1 // SPDX-License-Identifier: GPL-2.0
2 /* OpenVPN data channel offload
3 *
4 * Copyright (C) 2019-2025 OpenVPN, Inc.
5 *
6 * Author: Antonio Quartulli <antonio@openvpn.net>
7 */
8
9 #include <linux/netdevice.h>
10 #include <linux/inetdevice.h>
11 #include <linux/skbuff.h>
12 #include <linux/socket.h>
13 #include <linux/udp.h>
14 #include <net/addrconf.h>
15 #include <net/dst_cache.h>
16 #include <net/route.h>
17 #include <net/transp_v6.h>
18 #include <net/udp.h>
19 #include <net/udp_tunnel.h>
20
21 #include "ovpnpriv.h"
22 #include "main.h"
23 #include "bind.h"
24 #include "io.h"
25 #include "peer.h"
26 #include "proto.h"
27 #include "socket.h"
28 #include "udp.h"
29
30 /* Retrieve the corresponding ovpn object from a UDP socket
31 * rcu_read_lock must be held on entry
32 */
ovpn_socket_from_udp_sock(struct sock * sk)33 static struct ovpn_socket *ovpn_socket_from_udp_sock(struct sock *sk)
34 {
35 struct ovpn_socket *ovpn_sock;
36
37 if (unlikely(READ_ONCE(udp_sk(sk)->encap_type) != UDP_ENCAP_OVPNINUDP))
38 return NULL;
39
40 ovpn_sock = rcu_dereference_sk_user_data(sk);
41 if (unlikely(!ovpn_sock))
42 return NULL;
43
44 /* make sure that sk matches our stored transport socket */
45 if (unlikely(!ovpn_sock->sk || sk != ovpn_sock->sk))
46 return NULL;
47
48 return ovpn_sock;
49 }
50
51 /**
52 * ovpn_udp_encap_recv - Start processing a received UDP packet.
53 * @sk: socket over which the packet was received
54 * @skb: the received packet
55 *
56 * If the first byte of the payload is:
57 * - DATA_V2 the packet is accepted for further processing,
58 * - DATA_V1 the packet is dropped as not supported,
59 * - anything else the packet is forwarded to the UDP stack for
60 * delivery to user space.
61 *
62 * Return:
63 * 0 if skb was consumed or dropped
64 * >0 if skb should be passed up to userspace as UDP (packet not consumed)
65 * <0 if skb should be resubmitted as proto -N (packet not consumed)
66 */
ovpn_udp_encap_recv(struct sock * sk,struct sk_buff * skb)67 static int ovpn_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
68 {
69 struct ovpn_socket *ovpn_sock;
70 struct ovpn_priv *ovpn;
71 struct ovpn_peer *peer;
72 u32 peer_id;
73 u8 opcode;
74
75 ovpn_sock = ovpn_socket_from_udp_sock(sk);
76 if (unlikely(!ovpn_sock)) {
77 net_err_ratelimited("ovpn: %s invoked on non ovpn socket\n",
78 __func__);
79 goto drop_noovpn;
80 }
81
82 ovpn = ovpn_sock->ovpn;
83 if (unlikely(!ovpn)) {
84 net_err_ratelimited("ovpn: cannot obtain ovpn object from UDP socket\n");
85 goto drop_noovpn;
86 }
87
88 /* Make sure the first 4 bytes of the skb data buffer after the UDP
89 * header are accessible.
90 * They are required to fetch the OP code, the key ID and the peer ID.
91 */
92 if (unlikely(!pskb_may_pull(skb, sizeof(struct udphdr) +
93 OVPN_OPCODE_SIZE))) {
94 net_dbg_ratelimited("%s: packet too small from UDP socket\n",
95 netdev_name(ovpn->dev));
96 goto drop;
97 }
98
99 opcode = ovpn_opcode_from_skb(skb, sizeof(struct udphdr));
100 if (unlikely(opcode != OVPN_DATA_V2)) {
101 /* DATA_V1 is not supported */
102 if (opcode == OVPN_DATA_V1)
103 goto drop;
104
105 /* unknown or control packet: let it bubble up to userspace */
106 return 1;
107 }
108
109 peer_id = ovpn_peer_id_from_skb(skb, sizeof(struct udphdr));
110 /* some OpenVPN server implementations send data packets with the
111 * peer-id set to UNDEF. In this case we skip the peer lookup by peer-id
112 * and we try with the transport address
113 */
114 if (peer_id == OVPN_PEER_ID_UNDEF)
115 peer = ovpn_peer_get_by_transp_addr(ovpn, skb);
116 else
117 peer = ovpn_peer_get_by_id(ovpn, peer_id);
118
119 if (unlikely(!peer))
120 goto drop;
121
122 /* pop off outer UDP header */
123 __skb_pull(skb, sizeof(struct udphdr));
124 ovpn_recv(peer, skb);
125 return 0;
126
127 drop:
128 ovpn_dev_dstats_rx_dropped(ovpn->dev);
129 drop_noovpn:
130 kfree_skb(skb);
131 return 0;
132 }
133
134 /**
135 * ovpn_udp4_output - send IPv4 packet over udp socket
136 * @peer: the destination peer
137 * @bind: the binding related to the destination peer
138 * @cache: dst cache
139 * @sk: the socket to send the packet over
140 * @skb: the packet to send
141 *
142 * Return: 0 on success or a negative error code otherwise
143 */
ovpn_udp4_output(struct ovpn_peer * peer,struct ovpn_bind * bind,struct dst_cache * cache,struct sock * sk,struct sk_buff * skb)144 static int ovpn_udp4_output(struct ovpn_peer *peer, struct ovpn_bind *bind,
145 struct dst_cache *cache, struct sock *sk,
146 struct sk_buff *skb)
147 {
148 struct rtable *rt;
149 struct flowi4 fl = {
150 .saddr = bind->local.ipv4.s_addr,
151 .daddr = bind->remote.in4.sin_addr.s_addr,
152 .fl4_sport = inet_sk(sk)->inet_sport,
153 .fl4_dport = bind->remote.in4.sin_port,
154 .flowi4_proto = sk->sk_protocol,
155 .flowi4_mark = sk->sk_mark,
156 };
157 int ret;
158
159 local_bh_disable();
160 rt = dst_cache_get_ip4(cache, &fl.saddr);
161 if (rt)
162 goto transmit;
163
164 if (unlikely(!inet_confirm_addr(sock_net(sk), NULL, 0, fl.saddr,
165 RT_SCOPE_HOST))) {
166 /* we may end up here when the cached address is not usable
167 * anymore. In this case we reset address/cache and perform a
168 * new look up
169 */
170 fl.saddr = 0;
171 spin_lock_bh(&peer->lock);
172 bind->local.ipv4.s_addr = 0;
173 spin_unlock_bh(&peer->lock);
174 dst_cache_reset(cache);
175 }
176
177 rt = ip_route_output_flow(sock_net(sk), &fl, sk);
178 if (IS_ERR(rt) && PTR_ERR(rt) == -EINVAL) {
179 fl.saddr = 0;
180 spin_lock_bh(&peer->lock);
181 bind->local.ipv4.s_addr = 0;
182 spin_unlock_bh(&peer->lock);
183 dst_cache_reset(cache);
184
185 rt = ip_route_output_flow(sock_net(sk), &fl, sk);
186 }
187
188 if (IS_ERR(rt)) {
189 ret = PTR_ERR(rt);
190 net_dbg_ratelimited("%s: no route to host %pISpc: %d\n",
191 netdev_name(peer->ovpn->dev),
192 &bind->remote.in4,
193 ret);
194 goto err;
195 }
196 dst_cache_set_ip4(cache, &rt->dst, fl.saddr);
197
198 transmit:
199 udp_tunnel_xmit_skb(rt, sk, skb, fl.saddr, fl.daddr, 0,
200 ip4_dst_hoplimit(&rt->dst), 0, fl.fl4_sport,
201 fl.fl4_dport, false, sk->sk_no_check_tx, 0);
202 ret = 0;
203 err:
204 local_bh_enable();
205 return ret;
206 }
207
208 #if IS_ENABLED(CONFIG_IPV6)
209 /**
210 * ovpn_udp6_output - send IPv6 packet over udp socket
211 * @peer: the destination peer
212 * @bind: the binding related to the destination peer
213 * @cache: dst cache
214 * @sk: the socket to send the packet over
215 * @skb: the packet to send
216 *
217 * Return: 0 on success or a negative error code otherwise
218 */
ovpn_udp6_output(struct ovpn_peer * peer,struct ovpn_bind * bind,struct dst_cache * cache,struct sock * sk,struct sk_buff * skb)219 static int ovpn_udp6_output(struct ovpn_peer *peer, struct ovpn_bind *bind,
220 struct dst_cache *cache, struct sock *sk,
221 struct sk_buff *skb)
222 {
223 struct dst_entry *dst;
224 int ret;
225
226 struct flowi6 fl = {
227 .saddr = bind->local.ipv6,
228 .daddr = bind->remote.in6.sin6_addr,
229 .fl6_sport = inet_sk(sk)->inet_sport,
230 .fl6_dport = bind->remote.in6.sin6_port,
231 .flowi6_proto = sk->sk_protocol,
232 .flowi6_mark = sk->sk_mark,
233 .flowi6_oif = bind->remote.in6.sin6_scope_id,
234 };
235
236 local_bh_disable();
237 dst = dst_cache_get_ip6(cache, &fl.saddr);
238 if (dst)
239 goto transmit;
240
241 if (unlikely(!ipv6_chk_addr(sock_net(sk), &fl.saddr, NULL, 0))) {
242 /* we may end up here when the cached address is not usable
243 * anymore. In this case we reset address/cache and perform a
244 * new look up
245 */
246 fl.saddr = in6addr_any;
247 spin_lock_bh(&peer->lock);
248 bind->local.ipv6 = in6addr_any;
249 spin_unlock_bh(&peer->lock);
250 dst_cache_reset(cache);
251 }
252
253 dst = ip6_dst_lookup_flow(sock_net(sk), sk, &fl, NULL);
254 if (IS_ERR(dst)) {
255 ret = PTR_ERR(dst);
256 net_dbg_ratelimited("%s: no route to host %pISpc: %d\n",
257 netdev_name(peer->ovpn->dev),
258 &bind->remote.in6, ret);
259 goto err;
260 }
261 dst_cache_set_ip6(cache, dst, &fl.saddr);
262
263 transmit:
264 /* user IPv6 packets may be larger than the transport interface
265 * MTU (after encapsulation), however, since they are locally
266 * generated we should ensure they get fragmented.
267 * Setting the ignore_df flag to 1 will instruct ip6_fragment() to
268 * fragment packets if needed.
269 *
270 * NOTE: this is not needed for IPv4 because we pass df=0 to
271 * udp_tunnel_xmit_skb()
272 */
273 skb->ignore_df = 1;
274 udp_tunnel6_xmit_skb(dst, sk, skb, skb->dev, &fl.saddr, &fl.daddr, 0,
275 ip6_dst_hoplimit(dst), 0, fl.fl6_sport,
276 fl.fl6_dport, udp_get_no_check6_tx(sk), 0);
277 ret = 0;
278 err:
279 local_bh_enable();
280 return ret;
281 }
282 #endif
283
284 /**
285 * ovpn_udp_output - transmit skb using udp-tunnel
286 * @peer: the destination peer
287 * @cache: dst cache
288 * @sk: the socket to send the packet over
289 * @skb: the packet to send
290 *
291 * rcu_read_lock should be held on entry.
292 * On return, the skb is consumed.
293 *
294 * Return: 0 on success or a negative error code otherwise
295 */
ovpn_udp_output(struct ovpn_peer * peer,struct dst_cache * cache,struct sock * sk,struct sk_buff * skb)296 static int ovpn_udp_output(struct ovpn_peer *peer, struct dst_cache *cache,
297 struct sock *sk, struct sk_buff *skb)
298 {
299 struct ovpn_bind *bind;
300 int ret;
301
302 /* set sk to null if skb is already orphaned */
303 if (!skb->destructor)
304 skb->sk = NULL;
305
306 rcu_read_lock();
307 bind = rcu_dereference(peer->bind);
308 if (unlikely(!bind)) {
309 net_warn_ratelimited("%s: no bind for remote peer %u\n",
310 netdev_name(peer->ovpn->dev), peer->id);
311 ret = -ENODEV;
312 goto out;
313 }
314
315 switch (bind->remote.in4.sin_family) {
316 case AF_INET:
317 ret = ovpn_udp4_output(peer, bind, cache, sk, skb);
318 break;
319 #if IS_ENABLED(CONFIG_IPV6)
320 case AF_INET6:
321 ret = ovpn_udp6_output(peer, bind, cache, sk, skb);
322 break;
323 #endif
324 default:
325 ret = -EAFNOSUPPORT;
326 break;
327 }
328
329 out:
330 rcu_read_unlock();
331 return ret;
332 }
333
334 /**
335 * ovpn_udp_send_skb - prepare skb and send it over via UDP
336 * @peer: the destination peer
337 * @sk: peer socket
338 * @skb: the packet to send
339 */
ovpn_udp_send_skb(struct ovpn_peer * peer,struct sock * sk,struct sk_buff * skb)340 void ovpn_udp_send_skb(struct ovpn_peer *peer, struct sock *sk,
341 struct sk_buff *skb)
342 {
343 int ret;
344
345 skb->dev = peer->ovpn->dev;
346 skb->mark = READ_ONCE(sk->sk_mark);
347 /* no checksum performed at this layer */
348 skb->ip_summed = CHECKSUM_NONE;
349
350 /* crypto layer -> transport (UDP) */
351 ret = ovpn_udp_output(peer, &peer->dst_cache, sk, skb);
352 if (unlikely(ret < 0))
353 kfree_skb(skb);
354 }
355
ovpn_udp_encap_destroy(struct sock * sk)356 static void ovpn_udp_encap_destroy(struct sock *sk)
357 {
358 struct ovpn_socket *sock;
359 struct ovpn_priv *ovpn;
360
361 rcu_read_lock();
362 sock = rcu_dereference_sk_user_data(sk);
363 if (!sock || !sock->ovpn) {
364 rcu_read_unlock();
365 return;
366 }
367 ovpn = sock->ovpn;
368 rcu_read_unlock();
369
370 ovpn_peers_free(ovpn, sk, OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT);
371 }
372
373 /**
374 * ovpn_udp_socket_attach - set udp-tunnel CBs on socket and link it to ovpn
375 * @ovpn_sock: socket to configure
376 * @sock: the socket container to be passed to setup_udp_tunnel_sock()
377 * @ovpn: the openvp instance to link
378 *
379 * After invoking this function, the sock will be controlled by ovpn so that
380 * any incoming packet may be processed by ovpn first.
381 *
382 * Return: 0 on success or a negative error code otherwise
383 */
ovpn_udp_socket_attach(struct ovpn_socket * ovpn_sock,struct socket * sock,struct ovpn_priv * ovpn)384 int ovpn_udp_socket_attach(struct ovpn_socket *ovpn_sock, struct socket *sock,
385 struct ovpn_priv *ovpn)
386 {
387 struct udp_tunnel_sock_cfg cfg = {
388 .sk_user_data = ovpn_sock,
389 .encap_type = UDP_ENCAP_OVPNINUDP,
390 .encap_rcv = ovpn_udp_encap_recv,
391 .encap_destroy = ovpn_udp_encap_destroy,
392 };
393 struct ovpn_socket *old_data;
394 int ret;
395
396 /* make sure no pre-existing encapsulation handler exists */
397 rcu_read_lock();
398 old_data = rcu_dereference_sk_user_data(ovpn_sock->sk);
399 if (!old_data) {
400 /* socket is currently unused - we can take it */
401 rcu_read_unlock();
402 setup_udp_tunnel_sock(sock_net(ovpn_sock->sk), sock, &cfg);
403 return 0;
404 }
405
406 /* socket is in use. We need to understand if it's owned by this ovpn
407 * instance or by something else.
408 * In the former case, we can increase the refcounter and happily
409 * use it, because the same UDP socket is expected to be shared among
410 * different peers.
411 *
412 * Unlikely TCP, a single UDP socket can be used to talk to many remote
413 * hosts and therefore openvpn instantiates one only for all its peers
414 */
415 if ((READ_ONCE(udp_sk(ovpn_sock->sk)->encap_type) == UDP_ENCAP_OVPNINUDP) &&
416 old_data->ovpn == ovpn) {
417 netdev_dbg(ovpn->dev,
418 "provided socket already owned by this interface\n");
419 ret = -EALREADY;
420 } else {
421 netdev_dbg(ovpn->dev,
422 "provided socket already taken by other user\n");
423 ret = -EBUSY;
424 }
425 rcu_read_unlock();
426
427 return ret;
428 }
429
430 /**
431 * ovpn_udp_socket_detach - clean udp-tunnel status for this socket
432 * @ovpn_sock: the socket to clean
433 */
ovpn_udp_socket_detach(struct ovpn_socket * ovpn_sock)434 void ovpn_udp_socket_detach(struct ovpn_socket *ovpn_sock)
435 {
436 struct sock *sk = ovpn_sock->sk;
437
438 /* Re-enable multicast loopback */
439 inet_set_bit(MC_LOOP, sk);
440 /* Disable CHECKSUM_UNNECESSARY to CHECKSUM_COMPLETE conversion */
441 inet_dec_convert_csum(sk);
442
443 WRITE_ONCE(udp_sk(sk)->encap_type, 0);
444 WRITE_ONCE(udp_sk(sk)->encap_rcv, NULL);
445 WRITE_ONCE(udp_sk(sk)->encap_destroy, NULL);
446
447 rcu_assign_sk_user_data(sk, NULL);
448 }
449