From nobody Tue Nov 26 22:21:34 2024 Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 63D01189F3F for ; Wed, 16 Oct 2024 01:03:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729040639; cv=none; b=bImVzS1xteVagzYb56Yy10lt23sLcwQaeKItre8GuZigfxSiY/SsnmEk+jvoKJortBKVJiSwVJgTplHD6cwh1dFtbSn/WxzwcFRO4/E4dNytKLhQqgfkQm4Vjt1Y97DMXbTNSee6pNQS8q907XfK5UiBKZdrKuQ3oQLWmeOHg+E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729040639; c=relaxed/simple; bh=ggF5K+58gLgiad5OUSjEn5k2AotXeWRMNMLXDkZhNv0=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ka8K3Ray0GqK7pjPKw0TX87ylyuqox7p7LB73a17IQ/KGKLAl4mjv5BX3fsEnYqRIXcwPDVdchqLNSQs7VatDyv2EyuFxam/dqxIY40mV6on6ypgagqzOQJaFS0y975oG1kNPLxHVWh396JRwy+F9kdhffsxxMXm9mzY5HWr8Ko= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=openvpn.net; spf=pass smtp.mailfrom=openvpn.com; dkim=pass (2048-bit key) header.d=openvpn.net header.i=@openvpn.net header.b=EjI4Ra7+; arc=none smtp.client-ip=209.85.128.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=openvpn.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=openvpn.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=openvpn.net header.i=@openvpn.net header.b="EjI4Ra7+" Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-43124843b04so34747345e9.2 for ; Tue, 15 Oct 2024 18:03:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1729040635; x=1729645435; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=ud6K5GOoq3b4lX4KydaG6wKHFrptq5dDMvYiS7l/dAc=; b=EjI4Ra7+mUtw6mx+ECVTzl22I6MuAJaq+ZpkMdqFRJ0ojMmlcwX1XcWgWsCaoSIb0w HQv3CXvVy8fx4vR1aKBEZgIWbHV/Z1XfcbcAUaEp8TX/5Z32SoIusND0lqsX9bv47+hS xwGsS7Yzp7aZjZwt8oOvNav72HsUofEKG8cnNccav/X2qXfnmVMDoRP7mylROUEaeX6e qERjMz7cmZfvhY7RdgPz3+uJd2aSK1FquDn3h1EOEpgApCYSwWZJk0GqcfMdd1lVEpb0 idfybnmC1bHoZwhORzv2+K5mY22PtQLpl2Aok7TldZ9+Uh7kNWzz+yDV8KFn5gKKNujz iX0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729040635; x=1729645435; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ud6K5GOoq3b4lX4KydaG6wKHFrptq5dDMvYiS7l/dAc=; b=isUx7kAV+fQr/zt1g1100SFg+Kvg3rZ3mfebem9p5XHSwcJSGgwT3/gP7LarWWwDql tX+YQHBiC4cPpTaP9yqgs0mmtAKpHY14gKOTIh4TPGXUdANJFY1vjk73hajSOcQr3Dfp XZpyUXinSuK7NYNz9QWH869C4ALfqkBjt2xqz/LHft5i7YLeZlxJz+ECfuwjYcDeg2yJ TMwxT3xCnVUZtUW9bdrJTlYuS5wtk4vRXydgl8LX5nTqXV3ioNMxHVzCYH7HSYdud0fr cIDNAwItrqBQhq9hpUnplUjCL9l6E6TZuBCJrhRg8og3Umny1uPQdvaFIj2/+1Wrd8nU YhLQ== X-Forwarded-Encrypted: i=1; AJvYcCU13qz04uMrecXkgMnX5V6Dz1d6MQ1kKPMJwWtJlX0SD6M8Ig/2+SDZpcqQ8BYmsfdrL+Z6iaFv1wUrcPs=@vger.kernel.org X-Gm-Message-State: AOJu0YzH0ZDGsWmGtGacAH6/7l+7j/6lDVpZpEvCsoj3PDm3OuLw5qAx kRxjl+/b9aOiT9vmBdEHnvCnvILx3i2nB257fJcVw3xqgJ5xPEYK/I5H3ZeLWwo= X-Google-Smtp-Source: AGHT+IElhVPemSMkaKzDVK6PyvleajJ2ybaHbRRGgXby+pI4RQz6g2YdJdfaif0XRYc8ChjoZir7gA== X-Received: by 2002:a05:600c:2314:b0:431:5044:e388 with SMTP id 5b1f17b1804b1-4315044e674mr5340115e9.22.1729040634638; Tue, 15 Oct 2024 18:03:54 -0700 (PDT) Received: from serenity.mandelbit.com ([2001:67c:2fbc:1:4c1a:a7c8:72f5:4282]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-37d7fa8778csm2886765f8f.25.2024.10.15.18.03.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Oct 2024 18:03:53 -0700 (PDT) From: Antonio Quartulli Date: Wed, 16 Oct 2024 03:03:07 +0200 Subject: [PATCH net-next v9 07/23] ovpn: introduce the ovpn_socket object Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20241016-b4-ovpn-v9-7-aabe9d225ad5@openvpn.net> References: <20241016-b4-ovpn-v9-0-aabe9d225ad5@openvpn.net> In-Reply-To: <20241016-b4-ovpn-v9-0-aabe9d225ad5@openvpn.net> To: Eric Dumazet , Jakub Kicinski , Paolo Abeni , Donald Hunter , Antonio Quartulli , Shuah Khan , donald.hunter@gmail.com, sd@queasysnail.net, ryazanov.s.a@gmail.com, Andrew Lunn Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, openvpn-devel@lists.sourceforge.net, linux-kselftest@vger.kernel.org X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=openpgp-sha256; l=9019; i=antonio@openvpn.net; h=from:subject:message-id; bh=ggF5K+58gLgiad5OUSjEn5k2AotXeWRMNMLXDkZhNv0=; b=owEBbQGS/pANAwAIAQtw5TqgONWHAcsmYgBnDxDvkB0iccAPf51dXcjIuE5PlChNgocu3n670 bhsJqkOBqmJATMEAAEIAB0WIQSZq9xs+NQS5N5fwPwLcOU6oDjVhwUCZw8Q7wAKCRALcOU6oDjV h7IRCACuclE/Hw6nucIkFqbDD4j1FJyNvYHFTA8QEma+CjSf1LvLgRA0+wDQDcvD7CzGs0/kBVL +p7qFfU1Z3hRD5RaUIc58ByahD4fs14gKTzFb+geIoyr8QtLt61RYdG3/rP6FNDAiMD+t6L5XNC CWkqfD8uX6pzQiqnjSek7qBy5fauBVI8QCb0pExKkHnYgk2V41VOxHKeKSSftmOY80rJl0IlK1B 2couLFlVAk+Ml9E0J4NYrmSTLeMy5rU3GNMy890nSkbaAXtTGYLeAqUAB1w3z5Lm4QZoUio2Fx7 sjiyOZ5F94kK3r1HdQYjSLNMI904L1iuXfEf4eU+bmn0o6/l X-Developer-Key: i=antonio@openvpn.net; a=openpgp; fpr=CABDA1282017C267219885C748F0CCB68F59D14C This specific structure is used in the ovpn kernel module to wrap and carry around a standard kernel socket. ovpn takes ownership of passed sockets and therefore an ovpn specific objects is attached to them for status tracking purposes. Initially only UDP support is introduced. TCP will come in a later patch. Signed-off-by: Antonio Quartulli --- drivers/net/ovpn/Makefile | 2 + drivers/net/ovpn/socket.c | 120 ++++++++++++++++++++++++++++++++++++++++++= ++++ drivers/net/ovpn/socket.h | 48 +++++++++++++++++++ drivers/net/ovpn/udp.c | 72 ++++++++++++++++++++++++++++ drivers/net/ovpn/udp.h | 17 +++++++ 5 files changed, 259 insertions(+) diff --git a/drivers/net/ovpn/Makefile b/drivers/net/ovpn/Makefile index ce13499b3e1775a7f2a9ce16c6cb0aa088f93685..56bddc9bef83e0befde6af3c356= 5bb91731d7b22 100644 --- a/drivers/net/ovpn/Makefile +++ b/drivers/net/ovpn/Makefile @@ -13,3 +13,5 @@ ovpn-y +=3D io.o ovpn-y +=3D netlink.o ovpn-y +=3D netlink-gen.o ovpn-y +=3D peer.o +ovpn-y +=3D socket.o +ovpn-y +=3D udp.o diff --git a/drivers/net/ovpn/socket.c b/drivers/net/ovpn/socket.c new file mode 100644 index 0000000000000000000000000000000000000000..090a3232ab0ec19702110f1a90f= 45c7f10889f6f --- /dev/null +++ b/drivers/net/ovpn/socket.c @@ -0,0 +1,120 @@ +// SPDX-License-Identifier: GPL-2.0 +/* OpenVPN data channel offload + * + * Copyright (C) 2020-2024 OpenVPN, Inc. + * + * Author: James Yonan + * Antonio Quartulli + */ + +#include +#include + +#include "ovpnstruct.h" +#include "main.h" +#include "io.h" +#include "peer.h" +#include "socket.h" +#include "udp.h" + +static void ovpn_socket_detach(struct socket *sock) +{ + if (!sock) + return; + + sockfd_put(sock); +} + +/** + * ovpn_socket_release_kref - kref_put callback + * @kref: the kref object + */ +void ovpn_socket_release_kref(struct kref *kref) +{ + struct ovpn_socket *sock =3D container_of(kref, struct ovpn_socket, + refcount); + + ovpn_socket_detach(sock->sock); + kfree_rcu(sock, rcu); +} + +static bool ovpn_socket_hold(struct ovpn_socket *sock) +{ + return kref_get_unless_zero(&sock->refcount); +} + +static struct ovpn_socket *ovpn_socket_get(struct socket *sock) +{ + struct ovpn_socket *ovpn_sock; + + rcu_read_lock(); + ovpn_sock =3D rcu_dereference_sk_user_data(sock->sk); + if (!ovpn_socket_hold(ovpn_sock)) { + pr_warn("%s: found ovpn_socket with ref =3D 0\n", __func__); + ovpn_sock =3D NULL; + } + rcu_read_unlock(); + + return ovpn_sock; +} + +static int ovpn_socket_attach(struct socket *sock, struct ovpn_peer *peer) +{ + int ret =3D -EOPNOTSUPP; + + if (!sock || !peer) + return -EINVAL; + + if (sock->sk->sk_protocol =3D=3D IPPROTO_UDP) + ret =3D ovpn_udp_socket_attach(sock, peer->ovpn); + + return ret; +} + +/** + * ovpn_socket_new - create a new socket and initialize it + * @sock: the kernel socket to embed + * @peer: the peer reachable via this socket + * + * Return: an openvpn socket on success or a negative error code otherwise + */ +struct ovpn_socket *ovpn_socket_new(struct socket *sock, struct ovpn_peer = *peer) +{ + struct ovpn_socket *ovpn_sock; + int ret; + + ret =3D ovpn_socket_attach(sock, peer); + if (ret < 0 && ret !=3D -EALREADY) + return ERR_PTR(ret); + + /* if this socket is already owned by this interface, just increase the + * refcounter and use it as expected. + * + * Since UDP sockets can be used to talk to multiple remote endpoints, + * openvpn normally instantiates only one socket and shares it among all + * its peers. For this reason, when we find out that a socket is already + * used for some other peer in *this* instance, we can happily increase + * its refcounter and use it normally. + */ + if (ret =3D=3D -EALREADY) { + /* caller is expected to increase the sock refcounter before + * passing it to this function. For this reason we drop it if + * not needed, like when this socket is already owned. + */ + ovpn_sock =3D ovpn_socket_get(sock); + sockfd_put(sock); + return ovpn_sock; + } + + ovpn_sock =3D kzalloc(sizeof(*ovpn_sock), GFP_KERNEL); + if (!ovpn_sock) + return ERR_PTR(-ENOMEM); + + ovpn_sock->ovpn =3D peer->ovpn; + ovpn_sock->sock =3D sock; + kref_init(&ovpn_sock->refcount); + + rcu_assign_sk_user_data(sock->sk, ovpn_sock); + + return ovpn_sock; +} diff --git a/drivers/net/ovpn/socket.h b/drivers/net/ovpn/socket.h new file mode 100644 index 0000000000000000000000000000000000000000..5ad9c5073b085482da95ee8ebf4= 0acf20bf2e4b3 --- /dev/null +++ b/drivers/net/ovpn/socket.h @@ -0,0 +1,48 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* OpenVPN data channel offload + * + * Copyright (C) 2020-2024 OpenVPN, Inc. + * + * Author: James Yonan + * Antonio Quartulli + */ + +#ifndef _NET_OVPN_SOCK_H_ +#define _NET_OVPN_SOCK_H_ + +#include +#include +#include + +struct ovpn_struct; +struct ovpn_peer; + +/** + * struct ovpn_socket - a kernel socket referenced in the ovpn code + * @ovpn: ovpn instance owning this socket (UDP only) + * @sock: the low level sock object + * @refcount: amount of contexts currently referencing this object + * @rcu: member used to schedule RCU destructor callback + */ +struct ovpn_socket { + struct ovpn_struct *ovpn; + struct socket *sock; + struct kref refcount; + struct rcu_head rcu; +}; + +void ovpn_socket_release_kref(struct kref *kref); + +/** + * ovpn_socket_put - decrease reference counter + * @sock: the socket whose reference counter should be decreased + */ +static inline void ovpn_socket_put(struct ovpn_socket *sock) +{ + kref_put(&sock->refcount, ovpn_socket_release_kref); +} + +struct ovpn_socket *ovpn_socket_new(struct socket *sock, + struct ovpn_peer *peer); + +#endif /* _NET_OVPN_SOCK_H_ */ diff --git a/drivers/net/ovpn/udp.c b/drivers/net/ovpn/udp.c new file mode 100644 index 0000000000000000000000000000000000000000..c10474d252e19a0626d17a6f5dd= 328a5e5811551 --- /dev/null +++ b/drivers/net/ovpn/udp.c @@ -0,0 +1,72 @@ +// SPDX-License-Identifier: GPL-2.0 +/* OpenVPN data channel offload + * + * Copyright (C) 2019-2024 OpenVPN, Inc. + * + * Author: Antonio Quartulli + */ + +#include +#include +#include + +#include "ovpnstruct.h" +#include "main.h" +#include "socket.h" +#include "udp.h" + +/** + * ovpn_udp_socket_attach - set udp-tunnel CBs on socket and link it to ov= pn + * @sock: socket to configure + * @ovpn: the openvp instance to link + * + * After invoking this function, the sock will be controlled by ovpn so th= at + * any incoming packet may be processed by ovpn first. + * + * Return: 0 on success or a negative error code otherwise + */ +int ovpn_udp_socket_attach(struct socket *sock, struct ovpn_struct *ovpn) +{ + struct ovpn_socket *old_data; + int ret =3D 0; + + /* sanity check */ + if (sock->sk->sk_protocol !=3D IPPROTO_UDP) { + DEBUG_NET_WARN_ON_ONCE(1); + return -EINVAL; + } + + /* make sure no pre-existing encapsulation handler exists */ + rcu_read_lock(); + old_data =3D rcu_dereference_sk_user_data(sock->sk); + if (!old_data) { + /* socket is currently unused - we can take it */ + rcu_read_unlock(); + return 0; + } + + /* socket is in use. We need to understand if it's owned by this ovpn + * instance or by something else. + * In the former case, we can increase the refcounter and happily + * use it, because the same UDP socket is expected to be shared among + * different peers. + * + * Unlikely TCP, a single UDP socket can be used to talk to many remote + * hosts and therefore openvpn instantiates one only for all its peers + */ + if ((READ_ONCE(udp_sk(sock->sk)->encap_type) =3D=3D UDP_ENCAP_OVPNINUDP) = && + old_data->ovpn =3D=3D ovpn) { + netdev_dbg(ovpn->dev, + "%s: provided socket already owned by this interface\n", + __func__); + ret =3D -EALREADY; + } else { + netdev_err(ovpn->dev, + "%s: provided socket already taken by other user\n", + __func__); + ret =3D -EBUSY; + } + rcu_read_unlock(); + + return ret; +} diff --git a/drivers/net/ovpn/udp.h b/drivers/net/ovpn/udp.h new file mode 100644 index 0000000000000000000000000000000000000000..f2507f8f2c71ea9d5e5ac544680= 1e2d56f86700f --- /dev/null +++ b/drivers/net/ovpn/udp.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* OpenVPN data channel offload + * + * Copyright (C) 2019-2024 OpenVPN, Inc. + * + * Author: Antonio Quartulli + */ + +#ifndef _NET_OVPN_UDP_H_ +#define _NET_OVPN_UDP_H_ + +struct ovpn_struct; +struct socket; + +int ovpn_udp_socket_attach(struct socket *sock, struct ovpn_struct *ovpn); + +#endif /* _NET_OVPN_UDP_H_ */ --=20 2.45.2