From nobody Thu Dec 18 06:17:23 2025 Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A70CB296D2E for ; Tue, 15 Apr 2025 11:17:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1744715863; cv=none; b=hLPeR29EEqFX++Fgmm9ZHtAPILj6MykVdwaLfK01cXLfg5MN6vwugYmqaef0M+NwBrWmxGxpAYc0SPTeWaXZQwpe5dN2Yl/zffR8MzA17kRFwwx9iu+SVYaPncXf46hpcJ9Dt3lNum+N6/yX5D5Ei+DdV65fIPnklByMnUVhGwI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1744715863; c=relaxed/simple; bh=jlCLaGVNxLm1Jsk4tkiNegdEQkq21daqEz9fo+9VcI4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=cTKY3XvZSwDlY3E19ey0alAW4kIbjQe/C5mEs714DXNbiCqQcHftMOOoBGSY9nPeLl1vFN0ew/ei8qeJsOOrhVBGH2dcpBa1Bu3KIN75eQbhFeEUxVucEZDX+VvSE2yPFA4GFTSWtLiCiOeFNoUgRFYwEDi/swkjnPFZGrD5shk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=openvpn.net; spf=pass smtp.mailfrom=openvpn.com; dkim=pass (2048-bit key) header.d=openvpn.net header.i=@openvpn.net header.b=Wy6w6kQZ; arc=none smtp.client-ip=209.85.128.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=openvpn.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=openvpn.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=openvpn.net header.i=@openvpn.net header.b="Wy6w6kQZ" Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-43cf06eabdaso52000575e9.2 for ; Tue, 15 Apr 2025 04:17:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1744715858; x=1745320658; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=wcZ4k/k95znNdp6YriGx1xBYvWaYpJ8GxQw+hTFVv8Q=; b=Wy6w6kQZQCv46q7qpWX8ge6o40HTPquQ0TgqoK6A3GDqQV/MRoE+Ny5rLx9sID9l2+ dA1anreZFMDfVzAm8GdaE781FQnUkbTA2ZFubOELIUX3NQqtRbExnCoCa+cJSKo9sFhZ ZR32Pwo7WVHS/WM2GoZDiovC3EWPbvSoNcXv1lHNWh6Z1fp8gQAckcFH6XWI1dsg/Ycy 3v6Q3VEg/lh1OfhHdnaMfJRBw0bR6c/ckOA0F9hwbW4fHVvkNTPsE5JAyYfsrQ6C55tt DNXUHB9/8IgS3bGzJhMTKPXHt60f0gyn/4nx3k51SlyUZAGt3bjYTmcbYEK27MWV6Vkg ISaA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744715858; x=1745320658; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=wcZ4k/k95znNdp6YriGx1xBYvWaYpJ8GxQw+hTFVv8Q=; b=gsp2wXBcUegb4tkwxuSvTlRqRZ/PLgk9HdxQ2kfgT1Z/0FCF1RY6vDHBfwjOr8dlJQ VqeUP9ja9gbCWzWk8Jl8nGD883ZzktNUPi+hNSumvfI+pN0aAgluJMLSBmXGrff3i0fv NvXsFS7iMfKQaY+ZUQ1nBityVPKn3+73T0H3uftZoQ6rIKtZxrIegoFoyEDJP5uCefqY tvsBlZDvuVUhN1O44Z/yRQOvQh8H4H8f0/Y9haFzVH2HrKPP3LbG5p24RWZn4y3xyGCD vdmvFX13+ZyqKM4uINrTW9WMSYs07DNta8y60/4jNBm8oLXiXAB+gvll4jvrL8eg+cRE VwHw== X-Forwarded-Encrypted: i=1; AJvYcCUxMkqp6bl75GrnkqWuy9bbnaxpyW9pyDQBhYjhpH9YUwUM4GZbE59JaO8t1xDYIZhsPUSIhJk44OElwIg=@vger.kernel.org X-Gm-Message-State: AOJu0Yz3mpvMpgwubOBRhteCE/qqIGn7a5htU0KnV+SstQ3kG+pBaA+p X5QGdJvyjrkB2z+rNZvQtA0f6h/OLgqSGQ0GE6PQlHGsbPFP+391aslTM8u201DCR5ZQXPx1SqD bQ2QgTlo+1vCVB+dZgeHahlNc08WjTSfDiZFEt3P54jeEUB33Y+Qt8kM= X-Gm-Gg: ASbGncv6I4L9xvyRi6kBmy+ZpRH9hyvjkh2HXTf92M9wm20TwMJze4+SdPWWl2/Sp9T 9BOuURrCBo9C2vdIJ2WAM71SCMs8tV0BadJb0HRd3E+U62U9wJ7lrpLUoZfkaveyIYbZlLE3Knw Z5UC1aSNFI2mv1pmZ6ZOqlG2PGfhZyVXXwrqz2v+rpH4UVYs+AaISXDvWrQss3dVNRqoN1LEHgC W5cghl7Pxicy3bWXePuw6lpD7HytDd/VFRkKi78YbQwUikUswNQ6ZfZA2qVMfCogX715Ul9sFm+ afcksk8A0u6WHyPXP4b9YkaNE4zCy7h2Jn4BjA== X-Google-Smtp-Source: AGHT+IH7Jcw4JCqhPlH3V3HgIBweSBREGujZ9Lk37c2/ZCR87skvltP2Lq6qU5G5KMlbFkbDm9t/MA== X-Received: by 2002:a05:600c:458b:b0:43c:fc0c:7f33 with SMTP id 5b1f17b1804b1-43f3a925f6amr143384645e9.2.1744715853430; Tue, 15 Apr 2025 04:17:33 -0700 (PDT) Received: from [127.0.0.1] ([2001:67c:2fbc:1:83ac:73b4:720f:dc99]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-43f2066d26bsm210836255e9.22.2025.04.15.04.17.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Apr 2025 04:17:32 -0700 (PDT) From: Antonio Quartulli Date: Tue, 15 Apr 2025 13:17:24 +0200 Subject: [PATCH net-next v26 07/23] ovpn: implement basic TX path (UDP) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250415-b4-ovpn-v26-7-577f6097b964@openvpn.net> References: <20250415-b4-ovpn-v26-0-577f6097b964@openvpn.net> In-Reply-To: <20250415-b4-ovpn-v26-0-577f6097b964@openvpn.net> To: netdev@vger.kernel.org, Eric Dumazet , Jakub Kicinski , Paolo Abeni , Donald Hunter , Antonio Quartulli , Shuah Khan , sd@queasysnail.net, ryazanov.s.a@gmail.com, Andrew Lunn Cc: Simon Horman , linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Xiao Liang X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=openpgp-sha256; l=16589; i=antonio@openvpn.net; h=from:subject:message-id; bh=jlCLaGVNxLm1Jsk4tkiNegdEQkq21daqEz9fo+9VcI4=; b=owEBbQGS/pANAwAIAQtw5TqgONWHAcsmYgBn/kBBiasEA7+354YE5uX8/UktWsLwl6Dp8oVeo VQa6de9NJmJATMEAAEIAB0WIQSZq9xs+NQS5N5fwPwLcOU6oDjVhwUCZ/5AQQAKCRALcOU6oDjV h1gyB/0TpTJRD9FzFK7ngLfY7bfQ2TTz75xoy1PR+zjJWt2tqKjXv6foDzH/yRutjcbWOQ6qBvc rYFtyDw6o4942IhP+7IMwzd+RVhCDhN2GN2hjTJWPMZ9YFKz5L1X6D5gH1c9ey6CVDmwAFPtrVQ +lKt8xkE5bsiG3lH/UNkBIdqhbIV0fwY0n0vzb3YrEW/fcCQEh/5r4XuPxnjNOJw/HNgtTLT4Ic Aw84YaFuzaFSBvmRfyeS+hXMsP3cv08diKK9vfgYjAVo2FwAisNKpWlBv9JQqyQe+UOv24bCjW+ YSJz9a4BjmnI56PP0JDsYoO3G3ulyrG0aVzfcbCTcgxfRSqv X-Developer-Key: i=antonio@openvpn.net; a=openpgp; fpr=CABDA1282017C267219885C748F0CCB68F59D14C Packets sent over the ovpn interface are processed and transmitted to the connected peer, if any. Implementation is UDP only. TCP will be added by a later patch. Note: no crypto/encapsulation exists yet. Packets are just captured and sent. Signed-off-by: Antonio Quartulli --- drivers/net/Kconfig | 1 + drivers/net/ovpn/io.c | 137 +++++++++++++++++++++++++++- drivers/net/ovpn/peer.c | 32 +++++++ drivers/net/ovpn/peer.h | 2 + drivers/net/ovpn/skb.h | 55 ++++++++++++ drivers/net/ovpn/udp.c | 233 ++++++++++++++++++++++++++++++++++++++++++++= +++- drivers/net/ovpn/udp.h | 6 ++ 7 files changed, 464 insertions(+), 2 deletions(-) diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig index 2806fcc22a2dbd9b2985b09dd6ef65dd1dc4ebc1..305f04dd97234c4aa43da782174= 48b914cc7ede0 100644 --- a/drivers/net/Kconfig +++ b/drivers/net/Kconfig @@ -120,6 +120,7 @@ config OVPN depends on NET && INET depends on IPV6 || !IPV6 select DST_CACHE + select NET_UDP_TUNNEL help This module enhances the performance of the OpenVPN userspace software by offloading the data channel processing to kernelspace. diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c index 4b71c38165d7adbb1a2d1a64d27a13b7f76cfbfe..93b128827b6d683a57297391816= bff3391ef5bec 100644 --- a/drivers/net/ovpn/io.c +++ b/drivers/net/ovpn/io.c @@ -9,14 +9,149 @@ =20 #include #include +#include =20 #include "io.h" +#include "ovpnpriv.h" +#include "peer.h" +#include "udp.h" +#include "skb.h" +#include "socket.h" + +static void ovpn_encrypt_post(struct sk_buff *skb, int ret) +{ + struct ovpn_peer *peer =3D ovpn_skb_cb(skb)->peer; + struct ovpn_socket *sock; + + if (unlikely(ret < 0)) + goto err; + + skb_mark_not_on_list(skb); + + rcu_read_lock(); + sock =3D rcu_dereference(peer->sock); + if (unlikely(!sock)) + goto err_unlock; + + switch (sock->sock->sk->sk_protocol) { + case IPPROTO_UDP: + ovpn_udp_send_skb(peer, sock->sock, skb); + break; + default: + /* no transport configured yet */ + goto err_unlock; + } + /* skb passed down the stack - don't free it */ + skb =3D NULL; +err_unlock: + rcu_read_unlock(); +err: + if (unlikely(skb)) + dev_dstats_tx_dropped(peer->ovpn->dev); + ovpn_peer_put(peer); + kfree_skb(skb); +} + +static bool ovpn_encrypt_one(struct ovpn_peer *peer, struct sk_buff *skb) +{ + ovpn_skb_cb(skb)->peer =3D peer; + + /* take a reference to the peer because the crypto code may run async. + * ovpn_encrypt_post() will release it upon completion + */ + if (unlikely(!ovpn_peer_hold(peer))) { + DEBUG_NET_WARN_ON_ONCE(1); + return false; + } + + ovpn_encrypt_post(skb, 0); + return true; +} + +/* send skb to connected peer, if any */ +static void ovpn_send(struct ovpn_priv *ovpn, struct sk_buff *skb, + struct ovpn_peer *peer) +{ + struct sk_buff *curr, *next; + + /* this might be a GSO-segmented skb list: process each skb + * independently + */ + skb_list_walk_safe(skb, curr, next) { + if (unlikely(!ovpn_encrypt_one(peer, curr))) { + dev_dstats_tx_dropped(ovpn->dev); + kfree_skb(curr); + } + } + + ovpn_peer_put(peer); +} =20 /* Send user data to the network */ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev) { + struct ovpn_priv *ovpn =3D netdev_priv(dev); + struct sk_buff *segments, *curr, *next; + struct sk_buff_head skb_list; + struct ovpn_peer *peer; + __be16 proto; + int ret; + + /* reset netfilter state */ + nf_reset_ct(skb); + + /* verify IP header size in network packet */ + proto =3D ovpn_ip_check_protocol(skb); + if (unlikely(!proto || skb->protocol !=3D proto)) + goto drop; + + if (skb_is_gso(skb)) { + segments =3D skb_gso_segment(skb, 0); + if (IS_ERR(segments)) { + ret =3D PTR_ERR(segments); + net_err_ratelimited("%s: cannot segment payload packet: %d\n", + netdev_name(dev), ret); + goto drop; + } + + consume_skb(skb); + skb =3D segments; + } + + /* from this moment on, "skb" might be a list */ + + __skb_queue_head_init(&skb_list); + skb_list_walk_safe(skb, curr, next) { + skb_mark_not_on_list(curr); + + curr =3D skb_share_check(curr, GFP_ATOMIC); + if (unlikely(!curr)) { + net_err_ratelimited("%s: skb_share_check failed for payload packet\n", + netdev_name(dev)); + dev_dstats_tx_dropped(ovpn->dev); + continue; + } + + __skb_queue_tail(&skb_list, curr); + } + skb_list.prev->next =3D NULL; + + /* retrieve peer serving the destination IP of this packet */ + peer =3D ovpn_peer_get_by_dst(ovpn, skb); + if (unlikely(!peer)) { + net_dbg_ratelimited("%s: no peer to send data to\n", + netdev_name(ovpn->dev)); + goto drop; + } + + ovpn_send(ovpn, skb_list.next, peer); + + return NETDEV_TX_OK; + +drop: + dev_dstats_tx_dropped(ovpn->dev); skb_tx_error(skb); - kfree_skb(skb); + kfree_skb_list(skb); return NET_XMIT_DROP; } diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index 0bb6c15171848acbc055829a3d2aefd26c5b810a..10eabd62ae7237162a36a333b41= c748901a7d888 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c @@ -294,6 +294,38 @@ static void ovpn_peer_remove(struct ovpn_peer *peer, llist_add(&peer->release_entry, release_list); } =20 +/** + * ovpn_peer_get_by_dst - Lookup peer to send skb to + * @ovpn: the private data representing the current VPN session + * @skb: the skb to extract the destination address from + * + * This function takes a tunnel packet and looks up the peer to send it to + * after encapsulation. The skb is expected to be the in-tunnel packet, wi= thout + * any OpenVPN related header. + * + * Assume that the IP header is accessible in the skb data. + * + * Return: the peer if found or NULL otherwise. + */ +struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn, + struct sk_buff *skb) +{ + struct ovpn_peer *peer =3D NULL; + + /* in P2P mode, no matter the destination, packets are always sent to + * the single peer listening on the other side + */ + if (ovpn->mode =3D=3D OVPN_MODE_P2P) { + rcu_read_lock(); + peer =3D rcu_dereference(ovpn->peer); + if (unlikely(peer && !ovpn_peer_hold(peer))) + peer =3D NULL; + rcu_read_unlock(); + } + + return peer; +} + /** * ovpn_peer_add_p2p - add peer to related tables in a P2P instance * @ovpn: the instance to add the peer to diff --git a/drivers/net/ovpn/peer.h b/drivers/net/ovpn/peer.h index 29c9065cedccb156ec6ca6d9b692372e8fc89a2d..fef04311c1593db4ccfa3c41748= 7b3d4faaae9d7 100644 --- a/drivers/net/ovpn/peer.h +++ b/drivers/net/ovpn/peer.h @@ -80,5 +80,7 @@ void ovpn_peer_release_p2p(struct ovpn_priv *ovpn, struct= sock *sk, struct ovpn_peer *ovpn_peer_get_by_transp_addr(struct ovpn_priv *ovpn, struct sk_buff *skb); struct ovpn_peer *ovpn_peer_get_by_id(struct ovpn_priv *ovpn, u32 peer_id); +struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn, + struct sk_buff *skb); =20 #endif /* _NET_OVPN_OVPNPEER_H_ */ diff --git a/drivers/net/ovpn/skb.h b/drivers/net/ovpn/skb.h new file mode 100644 index 0000000000000000000000000000000000000000..9db7a9adebdb4cc493f162f89fb= 2e9c6301fa213 --- /dev/null +++ b/drivers/net/ovpn/skb.h @@ -0,0 +1,55 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* OpenVPN data channel offload + * + * Copyright (C) 2020-2025 OpenVPN, Inc. + * + * Author: Antonio Quartulli + * James Yonan + */ + +#ifndef _NET_OVPN_SKB_H_ +#define _NET_OVPN_SKB_H_ + +#include +#include +#include +#include +#include +#include +#include + +struct ovpn_cb { + struct ovpn_peer *peer; +}; + +static inline struct ovpn_cb *ovpn_skb_cb(struct sk_buff *skb) +{ + BUILD_BUG_ON(sizeof(struct ovpn_cb) > sizeof(skb->cb)); + return (struct ovpn_cb *)skb->cb; +} + +/* Return IP protocol version from skb header. + * Return 0 if protocol is not IPv4/IPv6 or cannot be read. + */ +static inline __be16 ovpn_ip_check_protocol(struct sk_buff *skb) +{ + __be16 proto =3D 0; + + /* skb could be non-linear, + * make sure IP header is in non-fragmented part + */ + if (!pskb_network_may_pull(skb, sizeof(struct iphdr))) + return 0; + + if (ip_hdr(skb)->version =3D=3D 4) { + proto =3D htons(ETH_P_IP); + } else if (ip_hdr(skb)->version =3D=3D 6) { + if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr))) + return 0; + proto =3D htons(ETH_P_IPV6); + } + + return proto; +} + +#endif /* _NET_OVPN_SKB_H_ */ diff --git a/drivers/net/ovpn/udp.c b/drivers/net/ovpn/udp.c index 91970e66a4340370a96c1fc42321f94574302143..28307ef7b2672cf1ad1240c1d17= ffdcb9e64b5a5 100644 --- a/drivers/net/ovpn/udp.c +++ b/drivers/net/ovpn/udp.c @@ -7,15 +7,246 @@ */ =20 #include +#include +#include #include #include +#include +#include +#include +#include #include +#include =20 #include "ovpnpriv.h" #include "main.h" +#include "bind.h" +#include "io.h" +#include "peer.h" #include "socket.h" #include "udp.h" =20 +/** + * ovpn_udp4_output - send IPv4 packet over udp socket + * @peer: the destination peer + * @bind: the binding related to the destination peer + * @cache: dst cache + * @sk: the socket to send the packet over + * @skb: the packet to send + * + * Return: 0 on success or a negative error code otherwise + */ +static int ovpn_udp4_output(struct ovpn_peer *peer, struct ovpn_bind *bind, + struct dst_cache *cache, struct sock *sk, + struct sk_buff *skb) +{ + struct rtable *rt; + struct flowi4 fl =3D { + .saddr =3D bind->local.ipv4.s_addr, + .daddr =3D bind->remote.in4.sin_addr.s_addr, + .fl4_sport =3D inet_sk(sk)->inet_sport, + .fl4_dport =3D bind->remote.in4.sin_port, + .flowi4_proto =3D sk->sk_protocol, + .flowi4_mark =3D sk->sk_mark, + }; + int ret; + + local_bh_disable(); + rt =3D dst_cache_get_ip4(cache, &fl.saddr); + if (rt) + goto transmit; + + if (unlikely(!inet_confirm_addr(sock_net(sk), NULL, 0, fl.saddr, + RT_SCOPE_HOST))) { + /* we may end up here when the cached address is not usable + * anymore. In this case we reset address/cache and perform a + * new look up + */ + fl.saddr =3D 0; + spin_lock_bh(&peer->lock); + bind->local.ipv4.s_addr =3D 0; + spin_unlock_bh(&peer->lock); + dst_cache_reset(cache); + } + + rt =3D ip_route_output_flow(sock_net(sk), &fl, sk); + if (IS_ERR(rt) && PTR_ERR(rt) =3D=3D -EINVAL) { + fl.saddr =3D 0; + spin_lock_bh(&peer->lock); + bind->local.ipv4.s_addr =3D 0; + spin_unlock_bh(&peer->lock); + dst_cache_reset(cache); + + rt =3D ip_route_output_flow(sock_net(sk), &fl, sk); + } + + if (IS_ERR(rt)) { + ret =3D PTR_ERR(rt); + net_dbg_ratelimited("%s: no route to host %pISpc: %d\n", + netdev_name(peer->ovpn->dev), + &bind->remote.in4, + ret); + goto err; + } + dst_cache_set_ip4(cache, &rt->dst, fl.saddr); + +transmit: + udp_tunnel_xmit_skb(rt, sk, skb, fl.saddr, fl.daddr, 0, + ip4_dst_hoplimit(&rt->dst), 0, fl.fl4_sport, + fl.fl4_dport, false, sk->sk_no_check_tx); + ret =3D 0; +err: + local_bh_enable(); + return ret; +} + +#if IS_ENABLED(CONFIG_IPV6) +/** + * ovpn_udp6_output - send IPv6 packet over udp socket + * @peer: the destination peer + * @bind: the binding related to the destination peer + * @cache: dst cache + * @sk: the socket to send the packet over + * @skb: the packet to send + * + * Return: 0 on success or a negative error code otherwise + */ +static int ovpn_udp6_output(struct ovpn_peer *peer, struct ovpn_bind *bind, + struct dst_cache *cache, struct sock *sk, + struct sk_buff *skb) +{ + struct dst_entry *dst; + int ret; + + struct flowi6 fl =3D { + .saddr =3D bind->local.ipv6, + .daddr =3D bind->remote.in6.sin6_addr, + .fl6_sport =3D inet_sk(sk)->inet_sport, + .fl6_dport =3D bind->remote.in6.sin6_port, + .flowi6_proto =3D sk->sk_protocol, + .flowi6_mark =3D sk->sk_mark, + .flowi6_oif =3D bind->remote.in6.sin6_scope_id, + }; + + local_bh_disable(); + dst =3D dst_cache_get_ip6(cache, &fl.saddr); + if (dst) + goto transmit; + + if (unlikely(!ipv6_chk_addr(sock_net(sk), &fl.saddr, NULL, 0))) { + /* we may end up here when the cached address is not usable + * anymore. In this case we reset address/cache and perform a + * new look up + */ + fl.saddr =3D in6addr_any; + spin_lock_bh(&peer->lock); + bind->local.ipv6 =3D in6addr_any; + spin_unlock_bh(&peer->lock); + dst_cache_reset(cache); + } + + dst =3D ipv6_stub->ipv6_dst_lookup_flow(sock_net(sk), sk, &fl, NULL); + if (IS_ERR(dst)) { + ret =3D PTR_ERR(dst); + net_dbg_ratelimited("%s: no route to host %pISpc: %d\n", + netdev_name(peer->ovpn->dev), + &bind->remote.in6, ret); + goto err; + } + dst_cache_set_ip6(cache, dst, &fl.saddr); + +transmit: + udp_tunnel6_xmit_skb(dst, sk, skb, skb->dev, &fl.saddr, &fl.daddr, 0, + ip6_dst_hoplimit(dst), 0, fl.fl6_sport, + fl.fl6_dport, udp_get_no_check6_tx(sk)); + ret =3D 0; +err: + local_bh_enable(); + return ret; +} +#endif + +/** + * ovpn_udp_output - transmit skb using udp-tunnel + * @peer: the destination peer + * @cache: dst cache + * @sk: the socket to send the packet over + * @skb: the packet to send + * + * rcu_read_lock should be held on entry. + * On return, the skb is consumed. + * + * Return: 0 on success or a negative error code otherwise + */ +static int ovpn_udp_output(struct ovpn_peer *peer, struct dst_cache *cache, + struct sock *sk, struct sk_buff *skb) +{ + struct ovpn_bind *bind; + int ret; + + /* set sk to null if skb is already orphaned */ + if (!skb->destructor) + skb->sk =3D NULL; + + rcu_read_lock(); + bind =3D rcu_dereference(peer->bind); + if (unlikely(!bind)) { + net_warn_ratelimited("%s: no bind for remote peer %u\n", + netdev_name(peer->ovpn->dev), peer->id); + ret =3D -ENODEV; + goto out; + } + + switch (bind->remote.in4.sin_family) { + case AF_INET: + ret =3D ovpn_udp4_output(peer, bind, cache, sk, skb); + break; +#if IS_ENABLED(CONFIG_IPV6) + case AF_INET6: + ret =3D ovpn_udp6_output(peer, bind, cache, sk, skb); + break; +#endif + default: + ret =3D -EAFNOSUPPORT; + break; + } + +out: + rcu_read_unlock(); + return ret; +} + +/** + * ovpn_udp_send_skb - prepare skb and send it over via UDP + * @peer: the destination peer + * @sock: the RCU protected peer socket + * @skb: the packet to send + */ +void ovpn_udp_send_skb(struct ovpn_peer *peer, struct socket *sock, + struct sk_buff *skb) +{ + int ret =3D -1; + + skb->dev =3D peer->ovpn->dev; + /* no checksum performed at this layer */ + skb->ip_summed =3D CHECKSUM_NONE; + + /* get socket info */ + if (unlikely(!sock)) { + net_warn_ratelimited("%s: no sock for remote peer %u\n", + netdev_name(peer->ovpn->dev), peer->id); + goto out; + } + + /* crypto layer -> transport (UDP) */ + ret =3D ovpn_udp_output(peer, &peer->dst_cache, sock->sk, skb); +out: + if (unlikely(ret < 0)) { + kfree_skb(skb); + return; + } +} + /** * ovpn_udp_socket_attach - set udp-tunnel CBs on socket and link it to ov= pn * @ovpn_sock: socket to configure @@ -31,7 +262,7 @@ int ovpn_udp_socket_attach(struct ovpn_socket *ovpn_sock, { struct socket *sock =3D ovpn_sock->sock; struct ovpn_socket *old_data; - int ret =3D 0; + int ret; =20 /* make sure no pre-existing encapsulation handler exists */ rcu_read_lock(); diff --git a/drivers/net/ovpn/udp.h b/drivers/net/ovpn/udp.h index 1c8fb6fe402dc1cfdc10fddc9cf5b74d7d6887ce..9994eb6e04283247d8ffc729966= 345810f84b22b 100644 --- a/drivers/net/ovpn/udp.h +++ b/drivers/net/ovpn/udp.h @@ -9,6 +9,9 @@ #ifndef _NET_OVPN_UDP_H_ #define _NET_OVPN_UDP_H_ =20 +#include + +struct ovpn_peer; struct ovpn_priv; struct socket; =20 @@ -16,4 +19,7 @@ int ovpn_udp_socket_attach(struct ovpn_socket *ovpn_sock, struct ovpn_priv *ovpn); void ovpn_udp_socket_detach(struct ovpn_socket *ovpn_sock); =20 +void ovpn_udp_send_skb(struct ovpn_peer *peer, struct socket *sock, + struct sk_buff *skb); + #endif /* _NET_OVPN_UDP_H_ */ --=20 2.49.0