurhDNPia77i77JNhUe3jFj+41nK8Q5mgv9v9KHbEjRQlFClFYeQ5LTqoUgQCq04lx8L9GtDW7BnuQ3CiZrFohCtdg4BPEwN1p6KDPtiajP779oNbXYlmlj+gX4Q6PD7nVww8Nf3K3IENtJYgz+3kRLjct91oEZcvA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=openvpn.net; spf=pass smtp.mailfrom=openvpn.com; dkim=pass (2048-bit key) header.d=openvpn.net header.i=@openvpn.net header.b=ctuVbOvP; arc=none smtp.client-ip=209.85.128.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=openvpn.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=openvpn.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=openvpn.net header.i=@openvpn.net header.b="ctuVbOvP" Received: by mail-wm1-f53.google.com with SMTP id 5b1f17b1804b1-43124843b04so34748685e9.2 for ; Tue, 15 Oct 2024 18:04:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1729040648; x=1729645448; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=j9WF8fOdVHScVBWZFs6runNvFAcpSNIRWVoB+2aYyJI=; b=ctuVbOvPt7m+tgfpSZ7VS3AzppHUckjnlazeJM8YqqLYq9v/JxoF7ksJJJ6PGBPdTt IYK9hIE5Cxo1usBhuQRFx479E33bG5yhW5IC2a431Rmhk6p7V8COT0J62qKWVf38L/rA ADvt8uuIxlmSMyraS1WYfjUc9Z8AYRga5O+uzdh2muL1zD6GwYuxxHeg44ptniuwwlBD 3g6aWVXRF5rALHV9yjKmqu2E34be4Mdz9zQe6726x12Wmb+4LUdrxTWBSPkxoyDucYfG qi9jo0RQaPxVkNHZ+9Ycy+h7waQwI4tQiFti7EHiVLYc6w6vSQBJg8+C7yU9gAVJ/dQV jLJg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729040648; x=1729645448; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=j9WF8fOdVHScVBWZFs6runNvFAcpSNIRWVoB+2aYyJI=; b=TnrJ9nMtB5puUndFebXxCF9YEes/bW4p8p5ceU76zIGRKvujHbn3wPcZSW6cZb0xFd eM4lR/KLMBGZ6ew76fE6pMXdXmb/QHN4+7CpZjHcVesi0s7SwqoSUXqtAthWi3UclRfx O10opagnZiScthTG/KdK9oyNDRNtcMJe9qJn0qJPW15XJHBPC6VWlWHYQpRa1PQ1JIMn BbhZRm/FYA+nCtnGRXhBVzbLdc6/xGOBouPTnDRt/pTMI0V9kiHtHlRfoVHsVsHOhig7 UOskJ0FuX9KEW5Etm3wWIdX4MpXtEVKrHkMTnX4uIefzlv4yu1o+i93mKlHs1AlKSZNa SDHA== X-Forwarded-Encrypted: i=1; AJvYcCVLRDP8rNvWLUcAqX2kgzC09TLf7MbqpZQwT+PSiUd4B9gAjNSXKcqNassCMrk3kEP8zdoKRCoQPZq/IzY=@vger.kernel.org X-Gm-Message-State: AOJu0YzDXEq7qBZKMFiFB18TPlccrckA3IVL50zcPV26rVYktgu7OAnE drBUo3v07k/F2xv8RkIB8Ujgdm6n2GJHe2BA+0lLf3X023ytlW/SkNycvyrOgEw= X-Google-Smtp-Source: AGHT+IEAnATK5a7GwsIHlRKJMGWSVhk70kVUMulJ3OflxgRD+7+KQVLjsnyPL/mpwFapqMxrkG32dA== X-Received: by 2002:a5d:570d:0:b0:374:c8e5:d568 with SMTP id ffacd0b85a97d-37d551d6b43mr12265936f8f.29.1729040647947; Tue, 15 Oct 2024 18:04:07 -0700 (PDT) Received: from serenity.mandelbit.com ([2001:67c:2fbc:1:4c1a:a7c8:72f5:4282]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-37d7fa8778csm2886765f8f.25.2024.10.15.18.04.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Oct 2024 18:04:07 -0700 (PDT) From: Antonio Quartulli Date: Wed, 16 Oct 2024 03:03:14 +0200 Subject: [PATCH net-next v9 14/23] ovpn: implement peer lookup logic Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20241016-b4-ovpn-v9-14-aabe9d225ad5@openvpn.net> References: <20241016-b4-ovpn-v9-0-aabe9d225ad5@openvpn.net> In-Reply-To: <20241016-b4-ovpn-v9-0-aabe9d225ad5@openvpn.net> To: Eric Dumazet , Jakub Kicinski , Paolo Abeni , Donald Hunter , Antonio Quartulli , Shuah Khan , donald.hunter@gmail.com, sd@queasysnail.net, ryazanov.s.a@gmail.com, Andrew Lunn Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, openvpn-devel@lists.sourceforge.net, linux-kselftest@vger.kernel.org X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=openpgp-sha256; l=10819; i=antonio@openvpn.net; h=from:subject:message-id; bh=sA/j4ujOLCHidfSHkWTUz3qBTHj05rdoZRacUys7DAY=; b=owEBbQGS/pANAwAIAQtw5TqgONWHAcsmYgBnDxDw7R/hdvfcO2fCIRbAaXLRPqKJvx5LU6Q/v 07pp1yVKzOJATMEAAEIAB0WIQSZq9xs+NQS5N5fwPwLcOU6oDjVhwUCZw8Q8AAKCRALcOU6oDjV h5z/B/wPkYS0Hl4oIfI13O3tsNCuSOCff97pNJ19Xopp1zP2o+VSEtTeX1LSb/8kMuUVNAv/UKI Q3WErL70hS/nPWY6nMQXHzPYe3xRVIxc5S4daqVD7l6MiVASqmUmZPbcC1Xcb02gt90V6aMi8yu S3FekFXs7I+Efr764Oo9/IFsIlZAg2UhtDDWWkHmQh09Vdg7vXDBj3YAC6jJo8tJtzbpZjnnLEu l2LVJRm+VCKT8vFVFoQrmUTTh0mPMKe7GPpw6h//8YPKJhAwgqREktBasGVNrKwABNXn13IASEj 3lQD3vcNLCAt2JspGNfN2eJIq2/6Oe1ecpilKza85WmxLrSo X-Developer-Key: i=antonio@openvpn.net; a=openpgp; fpr=CABDA1282017C267219885C748F0CCB68F59D14C In a multi-peer scenario there are a number of situations when a specific peer needs to be looked up. We may want to lookup a peer by: 1. its ID 2. its VPN destination IP 3. its transport IP/port couple For each of the above, there is a specific routing table referencing all peers for fast look up. Case 2. is a bit special in the sense that an outgoing packet may not be sent to the peer VPN IP directly, but rather to a network behind it. For this reason we first perform a nexthop lookup in the system routing table and then we use the retrieved nexthop as peer search key. Signed-off-by: Antonio Quartulli --- drivers/net/ovpn/peer.c | 272 ++++++++++++++++++++++++++++++++++++++++++++= ++-- 1 file changed, 264 insertions(+), 8 deletions(-) diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index 73ef509faab9701192a45ffe78a46dbbbeab01c2..c7dc9032c2b55fd42befc1f3e7a= 0eca893a96576 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c @@ -10,6 +10,7 @@ #include #include #include +#include =20 #include "ovpnstruct.h" #include "bind.h" @@ -125,6 +126,94 @@ static bool ovpn_peer_skb_to_sockaddr(struct sk_buff *= skb, return true; } =20 +/** + * ovpn_nexthop_from_skb4 - retrieve IPv4 nexthop for outgoing skb + * @skb: the outgoing packet + * + * Return: the IPv4 of the nexthop + */ +static __be32 ovpn_nexthop_from_skb4(struct sk_buff *skb) +{ + const struct rtable *rt =3D skb_rtable(skb); + + if (rt && rt->rt_uses_gateway) + return rt->rt_gw4; + + return ip_hdr(skb)->daddr; +} + +/** + * ovpn_nexthop_from_skb6 - retrieve IPv6 nexthop for outgoing skb + * @skb: the outgoing packet + * + * Return: the IPv6 of the nexthop + */ +static struct in6_addr ovpn_nexthop_from_skb6(struct sk_buff *skb) +{ + const struct rt6_info *rt =3D skb_rt6_info(skb); + + if (!rt || !(rt->rt6i_flags & RTF_GATEWAY)) + return ipv6_hdr(skb)->daddr; + + return rt->rt6i_gateway; +} + +#define ovpn_get_hash_head(_tbl, _key, _key_len) ({ \ + typeof(_tbl) *__tbl =3D &(_tbl); \ + (&(*__tbl)[jhash(_key, _key_len, 0) % HASH_SIZE(*__tbl)]); }) \ + +/** + * ovpn_peer_get_by_vpn_addr4 - retrieve peer by its VPN IPv4 address + * @ovpn: the openvpn instance to search + * @addr: VPN IPv4 to use as search key + * + * Refcounter is not increased for the returned peer. + * + * Return: the peer if found or NULL otherwise + */ +static struct ovpn_peer *ovpn_peer_get_by_vpn_addr4(struct ovpn_struct *ov= pn, + __be32 addr) +{ + struct hlist_nulls_head *nhead; + struct hlist_nulls_node *ntmp; + struct ovpn_peer *tmp; + + nhead =3D ovpn_get_hash_head(ovpn->peers->by_vpn_addr, &addr, + sizeof(addr)); + + hlist_nulls_for_each_entry_rcu(tmp, ntmp, nhead, hash_entry_addr4) + if (addr =3D=3D tmp->vpn_addrs.ipv4.s_addr) + return tmp; + + return NULL; +} + +/** + * ovpn_peer_get_by_vpn_addr6 - retrieve peer by its VPN IPv6 address + * @ovpn: the openvpn instance to search + * @addr: VPN IPv6 to use as search key + * + * Refcounter is not increased for the returned peer. + * + * Return: the peer if found or NULL otherwise + */ +static struct ovpn_peer *ovpn_peer_get_by_vpn_addr6(struct ovpn_struct *ov= pn, + struct in6_addr *addr) +{ + struct hlist_nulls_head *nhead; + struct hlist_nulls_node *ntmp; + struct ovpn_peer *tmp; + + nhead =3D ovpn_get_hash_head(ovpn->peers->by_vpn_addr, addr, + sizeof(*addr)); + + hlist_nulls_for_each_entry_rcu(tmp, ntmp, nhead, hash_entry_addr6) + if (ipv6_addr_equal(addr, &tmp->vpn_addrs.ipv6)) + return tmp; + + return NULL; +} + /** * ovpn_peer_transp_match - check if sockaddr and peer binding match * @peer: the peer to get the binding from @@ -202,14 +291,44 @@ ovpn_peer_get_by_transp_addr_p2p(struct ovpn_struct *= ovpn, struct ovpn_peer *ovpn_peer_get_by_transp_addr(struct ovpn_struct *ovpn, struct sk_buff *skb) { - struct ovpn_peer *peer =3D NULL; + struct ovpn_peer *tmp, *peer =3D NULL; struct sockaddr_storage ss =3D { 0 }; + struct hlist_nulls_head *nhead; + struct hlist_nulls_node *ntmp; + size_t sa_len; =20 if (unlikely(!ovpn_peer_skb_to_sockaddr(skb, &ss))) return NULL; =20 if (ovpn->mode =3D=3D OVPN_MODE_P2P) - peer =3D ovpn_peer_get_by_transp_addr_p2p(ovpn, &ss); + return ovpn_peer_get_by_transp_addr_p2p(ovpn, &ss); + + switch (ss.ss_family) { + case AF_INET: + sa_len =3D sizeof(struct sockaddr_in); + break; + case AF_INET6: + sa_len =3D sizeof(struct sockaddr_in6); + break; + default: + return NULL; + } + + nhead =3D ovpn_get_hash_head(ovpn->peers->by_transp_addr, &ss, sa_len); + + rcu_read_lock(); + hlist_nulls_for_each_entry_rcu(tmp, ntmp, nhead, + hash_entry_transp_addr) { + if (!ovpn_peer_transp_match(tmp, &ss)) + continue; + + if (!ovpn_peer_hold(tmp)) + continue; + + peer =3D tmp; + break; + } + rcu_read_unlock(); =20 return peer; } @@ -244,10 +363,27 @@ static struct ovpn_peer *ovpn_peer_get_by_id_p2p(stru= ct ovpn_struct *ovpn, */ struct ovpn_peer *ovpn_peer_get_by_id(struct ovpn_struct *ovpn, u32 peer_i= d) { - struct ovpn_peer *peer =3D NULL; + struct ovpn_peer *tmp, *peer =3D NULL; + struct hlist_head *head; =20 if (ovpn->mode =3D=3D OVPN_MODE_P2P) - peer =3D ovpn_peer_get_by_id_p2p(ovpn, peer_id); + return ovpn_peer_get_by_id_p2p(ovpn, peer_id); + + head =3D ovpn_get_hash_head(ovpn->peers->by_id, &peer_id, + sizeof(peer_id)); + + rcu_read_lock(); + hlist_for_each_entry_rcu(tmp, head, hash_entry_id) { + if (tmp->id !=3D peer_id) + continue; + + if (!ovpn_peer_hold(tmp)) + continue; + + peer =3D tmp; + break; + } + rcu_read_unlock(); =20 return peer; } @@ -269,6 +405,8 @@ struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_stru= ct *ovpn, struct sk_buff *skb) { struct ovpn_peer *peer =3D NULL; + struct in6_addr addr6; + __be32 addr4; =20 /* in P2P mode, no matter the destination, packets are always sent to * the single peer listening on the other side @@ -279,11 +417,109 @@ struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_s= truct *ovpn, if (unlikely(peer && !ovpn_peer_hold(peer))) peer =3D NULL; rcu_read_unlock(); + return peer; } =20 + rcu_read_lock(); + switch (skb_protocol_to_family(skb)) { + case AF_INET: + addr4 =3D ovpn_nexthop_from_skb4(skb); + peer =3D ovpn_peer_get_by_vpn_addr4(ovpn, addr4); + break; + case AF_INET6: + addr6 =3D ovpn_nexthop_from_skb6(skb); + peer =3D ovpn_peer_get_by_vpn_addr6(ovpn, &addr6); + break; + } + + if (unlikely(peer && !ovpn_peer_hold(peer))) + peer =3D NULL; + rcu_read_unlock(); + return peer; } =20 +/** + * ovpn_nexthop_from_rt4 - look up the IPv4 nexthop for the given destinat= ion + * @ovpn: the private data representing the current VPN session + * @dest: the destination to be looked up + * + * Looks up in the IPv4 system routing table the IP of the nexthop to be u= sed + * to reach the destination passed as argument. If no nexthop can be found= , the + * destination itself is returned as it probably has to be used as nexthop. + * + * Return: the IP of the next hop if found or dest itself otherwise + */ +static __be32 ovpn_nexthop_from_rt4(struct ovpn_struct *ovpn, __be32 dest) +{ + struct rtable *rt; + struct flowi4 fl =3D { + .daddr =3D dest + }; + + rt =3D ip_route_output_flow(dev_net(ovpn->dev), &fl, NULL); + if (IS_ERR(rt)) { + net_dbg_ratelimited("%s: no route to host %pI4\n", __func__, + &dest); + /* if we end up here this packet is probably going to be + * thrown away later + */ + return dest; + } + + if (!rt->rt_uses_gateway) + goto out; + + dest =3D rt->rt_gw4; +out: + ip_rt_put(rt); + return dest; +} + +/** + * ovpn_nexthop_from_rt6 - look up the IPv6 nexthop for the given destinat= ion + * @ovpn: the private data representing the current VPN session + * @dest: the destination to be looked up + * + * Looks up in the IPv6 system routing table the IP of the nexthop to be u= sed + * to reach the destination passed as argument. If no nexthop can be found= , the + * destination itself is returned as it probably has to be used as nexthop. + * + * Return: the IP of the next hop if found or dest itself otherwise + */ +static struct in6_addr ovpn_nexthop_from_rt6(struct ovpn_struct *ovpn, + struct in6_addr dest) +{ +#if IS_ENABLED(CONFIG_IPV6) + struct dst_entry *entry; + struct rt6_info *rt; + struct flowi6 fl =3D { + .daddr =3D dest, + }; + + entry =3D ipv6_stub->ipv6_dst_lookup_flow(dev_net(ovpn->dev), NULL, &fl, + NULL); + if (IS_ERR(entry)) { + net_dbg_ratelimited("%s: no route to host %pI6c\n", __func__, + &dest); + /* if we end up here this packet is probably going to be + * thrown away later + */ + return dest; + } + + rt =3D dst_rt6_info(entry); + + if (!(rt->rt6i_flags & RTF_GATEWAY)) + goto out; + + dest =3D rt->rt6i_gateway; +out: + dst_release((struct dst_entry *)rt); +#endif + return dest; +} + /** * ovpn_peer_check_by_src - check that skb source is routed via peer * @ovpn: the openvpn instance to search @@ -296,6 +532,8 @@ bool ovpn_peer_check_by_src(struct ovpn_struct *ovpn, s= truct sk_buff *skb, struct ovpn_peer *peer) { bool match =3D false; + struct in6_addr addr6; + __be32 addr4; =20 if (ovpn->mode =3D=3D OVPN_MODE_P2P) { /* in P2P mode, no matter the destination, packets are always @@ -304,15 +542,33 @@ bool ovpn_peer_check_by_src(struct ovpn_struct *ovpn,= struct sk_buff *skb, rcu_read_lock(); match =3D (peer =3D=3D rcu_dereference(ovpn->peer)); rcu_read_unlock(); + return match; + } + + /* This function performs a reverse path check, therefore we now + * lookup the nexthop we would use if we wanted to route a packet + * to the source IP. If the nexthop matches the sender we know the + * latter is valid and we allow the packet to come in + */ + + switch (skb_protocol_to_family(skb)) { + case AF_INET: + addr4 =3D ovpn_nexthop_from_rt4(ovpn, ip_hdr(skb)->saddr); + rcu_read_lock(); + match =3D (peer =3D=3D ovpn_peer_get_by_vpn_addr4(ovpn, addr4)); + rcu_read_unlock(); + break; + case AF_INET6: + addr6 =3D ovpn_nexthop_from_rt6(ovpn, ipv6_hdr(skb)->saddr); + rcu_read_lock(); + match =3D (peer =3D=3D ovpn_peer_get_by_vpn_addr6(ovpn, &addr6)); + rcu_read_unlock(); + break; } =20 return match; } =20 -#define ovpn_get_hash_head(_tbl, _key, _key_len) ({ \ - typeof(_tbl) *__tbl =3D &(_tbl); \ - (&(*__tbl)[jhash(_key, _key_len, 0) % HASH_SIZE(*__tbl)]); }) \ - /** * ovpn_peer_add_mp - add peer to related tables in a MP instance * @ovpn: the instance to add the peer to --=20 2.45.2