ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c2bbc7bc8ce84672a7a47a99f84db9e588486c95
vpp/src/plugins/wireguard/wireguard_peer.h
Gabriel Oginski 583d4c94dc wireguard: add atomic mutex 
The initiate handshake process can be called a numbers times for each
peers, then the main VPP thread called by Wireguard starting to
allocate memory. This behaviour can lead to out of memory when VPP has
a lot of Wireguard tunnels concurrently.

This fix add mutex to send only once handshake initiate at time for
each peers.

Type: fix
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I13b4b2d47021753926d42a38ccadb36a411c5b79
2022-12-01 06:47:07 +00:00

225 lines
5.4 KiB
C
Raw Blame History

/*
* Copyright (c) 2020 Doc.ai and/or its affiliates.
* Copyright (c) 2020 Cisco and/or its affiliates.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef __included_wg_peer_h__
#define __included_wg_peer_h__
#include <vlibapi/api_helper_macros.h>
#include <vnet/ip/ip.h>
#include <wireguard/wireguard_cookie.h>
#include <wireguard/wireguard_timer.h>
#include <wireguard/wireguard_key.h>
#include <wireguard/wireguard_messages.h>
#include <wireguard/wireguard_if.h>
typedef struct ip4_udp_header_t_
{
ip4_header_t ip4;
udp_header_t udp;
} __clib_packed ip4_udp_header_t;
typedef struct ip4_udp_wg_header_t_
{
ip4_header_t ip4;
udp_header_t udp;
message_data_t wg;
} __clib_packed ip4_udp_wg_header_t;
typedef struct ip6_udp_header_t_
{
ip6_header_t ip6;
udp_header_t udp;
} __clib_packed ip6_udp_header_t;
typedef struct ip6_udp_wg_header_t_
{
ip6_header_t ip6;
udp_header_t udp;
message_data_t wg;
} __clib_packed ip6_udp_wg_header_t;
u8 *format_ip4_udp_header (u8 * s, va_list * va);
u8 *format_ip6_udp_header (u8 *s, va_list *va);
typedef struct wg_peer_endpoint_t_
{
ip46_address_t addr;
u16 port;
} wg_peer_endpoint_t;
typedef enum
{
WG_PEER_STATUS_DEAD = 0x1,
WG_PEER_ESTABLISHED = 0x2,
} wg_peer_flags;
typedef struct wg_peer
{
noise_remote_t remote;
cookie_maker_t cookie_maker;
u32 input_thread_index;
u32 output_thread_index;
/* Peer addresses */
wg_peer_endpoint_t dst;
wg_peer_endpoint_t src;
u32 table_id;
adj_index_t *adj_indices;
/* rewrite built from address information */
u8 *rewrite;
/* Vector of allowed-ips */
fib_prefix_t *allowed_ips;
/* The WG interface this peer is attached to */
u32 wg_sw_if_index;
/* API client registered for events */
vpe_client_registration_t *api_clients;
uword *api_client_by_client_index;
wg_peer_flags flags;
/* Timers */
tw_timer_wheel_16t_2w_512sl_t *timer_wheel;
u32 timers[WG_N_TIMERS];
u8 timers_dispatched[WG_N_TIMERS];
u32 timer_handshake_attempts;
u16 persistent_keepalive_interval;
/* Timestamps */
f64 last_sent_handshake;
f64 last_sent_packet;
f64 last_received_packet;
f64 session_derived;
f64 rehandshake_started;
/* Variable intervals */
u32 new_handshake_interval_tick;
u32 rehandshake_interval_tick;
bool timer_need_another_keepalive;
/* Handshake is sent to main thread? */
bool handshake_is_sent;
} wg_peer_t;
typedef struct wg_peer_table_bind_ctx_t_
{
ip_address_family_t af;
u32 new_fib_index;
u32 old_fib_index;
} wg_peer_table_bind_ctx_t;
int wg_peer_add (u32 tun_sw_if_index,
const u8 public_key_64[NOISE_PUBLIC_KEY_LEN],
u32 table_id,
const ip46_address_t * endpoint,
const fib_prefix_t * allowed_ips,
u16 port, u16 persistent_keepalive, index_t * peer_index);
int wg_peer_remove (u32 peer_index);
typedef walk_rc_t (*wg_peer_walk_cb_t) (index_t peeri, void *arg);
index_t wg_peer_walk (wg_peer_walk_cb_t fn, void *data);
u8 *format_wg_peer (u8 * s, va_list * va);
walk_rc_t wg_peer_if_admin_state_change (index_t peeri, void *data);
walk_rc_t wg_peer_if_delete (index_t peeri, void *data);
walk_rc_t wg_peer_if_adj_change (index_t peeri, void *data);
adj_walk_rc_t wg_peer_adj_walk (adj_index_t ai, void *data);
void wg_api_peer_event (index_t peeri, wg_peer_flags flags);
void wg_peer_update_flags (index_t peeri, wg_peer_flags flag, bool add_del);
void wg_peer_update_endpoint (index_t peeri, const ip46_address_t *addr,
u16 port);
void wg_peer_update_endpoint_from_mt (index_t peeri,
const ip46_address_t *addr, u16 port);
static inline bool
wg_peer_is_dead (wg_peer_t *peer)
{
return peer && peer->flags & WG_PEER_STATUS_DEAD;
}
/*
* Expoed for the data-plane
*/
extern index_t *wg_peer_by_adj_index;
extern wg_peer_t *wg_peer_pool;
static inline wg_peer_t *
wg_peer_get (index_t peeri)
{
return (pool_elt_at_index (wg_peer_pool, peeri));
}
static inline index_t
wg_peer_get_by_adj_index (index_t ai)
{
if (ai >= vec_len (wg_peer_by_adj_index))
return INDEX_INVALID;
return (wg_peer_by_adj_index[ai]);
}
/*
* Makes choice for thread_id should be assigned.
*/
static inline u32
wg_peer_assign_thread (u32 thread_id)
{
return ((thread_id) ? thread_id
: (vlib_num_workers ()?
((unix_time_now_nsec () % vlib_num_workers ()) +
1) : thread_id));
}
static_always_inline bool
fib_prefix_is_cover_addr_46 (const fib_prefix_t *p1, const ip46_address_t *ip)
{
switch (p1->fp_proto)
{
case FIB_PROTOCOL_IP4:
return (ip4_destination_matches_route (&ip4_main, &p1->fp_addr.ip4,
&ip->ip4, p1->fp_len) != 0);
case FIB_PROTOCOL_IP6:
return (ip6_destination_matches_route (&ip6_main, &p1->fp_addr.ip6,
&ip->ip6, p1->fp_len) != 0);
case FIB_PROTOCOL_MPLS:
break;
}
return (false);
}
static inline bool
wg_peer_can_send (wg_peer_t *peer)
{
return peer && peer->rewrite;
}
#endif // __included_wg_peer_h__
/*
* fd.io coding-style-patch-verification: ON
*
* Local Variables:
* eval: (c-set-style "gnu")
* End:
*/
Reference in New Issue View Git Blame Copy Permalink