ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
53badfc6839da351c1d1dd7f1422418b0696c580
vpp/src/plugins/wireguard/wireguard_if.h
Alexander Chernavin ce91af8ad2 wireguard: add dos mitigation support 
Type: feature

With this change:
 - if the number of received handshake messages exceeds the limit
   calculated based on the peers number, under load state will activate;
 - if being under load a handshake message with a valid mac1 is
   received, but mac2 is invalid, a cookie reply will be sent.

Also, cover these with tests.

Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
2022-08-08 14:24:06 +00:00

136 lines
3.3 KiB
C
Raw Blame History

/*
* Copyright (c) 2020 Cisco and/or its affiliates.
* Copyright (c) 2020 Doc.ai and/or its affiliates.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef __WG_ITF_H__
#define __WG_ITF_H__
#include <wireguard/wireguard_index_table.h>
#include <wireguard/wireguard_messages.h>
typedef struct wg_if_t_
{
int user_instance;
u32 sw_if_index;
// Interface params
/* noise_local_pool elt index */
u32 local_idx;
cookie_checker_t cookie_checker;
u16 port;
/* Source IP address for originated packets */
ip_address_t src_ip;
/* hash table of peers on this link */
uword *peers;
/* Under load params */
f64 handshake_counting_end;
u32 handshake_num;
} wg_if_t;
int wg_if_create (u32 user_instance,
const u8 private_key_64[NOISE_PUBLIC_KEY_LEN],
u16 port, const ip_address_t * src_ip, u32 * sw_if_indexp);
int wg_if_delete (u32 sw_if_index);
index_t wg_if_find_by_sw_if_index (u32 sw_if_index);
u8 *format_wg_if (u8 * s, va_list * va);
typedef walk_rc_t (*wg_if_walk_cb_t) (index_t wgi, void *data);
void wg_if_walk (wg_if_walk_cb_t fn, void *data);
typedef walk_rc_t (*wg_if_peer_walk_cb_t) (index_t peeri, void *data);
index_t wg_if_peer_walk (wg_if_t * wgi, wg_if_peer_walk_cb_t fn, void *data);
void wg_if_peer_add (wg_if_t * wgi, index_t peeri);
void wg_if_peer_remove (wg_if_t * wgi, index_t peeri);
/**
* Data-plane exposed functions
*/
extern wg_if_t *wg_if_pool;
static_always_inline wg_if_t *
wg_if_get (index_t wgii)
{
if (INDEX_INVALID == wgii)
return (NULL);
return (pool_elt_at_index (wg_if_pool, wgii));
}
extern index_t **wg_if_indexes_by_port;
static_always_inline index_t *
wg_if_indexes_get_by_port (u16 port)
{
if (vec_len (wg_if_indexes_by_port) == 0)
return (NULL);
if (vec_len (wg_if_indexes_by_port[port]) == 0)
return (NULL);
return (wg_if_indexes_by_port[port]);
}
#define HANDSHAKE_COUNTING_INTERVAL 0.5
#define UNDER_LOAD_INTERVAL 1.0
#define HANDSHAKE_NUM_PER_PEER_UNTIL_UNDER_LOAD 40
static_always_inline bool
wg_if_is_under_load (vlib_main_t *vm, wg_if_t *wgi)
{
static f64 wg_under_load_end;
f64 now = vlib_time_now (vm);
u32 num_until_under_load =
hash_elts (wgi->peers) * HANDSHAKE_NUM_PER_PEER_UNTIL_UNDER_LOAD;
if (wgi->handshake_counting_end < now)
{
wgi->handshake_counting_end = now + HANDSHAKE_COUNTING_INTERVAL;
wgi->handshake_num = 0;
}
wgi->handshake_num++;
if (wgi->handshake_num >= num_until_under_load)
{
wg_under_load_end = now + UNDER_LOAD_INTERVAL;
return true;
}
if (wg_under_load_end > now)
{
return true;
}
return false;
}
static_always_inline void
wg_if_dec_handshake_num (wg_if_t *wgi)
{
wgi->handshake_num--;
}
#endif
/*
* fd.io coding-style-patch-verification: ON
*
* Local Variables:
* eval: (c-set-style "gnu")
* End:
*/
Reference in New Issue View Git Blame Copy Permalink