1f6226ae7SAntonio Quartulli // SPDX-License-Identifier: GPL-2.0
2f6226ae7SAntonio Quartulli /* OpenVPN data channel offload
3f6226ae7SAntonio Quartulli *
4f6226ae7SAntonio Quartulli * Copyright (C) 2019-2025 OpenVPN, Inc.
5f6226ae7SAntonio Quartulli *
6f6226ae7SAntonio Quartulli * Author: Antonio Quartulli <antonio@openvpn.net>
7f6226ae7SAntonio Quartulli */
8f6226ae7SAntonio Quartulli
9f6226ae7SAntonio Quartulli #include <linux/netdevice.h>
1008857b5eSAntonio Quartulli #include <linux/inetdevice.h>
1108857b5eSAntonio Quartulli #include <linux/skbuff.h>
12f6226ae7SAntonio Quartulli #include <linux/socket.h>
13f6226ae7SAntonio Quartulli #include <linux/udp.h>
1408857b5eSAntonio Quartulli #include <net/addrconf.h>
1508857b5eSAntonio Quartulli #include <net/dst_cache.h>
1608857b5eSAntonio Quartulli #include <net/route.h>
1708857b5eSAntonio Quartulli #include <net/ipv6_stubs.h>
18ab66abbcSAntonio Quartulli #include <net/transp_v6.h>
19f6226ae7SAntonio Quartulli #include <net/udp.h>
2008857b5eSAntonio Quartulli #include <net/udp_tunnel.h>
21f6226ae7SAntonio Quartulli
22f6226ae7SAntonio Quartulli #include "ovpnpriv.h"
23f6226ae7SAntonio Quartulli #include "main.h"
2408857b5eSAntonio Quartulli #include "bind.h"
2508857b5eSAntonio Quartulli #include "io.h"
2608857b5eSAntonio Quartulli #include "peer.h"
27ab66abbcSAntonio Quartulli #include "proto.h"
28f6226ae7SAntonio Quartulli #include "socket.h"
29f6226ae7SAntonio Quartulli #include "udp.h"
30f6226ae7SAntonio Quartulli
31ab66abbcSAntonio Quartulli /* Retrieve the corresponding ovpn object from a UDP socket
32ab66abbcSAntonio Quartulli * rcu_read_lock must be held on entry
33ab66abbcSAntonio Quartulli */
ovpn_socket_from_udp_sock(struct sock * sk)34ab66abbcSAntonio Quartulli static struct ovpn_socket *ovpn_socket_from_udp_sock(struct sock *sk)
35ab66abbcSAntonio Quartulli {
36ab66abbcSAntonio Quartulli struct ovpn_socket *ovpn_sock;
37ab66abbcSAntonio Quartulli
38ab66abbcSAntonio Quartulli if (unlikely(READ_ONCE(udp_sk(sk)->encap_type) != UDP_ENCAP_OVPNINUDP))
39ab66abbcSAntonio Quartulli return NULL;
40ab66abbcSAntonio Quartulli
41ab66abbcSAntonio Quartulli ovpn_sock = rcu_dereference_sk_user_data(sk);
42ab66abbcSAntonio Quartulli if (unlikely(!ovpn_sock))
43ab66abbcSAntonio Quartulli return NULL;
44ab66abbcSAntonio Quartulli
45ab66abbcSAntonio Quartulli /* make sure that sk matches our stored transport socket */
46*ba499a07SAntonio Quartulli if (unlikely(!ovpn_sock->sk || sk != ovpn_sock->sk))
47ab66abbcSAntonio Quartulli return NULL;
48ab66abbcSAntonio Quartulli
49ab66abbcSAntonio Quartulli return ovpn_sock;
50ab66abbcSAntonio Quartulli }
51ab66abbcSAntonio Quartulli
52ab66abbcSAntonio Quartulli /**
53ab66abbcSAntonio Quartulli * ovpn_udp_encap_recv - Start processing a received UDP packet.
54ab66abbcSAntonio Quartulli * @sk: socket over which the packet was received
55ab66abbcSAntonio Quartulli * @skb: the received packet
56ab66abbcSAntonio Quartulli *
57ab66abbcSAntonio Quartulli * If the first byte of the payload is:
58ab66abbcSAntonio Quartulli * - DATA_V2 the packet is accepted for further processing,
59ab66abbcSAntonio Quartulli * - DATA_V1 the packet is dropped as not supported,
60ab66abbcSAntonio Quartulli * - anything else the packet is forwarded to the UDP stack for
61ab66abbcSAntonio Quartulli * delivery to user space.
62ab66abbcSAntonio Quartulli *
63ab66abbcSAntonio Quartulli * Return:
64ab66abbcSAntonio Quartulli * 0 if skb was consumed or dropped
65ab66abbcSAntonio Quartulli * >0 if skb should be passed up to userspace as UDP (packet not consumed)
66ab66abbcSAntonio Quartulli * <0 if skb should be resubmitted as proto -N (packet not consumed)
67ab66abbcSAntonio Quartulli */
ovpn_udp_encap_recv(struct sock * sk,struct sk_buff * skb)68ab66abbcSAntonio Quartulli static int ovpn_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
69ab66abbcSAntonio Quartulli {
70ab66abbcSAntonio Quartulli struct ovpn_socket *ovpn_sock;
71ab66abbcSAntonio Quartulli struct ovpn_priv *ovpn;
72ab66abbcSAntonio Quartulli struct ovpn_peer *peer;
73ab66abbcSAntonio Quartulli u32 peer_id;
74ab66abbcSAntonio Quartulli u8 opcode;
75ab66abbcSAntonio Quartulli
76ab66abbcSAntonio Quartulli ovpn_sock = ovpn_socket_from_udp_sock(sk);
77ab66abbcSAntonio Quartulli if (unlikely(!ovpn_sock)) {
78ab66abbcSAntonio Quartulli net_err_ratelimited("ovpn: %s invoked on non ovpn socket\n",
79ab66abbcSAntonio Quartulli __func__);
80ab66abbcSAntonio Quartulli goto drop_noovpn;
81ab66abbcSAntonio Quartulli }
82ab66abbcSAntonio Quartulli
83ab66abbcSAntonio Quartulli ovpn = ovpn_sock->ovpn;
84ab66abbcSAntonio Quartulli if (unlikely(!ovpn)) {
85ab66abbcSAntonio Quartulli net_err_ratelimited("ovpn: cannot obtain ovpn object from UDP socket\n");
86ab66abbcSAntonio Quartulli goto drop_noovpn;
87ab66abbcSAntonio Quartulli }
88ab66abbcSAntonio Quartulli
89ab66abbcSAntonio Quartulli /* Make sure the first 4 bytes of the skb data buffer after the UDP
90ab66abbcSAntonio Quartulli * header are accessible.
91ab66abbcSAntonio Quartulli * They are required to fetch the OP code, the key ID and the peer ID.
92ab66abbcSAntonio Quartulli */
93ab66abbcSAntonio Quartulli if (unlikely(!pskb_may_pull(skb, sizeof(struct udphdr) +
94ab66abbcSAntonio Quartulli OVPN_OPCODE_SIZE))) {
95ab66abbcSAntonio Quartulli net_dbg_ratelimited("%s: packet too small from UDP socket\n",
96ab66abbcSAntonio Quartulli netdev_name(ovpn->dev));
97ab66abbcSAntonio Quartulli goto drop;
98ab66abbcSAntonio Quartulli }
99ab66abbcSAntonio Quartulli
100ab66abbcSAntonio Quartulli opcode = ovpn_opcode_from_skb(skb, sizeof(struct udphdr));
101ab66abbcSAntonio Quartulli if (unlikely(opcode != OVPN_DATA_V2)) {
102ab66abbcSAntonio Quartulli /* DATA_V1 is not supported */
103ab66abbcSAntonio Quartulli if (opcode == OVPN_DATA_V1)
104ab66abbcSAntonio Quartulli goto drop;
105ab66abbcSAntonio Quartulli
106ab66abbcSAntonio Quartulli /* unknown or control packet: let it bubble up to userspace */
107ab66abbcSAntonio Quartulli return 1;
108ab66abbcSAntonio Quartulli }
109ab66abbcSAntonio Quartulli
110ab66abbcSAntonio Quartulli peer_id = ovpn_peer_id_from_skb(skb, sizeof(struct udphdr));
111ab66abbcSAntonio Quartulli /* some OpenVPN server implementations send data packets with the
112ab66abbcSAntonio Quartulli * peer-id set to UNDEF. In this case we skip the peer lookup by peer-id
113ab66abbcSAntonio Quartulli * and we try with the transport address
114ab66abbcSAntonio Quartulli */
115ab66abbcSAntonio Quartulli if (peer_id == OVPN_PEER_ID_UNDEF)
116ab66abbcSAntonio Quartulli peer = ovpn_peer_get_by_transp_addr(ovpn, skb);
117ab66abbcSAntonio Quartulli else
118ab66abbcSAntonio Quartulli peer = ovpn_peer_get_by_id(ovpn, peer_id);
119ab66abbcSAntonio Quartulli
120ab66abbcSAntonio Quartulli if (unlikely(!peer))
121ab66abbcSAntonio Quartulli goto drop;
122ab66abbcSAntonio Quartulli
123ab66abbcSAntonio Quartulli /* pop off outer UDP header */
124ab66abbcSAntonio Quartulli __skb_pull(skb, sizeof(struct udphdr));
125ab66abbcSAntonio Quartulli ovpn_recv(peer, skb);
126ab66abbcSAntonio Quartulli return 0;
127ab66abbcSAntonio Quartulli
128ab66abbcSAntonio Quartulli drop:
129ab66abbcSAntonio Quartulli dev_dstats_rx_dropped(ovpn->dev);
130ab66abbcSAntonio Quartulli drop_noovpn:
131ab66abbcSAntonio Quartulli kfree_skb(skb);
132ab66abbcSAntonio Quartulli return 0;
133ab66abbcSAntonio Quartulli }
134ab66abbcSAntonio Quartulli
135f6226ae7SAntonio Quartulli /**
13608857b5eSAntonio Quartulli * ovpn_udp4_output - send IPv4 packet over udp socket
13708857b5eSAntonio Quartulli * @peer: the destination peer
13808857b5eSAntonio Quartulli * @bind: the binding related to the destination peer
13908857b5eSAntonio Quartulli * @cache: dst cache
14008857b5eSAntonio Quartulli * @sk: the socket to send the packet over
14108857b5eSAntonio Quartulli * @skb: the packet to send
14208857b5eSAntonio Quartulli *
14308857b5eSAntonio Quartulli * Return: 0 on success or a negative error code otherwise
14408857b5eSAntonio Quartulli */
ovpn_udp4_output(struct ovpn_peer * peer,struct ovpn_bind * bind,struct dst_cache * cache,struct sock * sk,struct sk_buff * skb)14508857b5eSAntonio Quartulli static int ovpn_udp4_output(struct ovpn_peer *peer, struct ovpn_bind *bind,
14608857b5eSAntonio Quartulli struct dst_cache *cache, struct sock *sk,
14708857b5eSAntonio Quartulli struct sk_buff *skb)
14808857b5eSAntonio Quartulli {
14908857b5eSAntonio Quartulli struct rtable *rt;
15008857b5eSAntonio Quartulli struct flowi4 fl = {
15108857b5eSAntonio Quartulli .saddr = bind->local.ipv4.s_addr,
15208857b5eSAntonio Quartulli .daddr = bind->remote.in4.sin_addr.s_addr,
15308857b5eSAntonio Quartulli .fl4_sport = inet_sk(sk)->inet_sport,
15408857b5eSAntonio Quartulli .fl4_dport = bind->remote.in4.sin_port,
15508857b5eSAntonio Quartulli .flowi4_proto = sk->sk_protocol,
15608857b5eSAntonio Quartulli .flowi4_mark = sk->sk_mark,
15708857b5eSAntonio Quartulli };
15808857b5eSAntonio Quartulli int ret;
15908857b5eSAntonio Quartulli
16008857b5eSAntonio Quartulli local_bh_disable();
16108857b5eSAntonio Quartulli rt = dst_cache_get_ip4(cache, &fl.saddr);
16208857b5eSAntonio Quartulli if (rt)
16308857b5eSAntonio Quartulli goto transmit;
16408857b5eSAntonio Quartulli
16508857b5eSAntonio Quartulli if (unlikely(!inet_confirm_addr(sock_net(sk), NULL, 0, fl.saddr,
16608857b5eSAntonio Quartulli RT_SCOPE_HOST))) {
16708857b5eSAntonio Quartulli /* we may end up here when the cached address is not usable
16808857b5eSAntonio Quartulli * anymore. In this case we reset address/cache and perform a
16908857b5eSAntonio Quartulli * new look up
17008857b5eSAntonio Quartulli */
17108857b5eSAntonio Quartulli fl.saddr = 0;
17208857b5eSAntonio Quartulli spin_lock_bh(&peer->lock);
17308857b5eSAntonio Quartulli bind->local.ipv4.s_addr = 0;
17408857b5eSAntonio Quartulli spin_unlock_bh(&peer->lock);
17508857b5eSAntonio Quartulli dst_cache_reset(cache);
17608857b5eSAntonio Quartulli }
17708857b5eSAntonio Quartulli
17808857b5eSAntonio Quartulli rt = ip_route_output_flow(sock_net(sk), &fl, sk);
17908857b5eSAntonio Quartulli if (IS_ERR(rt) && PTR_ERR(rt) == -EINVAL) {
18008857b5eSAntonio Quartulli fl.saddr = 0;
18108857b5eSAntonio Quartulli spin_lock_bh(&peer->lock);
18208857b5eSAntonio Quartulli bind->local.ipv4.s_addr = 0;
18308857b5eSAntonio Quartulli spin_unlock_bh(&peer->lock);
18408857b5eSAntonio Quartulli dst_cache_reset(cache);
18508857b5eSAntonio Quartulli
18608857b5eSAntonio Quartulli rt = ip_route_output_flow(sock_net(sk), &fl, sk);
18708857b5eSAntonio Quartulli }
18808857b5eSAntonio Quartulli
18908857b5eSAntonio Quartulli if (IS_ERR(rt)) {
19008857b5eSAntonio Quartulli ret = PTR_ERR(rt);
19108857b5eSAntonio Quartulli net_dbg_ratelimited("%s: no route to host %pISpc: %d\n",
19208857b5eSAntonio Quartulli netdev_name(peer->ovpn->dev),
19308857b5eSAntonio Quartulli &bind->remote.in4,
19408857b5eSAntonio Quartulli ret);
19508857b5eSAntonio Quartulli goto err;
19608857b5eSAntonio Quartulli }
19708857b5eSAntonio Quartulli dst_cache_set_ip4(cache, &rt->dst, fl.saddr);
19808857b5eSAntonio Quartulli
19908857b5eSAntonio Quartulli transmit:
20008857b5eSAntonio Quartulli udp_tunnel_xmit_skb(rt, sk, skb, fl.saddr, fl.daddr, 0,
20108857b5eSAntonio Quartulli ip4_dst_hoplimit(&rt->dst), 0, fl.fl4_sport,
20208857b5eSAntonio Quartulli fl.fl4_dport, false, sk->sk_no_check_tx);
20308857b5eSAntonio Quartulli ret = 0;
20408857b5eSAntonio Quartulli err:
20508857b5eSAntonio Quartulli local_bh_enable();
20608857b5eSAntonio Quartulli return ret;
20708857b5eSAntonio Quartulli }
20808857b5eSAntonio Quartulli
20908857b5eSAntonio Quartulli #if IS_ENABLED(CONFIG_IPV6)
21008857b5eSAntonio Quartulli /**
21108857b5eSAntonio Quartulli * ovpn_udp6_output - send IPv6 packet over udp socket
21208857b5eSAntonio Quartulli * @peer: the destination peer
21308857b5eSAntonio Quartulli * @bind: the binding related to the destination peer
21408857b5eSAntonio Quartulli * @cache: dst cache
21508857b5eSAntonio Quartulli * @sk: the socket to send the packet over
21608857b5eSAntonio Quartulli * @skb: the packet to send
21708857b5eSAntonio Quartulli *
21808857b5eSAntonio Quartulli * Return: 0 on success or a negative error code otherwise
21908857b5eSAntonio Quartulli */
ovpn_udp6_output(struct ovpn_peer * peer,struct ovpn_bind * bind,struct dst_cache * cache,struct sock * sk,struct sk_buff * skb)22008857b5eSAntonio Quartulli static int ovpn_udp6_output(struct ovpn_peer *peer, struct ovpn_bind *bind,
22108857b5eSAntonio Quartulli struct dst_cache *cache, struct sock *sk,
22208857b5eSAntonio Quartulli struct sk_buff *skb)
22308857b5eSAntonio Quartulli {
22408857b5eSAntonio Quartulli struct dst_entry *dst;
22508857b5eSAntonio Quartulli int ret;
22608857b5eSAntonio Quartulli
22708857b5eSAntonio Quartulli struct flowi6 fl = {
22808857b5eSAntonio Quartulli .saddr = bind->local.ipv6,
22908857b5eSAntonio Quartulli .daddr = bind->remote.in6.sin6_addr,
23008857b5eSAntonio Quartulli .fl6_sport = inet_sk(sk)->inet_sport,
23108857b5eSAntonio Quartulli .fl6_dport = bind->remote.in6.sin6_port,
23208857b5eSAntonio Quartulli .flowi6_proto = sk->sk_protocol,
23308857b5eSAntonio Quartulli .flowi6_mark = sk->sk_mark,
23408857b5eSAntonio Quartulli .flowi6_oif = bind->remote.in6.sin6_scope_id,
23508857b5eSAntonio Quartulli };
23608857b5eSAntonio Quartulli
23708857b5eSAntonio Quartulli local_bh_disable();
23808857b5eSAntonio Quartulli dst = dst_cache_get_ip6(cache, &fl.saddr);
23908857b5eSAntonio Quartulli if (dst)
24008857b5eSAntonio Quartulli goto transmit;
24108857b5eSAntonio Quartulli
24208857b5eSAntonio Quartulli if (unlikely(!ipv6_chk_addr(sock_net(sk), &fl.saddr, NULL, 0))) {
24308857b5eSAntonio Quartulli /* we may end up here when the cached address is not usable
24408857b5eSAntonio Quartulli * anymore. In this case we reset address/cache and perform a
24508857b5eSAntonio Quartulli * new look up
24608857b5eSAntonio Quartulli */
24708857b5eSAntonio Quartulli fl.saddr = in6addr_any;
24808857b5eSAntonio Quartulli spin_lock_bh(&peer->lock);
24908857b5eSAntonio Quartulli bind->local.ipv6 = in6addr_any;
25008857b5eSAntonio Quartulli spin_unlock_bh(&peer->lock);
25108857b5eSAntonio Quartulli dst_cache_reset(cache);
25208857b5eSAntonio Quartulli }
25308857b5eSAntonio Quartulli
25408857b5eSAntonio Quartulli dst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(sk), sk, &fl, NULL);
25508857b5eSAntonio Quartulli if (IS_ERR(dst)) {
25608857b5eSAntonio Quartulli ret = PTR_ERR(dst);
25708857b5eSAntonio Quartulli net_dbg_ratelimited("%s: no route to host %pISpc: %d\n",
25808857b5eSAntonio Quartulli netdev_name(peer->ovpn->dev),
25908857b5eSAntonio Quartulli &bind->remote.in6, ret);
26008857b5eSAntonio Quartulli goto err;
26108857b5eSAntonio Quartulli }
26208857b5eSAntonio Quartulli dst_cache_set_ip6(cache, dst, &fl.saddr);
26308857b5eSAntonio Quartulli
26408857b5eSAntonio Quartulli transmit:
2654e51141fSAntonio Quartulli /* user IPv6 packets may be larger than the transport interface
2664e51141fSAntonio Quartulli * MTU (after encapsulation), however, since they are locally
2674e51141fSAntonio Quartulli * generated we should ensure they get fragmented.
2684e51141fSAntonio Quartulli * Setting the ignore_df flag to 1 will instruct ip6_fragment() to
2694e51141fSAntonio Quartulli * fragment packets if needed.
2704e51141fSAntonio Quartulli *
2714e51141fSAntonio Quartulli * NOTE: this is not needed for IPv4 because we pass df=0 to
2724e51141fSAntonio Quartulli * udp_tunnel_xmit_skb()
2734e51141fSAntonio Quartulli */
2744e51141fSAntonio Quartulli skb->ignore_df = 1;
27508857b5eSAntonio Quartulli udp_tunnel6_xmit_skb(dst, sk, skb, skb->dev, &fl.saddr, &fl.daddr, 0,
27608857b5eSAntonio Quartulli ip6_dst_hoplimit(dst), 0, fl.fl6_sport,
27708857b5eSAntonio Quartulli fl.fl6_dport, udp_get_no_check6_tx(sk));
27808857b5eSAntonio Quartulli ret = 0;
27908857b5eSAntonio Quartulli err:
28008857b5eSAntonio Quartulli local_bh_enable();
28108857b5eSAntonio Quartulli return ret;
28208857b5eSAntonio Quartulli }
28308857b5eSAntonio Quartulli #endif
28408857b5eSAntonio Quartulli
28508857b5eSAntonio Quartulli /**
28608857b5eSAntonio Quartulli * ovpn_udp_output - transmit skb using udp-tunnel
28708857b5eSAntonio Quartulli * @peer: the destination peer
28808857b5eSAntonio Quartulli * @cache: dst cache
28908857b5eSAntonio Quartulli * @sk: the socket to send the packet over
29008857b5eSAntonio Quartulli * @skb: the packet to send
29108857b5eSAntonio Quartulli *
29208857b5eSAntonio Quartulli * rcu_read_lock should be held on entry.
29308857b5eSAntonio Quartulli * On return, the skb is consumed.
29408857b5eSAntonio Quartulli *
29508857b5eSAntonio Quartulli * Return: 0 on success or a negative error code otherwise
29608857b5eSAntonio Quartulli */
ovpn_udp_output(struct ovpn_peer * peer,struct dst_cache * cache,struct sock * sk,struct sk_buff * skb)29708857b5eSAntonio Quartulli static int ovpn_udp_output(struct ovpn_peer *peer, struct dst_cache *cache,
29808857b5eSAntonio Quartulli struct sock *sk, struct sk_buff *skb)
29908857b5eSAntonio Quartulli {
30008857b5eSAntonio Quartulli struct ovpn_bind *bind;
30108857b5eSAntonio Quartulli int ret;
30208857b5eSAntonio Quartulli
30308857b5eSAntonio Quartulli /* set sk to null if skb is already orphaned */
30408857b5eSAntonio Quartulli if (!skb->destructor)
30508857b5eSAntonio Quartulli skb->sk = NULL;
30608857b5eSAntonio Quartulli
30708857b5eSAntonio Quartulli rcu_read_lock();
30808857b5eSAntonio Quartulli bind = rcu_dereference(peer->bind);
30908857b5eSAntonio Quartulli if (unlikely(!bind)) {
31008857b5eSAntonio Quartulli net_warn_ratelimited("%s: no bind for remote peer %u\n",
31108857b5eSAntonio Quartulli netdev_name(peer->ovpn->dev), peer->id);
31208857b5eSAntonio Quartulli ret = -ENODEV;
31308857b5eSAntonio Quartulli goto out;
31408857b5eSAntonio Quartulli }
31508857b5eSAntonio Quartulli
31608857b5eSAntonio Quartulli switch (bind->remote.in4.sin_family) {
31708857b5eSAntonio Quartulli case AF_INET:
31808857b5eSAntonio Quartulli ret = ovpn_udp4_output(peer, bind, cache, sk, skb);
31908857b5eSAntonio Quartulli break;
32008857b5eSAntonio Quartulli #if IS_ENABLED(CONFIG_IPV6)
32108857b5eSAntonio Quartulli case AF_INET6:
32208857b5eSAntonio Quartulli ret = ovpn_udp6_output(peer, bind, cache, sk, skb);
32308857b5eSAntonio Quartulli break;
32408857b5eSAntonio Quartulli #endif
32508857b5eSAntonio Quartulli default:
32608857b5eSAntonio Quartulli ret = -EAFNOSUPPORT;
32708857b5eSAntonio Quartulli break;
32808857b5eSAntonio Quartulli }
32908857b5eSAntonio Quartulli
33008857b5eSAntonio Quartulli out:
33108857b5eSAntonio Quartulli rcu_read_unlock();
33208857b5eSAntonio Quartulli return ret;
33308857b5eSAntonio Quartulli }
33408857b5eSAntonio Quartulli
33508857b5eSAntonio Quartulli /**
33608857b5eSAntonio Quartulli * ovpn_udp_send_skb - prepare skb and send it over via UDP
33708857b5eSAntonio Quartulli * @peer: the destination peer
338*ba499a07SAntonio Quartulli * @sk: peer socket
33908857b5eSAntonio Quartulli * @skb: the packet to send
34008857b5eSAntonio Quartulli */
ovpn_udp_send_skb(struct ovpn_peer * peer,struct sock * sk,struct sk_buff * skb)341*ba499a07SAntonio Quartulli void ovpn_udp_send_skb(struct ovpn_peer *peer, struct sock *sk,
34208857b5eSAntonio Quartulli struct sk_buff *skb)
34308857b5eSAntonio Quartulli {
344*ba499a07SAntonio Quartulli int ret;
34508857b5eSAntonio Quartulli
34608857b5eSAntonio Quartulli skb->dev = peer->ovpn->dev;
34708857b5eSAntonio Quartulli /* no checksum performed at this layer */
34808857b5eSAntonio Quartulli skb->ip_summed = CHECKSUM_NONE;
34908857b5eSAntonio Quartulli
35008857b5eSAntonio Quartulli /* crypto layer -> transport (UDP) */
351*ba499a07SAntonio Quartulli ret = ovpn_udp_output(peer, &peer->dst_cache, sk, skb);
352*ba499a07SAntonio Quartulli if (unlikely(ret < 0))
35308857b5eSAntonio Quartulli kfree_skb(skb);
35408857b5eSAntonio Quartulli }
35508857b5eSAntonio Quartulli
ovpn_udp_encap_destroy(struct sock * sk)356ab66abbcSAntonio Quartulli static void ovpn_udp_encap_destroy(struct sock *sk)
357ab66abbcSAntonio Quartulli {
358ab66abbcSAntonio Quartulli struct ovpn_socket *sock;
359ab66abbcSAntonio Quartulli struct ovpn_priv *ovpn;
360ab66abbcSAntonio Quartulli
361ab66abbcSAntonio Quartulli rcu_read_lock();
362ab66abbcSAntonio Quartulli sock = rcu_dereference_sk_user_data(sk);
363ab66abbcSAntonio Quartulli if (!sock || !sock->ovpn) {
364ab66abbcSAntonio Quartulli rcu_read_unlock();
365ab66abbcSAntonio Quartulli return;
366ab66abbcSAntonio Quartulli }
367ab66abbcSAntonio Quartulli ovpn = sock->ovpn;
368ab66abbcSAntonio Quartulli rcu_read_unlock();
369ab66abbcSAntonio Quartulli
37005003b40SAntonio Quartulli ovpn_peers_free(ovpn, sk, OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT);
371ab66abbcSAntonio Quartulli }
372ab66abbcSAntonio Quartulli
37308857b5eSAntonio Quartulli /**
374f6226ae7SAntonio Quartulli * ovpn_udp_socket_attach - set udp-tunnel CBs on socket and link it to ovpn
375f6226ae7SAntonio Quartulli * @ovpn_sock: socket to configure
376*ba499a07SAntonio Quartulli * @sock: the socket container to be passed to setup_udp_tunnel_sock()
377f6226ae7SAntonio Quartulli * @ovpn: the openvp instance to link
378f6226ae7SAntonio Quartulli *
379f6226ae7SAntonio Quartulli * After invoking this function, the sock will be controlled by ovpn so that
380f6226ae7SAntonio Quartulli * any incoming packet may be processed by ovpn first.
381f6226ae7SAntonio Quartulli *
382f6226ae7SAntonio Quartulli * Return: 0 on success or a negative error code otherwise
383f6226ae7SAntonio Quartulli */
ovpn_udp_socket_attach(struct ovpn_socket * ovpn_sock,struct socket * sock,struct ovpn_priv * ovpn)384*ba499a07SAntonio Quartulli int ovpn_udp_socket_attach(struct ovpn_socket *ovpn_sock, struct socket *sock,
385f6226ae7SAntonio Quartulli struct ovpn_priv *ovpn)
386f6226ae7SAntonio Quartulli {
387ab66abbcSAntonio Quartulli struct udp_tunnel_sock_cfg cfg = {
388ab66abbcSAntonio Quartulli .encap_type = UDP_ENCAP_OVPNINUDP,
389ab66abbcSAntonio Quartulli .encap_rcv = ovpn_udp_encap_recv,
390ab66abbcSAntonio Quartulli .encap_destroy = ovpn_udp_encap_destroy,
391ab66abbcSAntonio Quartulli };
392f6226ae7SAntonio Quartulli struct ovpn_socket *old_data;
39308857b5eSAntonio Quartulli int ret;
394f6226ae7SAntonio Quartulli
395f6226ae7SAntonio Quartulli /* make sure no pre-existing encapsulation handler exists */
396f6226ae7SAntonio Quartulli rcu_read_lock();
397*ba499a07SAntonio Quartulli old_data = rcu_dereference_sk_user_data(ovpn_sock->sk);
398f6226ae7SAntonio Quartulli if (!old_data) {
399f6226ae7SAntonio Quartulli /* socket is currently unused - we can take it */
400f6226ae7SAntonio Quartulli rcu_read_unlock();
401*ba499a07SAntonio Quartulli setup_udp_tunnel_sock(sock_net(ovpn_sock->sk), sock, &cfg);
402f6226ae7SAntonio Quartulli return 0;
403f6226ae7SAntonio Quartulli }
404f6226ae7SAntonio Quartulli
405f6226ae7SAntonio Quartulli /* socket is in use. We need to understand if it's owned by this ovpn
406f6226ae7SAntonio Quartulli * instance or by something else.
407f6226ae7SAntonio Quartulli * In the former case, we can increase the refcounter and happily
408f6226ae7SAntonio Quartulli * use it, because the same UDP socket is expected to be shared among
409f6226ae7SAntonio Quartulli * different peers.
410f6226ae7SAntonio Quartulli *
411f6226ae7SAntonio Quartulli * Unlikely TCP, a single UDP socket can be used to talk to many remote
412f6226ae7SAntonio Quartulli * hosts and therefore openvpn instantiates one only for all its peers
413f6226ae7SAntonio Quartulli */
414*ba499a07SAntonio Quartulli if ((READ_ONCE(udp_sk(ovpn_sock->sk)->encap_type) == UDP_ENCAP_OVPNINUDP) &&
415f6226ae7SAntonio Quartulli old_data->ovpn == ovpn) {
416f6226ae7SAntonio Quartulli netdev_dbg(ovpn->dev,
417f6226ae7SAntonio Quartulli "provided socket already owned by this interface\n");
418f6226ae7SAntonio Quartulli ret = -EALREADY;
419f6226ae7SAntonio Quartulli } else {
420f6226ae7SAntonio Quartulli netdev_dbg(ovpn->dev,
421f6226ae7SAntonio Quartulli "provided socket already taken by other user\n");
422f6226ae7SAntonio Quartulli ret = -EBUSY;
423f6226ae7SAntonio Quartulli }
424f6226ae7SAntonio Quartulli rcu_read_unlock();
425f6226ae7SAntonio Quartulli
426f6226ae7SAntonio Quartulli return ret;
427f6226ae7SAntonio Quartulli }
428f6226ae7SAntonio Quartulli
429f6226ae7SAntonio Quartulli /**
430f6226ae7SAntonio Quartulli * ovpn_udp_socket_detach - clean udp-tunnel status for this socket
431f6226ae7SAntonio Quartulli * @ovpn_sock: the socket to clean
432f6226ae7SAntonio Quartulli */
ovpn_udp_socket_detach(struct ovpn_socket * ovpn_sock)433f6226ae7SAntonio Quartulli void ovpn_udp_socket_detach(struct ovpn_socket *ovpn_sock)
434f6226ae7SAntonio Quartulli {
435*ba499a07SAntonio Quartulli struct sock *sk = ovpn_sock->sk;
436ab66abbcSAntonio Quartulli
437930faf1eSAntonio Quartulli /* Re-enable multicast loopback */
438930faf1eSAntonio Quartulli inet_set_bit(MC_LOOP, sk);
439930faf1eSAntonio Quartulli /* Disable CHECKSUM_UNNECESSARY to CHECKSUM_COMPLETE conversion */
440930faf1eSAntonio Quartulli inet_dec_convert_csum(sk);
441930faf1eSAntonio Quartulli
442930faf1eSAntonio Quartulli WRITE_ONCE(udp_sk(sk)->encap_type, 0);
443930faf1eSAntonio Quartulli WRITE_ONCE(udp_sk(sk)->encap_rcv, NULL);
444930faf1eSAntonio Quartulli WRITE_ONCE(udp_sk(sk)->encap_destroy, NULL);
445930faf1eSAntonio Quartulli
446930faf1eSAntonio Quartulli rcu_assign_sk_user_data(sk, NULL);
447f6226ae7SAntonio Quartulli }
448