1 // SPDX-License-Identifier: GPL-2.0 2 /* OpenVPN data channel offload 3 * 4 * Copyright (C) 2019-2025 OpenVPN, Inc. 5 * 6 * Author: Antonio Quartulli <antonio@openvpn.net> 7 */ 8 9 #include <linux/netdevice.h> 10 #include <linux/inetdevice.h> 11 #include <linux/skbuff.h> 12 #include <linux/socket.h> 13 #include <linux/udp.h> 14 #include <net/addrconf.h> 15 #include <net/dst_cache.h> 16 #include <net/route.h> 17 #include <net/transp_v6.h> 18 #include <net/udp.h> 19 #include <net/udp_tunnel.h> 20 21 #include "ovpnpriv.h" 22 #include "main.h" 23 #include "bind.h" 24 #include "io.h" 25 #include "peer.h" 26 #include "proto.h" 27 #include "socket.h" 28 #include "udp.h" 29 30 /* Retrieve the corresponding ovpn object from a UDP socket 31 * rcu_read_lock must be held on entry 32 */ 33 static struct ovpn_socket *ovpn_socket_from_udp_sock(struct sock *sk) 34 { 35 struct ovpn_socket *ovpn_sock; 36 37 if (unlikely(READ_ONCE(udp_sk(sk)->encap_type) != UDP_ENCAP_OVPNINUDP)) 38 return NULL; 39 40 ovpn_sock = rcu_dereference_sk_user_data(sk); 41 if (unlikely(!ovpn_sock)) 42 return NULL; 43 44 /* make sure that sk matches our stored transport socket */ 45 if (unlikely(!ovpn_sock->sk || sk != ovpn_sock->sk)) 46 return NULL; 47 48 return ovpn_sock; 49 } 50 51 /** 52 * ovpn_udp_encap_recv - Start processing a received UDP packet. 53 * @sk: socket over which the packet was received 54 * @skb: the received packet 55 * 56 * If the first byte of the payload is: 57 * - DATA_V2 the packet is accepted for further processing, 58 * - DATA_V1 the packet is dropped as not supported, 59 * - anything else the packet is forwarded to the UDP stack for 60 * delivery to user space. 61 * 62 * Return: 63 * 0 if skb was consumed or dropped 64 * >0 if skb should be passed up to userspace as UDP (packet not consumed) 65 * <0 if skb should be resubmitted as proto -N (packet not consumed) 66 */ 67 static int ovpn_udp_encap_recv(struct sock *sk, struct sk_buff *skb) 68 { 69 struct ovpn_socket *ovpn_sock; 70 struct ovpn_priv *ovpn; 71 struct ovpn_peer *peer; 72 u32 peer_id; 73 u8 opcode; 74 75 ovpn_sock = ovpn_socket_from_udp_sock(sk); 76 if (unlikely(!ovpn_sock)) { 77 net_err_ratelimited("ovpn: %s invoked on non ovpn socket\n", 78 __func__); 79 goto drop_noovpn; 80 } 81 82 ovpn = ovpn_sock->ovpn; 83 if (unlikely(!ovpn)) { 84 net_err_ratelimited("ovpn: cannot obtain ovpn object from UDP socket\n"); 85 goto drop_noovpn; 86 } 87 88 /* Make sure the first 4 bytes of the skb data buffer after the UDP 89 * header are accessible. 90 * They are required to fetch the OP code, the key ID and the peer ID. 91 */ 92 if (unlikely(!pskb_may_pull(skb, sizeof(struct udphdr) + 93 OVPN_OPCODE_SIZE))) { 94 net_dbg_ratelimited("%s: packet too small from UDP socket\n", 95 netdev_name(ovpn->dev)); 96 goto drop; 97 } 98 99 opcode = ovpn_opcode_from_skb(skb, sizeof(struct udphdr)); 100 if (unlikely(opcode != OVPN_DATA_V2)) { 101 /* DATA_V1 is not supported */ 102 if (opcode == OVPN_DATA_V1) 103 goto drop; 104 105 /* unknown or control packet: let it bubble up to userspace */ 106 return 1; 107 } 108 109 peer_id = ovpn_peer_id_from_skb(skb, sizeof(struct udphdr)); 110 /* some OpenVPN server implementations send data packets with the 111 * peer-id set to UNDEF. In this case we skip the peer lookup by peer-id 112 * and we try with the transport address 113 */ 114 if (peer_id == OVPN_PEER_ID_UNDEF) 115 peer = ovpn_peer_get_by_transp_addr(ovpn, skb); 116 else 117 peer = ovpn_peer_get_by_id(ovpn, peer_id); 118 119 if (unlikely(!peer)) 120 goto drop; 121 122 /* pop off outer UDP header */ 123 __skb_pull(skb, sizeof(struct udphdr)); 124 ovpn_recv(peer, skb); 125 return 0; 126 127 drop: 128 dev_dstats_rx_dropped(ovpn->dev); 129 drop_noovpn: 130 kfree_skb(skb); 131 return 0; 132 } 133 134 /** 135 * ovpn_udp4_output - send IPv4 packet over udp socket 136 * @peer: the destination peer 137 * @bind: the binding related to the destination peer 138 * @cache: dst cache 139 * @sk: the socket to send the packet over 140 * @skb: the packet to send 141 * 142 * Return: 0 on success or a negative error code otherwise 143 */ 144 static int ovpn_udp4_output(struct ovpn_peer *peer, struct ovpn_bind *bind, 145 struct dst_cache *cache, struct sock *sk, 146 struct sk_buff *skb) 147 { 148 struct rtable *rt; 149 struct flowi4 fl = { 150 .saddr = bind->local.ipv4.s_addr, 151 .daddr = bind->remote.in4.sin_addr.s_addr, 152 .fl4_sport = inet_sk(sk)->inet_sport, 153 .fl4_dport = bind->remote.in4.sin_port, 154 .flowi4_proto = sk->sk_protocol, 155 .flowi4_mark = sk->sk_mark, 156 }; 157 int ret; 158 159 local_bh_disable(); 160 rt = dst_cache_get_ip4(cache, &fl.saddr); 161 if (rt) 162 goto transmit; 163 164 if (unlikely(!inet_confirm_addr(sock_net(sk), NULL, 0, fl.saddr, 165 RT_SCOPE_HOST))) { 166 /* we may end up here when the cached address is not usable 167 * anymore. In this case we reset address/cache and perform a 168 * new look up 169 */ 170 fl.saddr = 0; 171 spin_lock_bh(&peer->lock); 172 bind->local.ipv4.s_addr = 0; 173 spin_unlock_bh(&peer->lock); 174 dst_cache_reset(cache); 175 } 176 177 rt = ip_route_output_flow(sock_net(sk), &fl, sk); 178 if (IS_ERR(rt) && PTR_ERR(rt) == -EINVAL) { 179 fl.saddr = 0; 180 spin_lock_bh(&peer->lock); 181 bind->local.ipv4.s_addr = 0; 182 spin_unlock_bh(&peer->lock); 183 dst_cache_reset(cache); 184 185 rt = ip_route_output_flow(sock_net(sk), &fl, sk); 186 } 187 188 if (IS_ERR(rt)) { 189 ret = PTR_ERR(rt); 190 net_dbg_ratelimited("%s: no route to host %pISpc: %d\n", 191 netdev_name(peer->ovpn->dev), 192 &bind->remote.in4, 193 ret); 194 goto err; 195 } 196 dst_cache_set_ip4(cache, &rt->dst, fl.saddr); 197 198 transmit: 199 udp_tunnel_xmit_skb(rt, sk, skb, fl.saddr, fl.daddr, 0, 200 ip4_dst_hoplimit(&rt->dst), 0, fl.fl4_sport, 201 fl.fl4_dport, false, sk->sk_no_check_tx, 0); 202 ret = 0; 203 err: 204 local_bh_enable(); 205 return ret; 206 } 207 208 #if IS_ENABLED(CONFIG_IPV6) 209 /** 210 * ovpn_udp6_output - send IPv6 packet over udp socket 211 * @peer: the destination peer 212 * @bind: the binding related to the destination peer 213 * @cache: dst cache 214 * @sk: the socket to send the packet over 215 * @skb: the packet to send 216 * 217 * Return: 0 on success or a negative error code otherwise 218 */ 219 static int ovpn_udp6_output(struct ovpn_peer *peer, struct ovpn_bind *bind, 220 struct dst_cache *cache, struct sock *sk, 221 struct sk_buff *skb) 222 { 223 struct dst_entry *dst; 224 int ret; 225 226 struct flowi6 fl = { 227 .saddr = bind->local.ipv6, 228 .daddr = bind->remote.in6.sin6_addr, 229 .fl6_sport = inet_sk(sk)->inet_sport, 230 .fl6_dport = bind->remote.in6.sin6_port, 231 .flowi6_proto = sk->sk_protocol, 232 .flowi6_mark = sk->sk_mark, 233 .flowi6_oif = bind->remote.in6.sin6_scope_id, 234 }; 235 236 local_bh_disable(); 237 dst = dst_cache_get_ip6(cache, &fl.saddr); 238 if (dst) 239 goto transmit; 240 241 if (unlikely(!ipv6_chk_addr(sock_net(sk), &fl.saddr, NULL, 0))) { 242 /* we may end up here when the cached address is not usable 243 * anymore. In this case we reset address/cache and perform a 244 * new look up 245 */ 246 fl.saddr = in6addr_any; 247 spin_lock_bh(&peer->lock); 248 bind->local.ipv6 = in6addr_any; 249 spin_unlock_bh(&peer->lock); 250 dst_cache_reset(cache); 251 } 252 253 dst = ip6_dst_lookup_flow(sock_net(sk), sk, &fl, NULL); 254 if (IS_ERR(dst)) { 255 ret = PTR_ERR(dst); 256 net_dbg_ratelimited("%s: no route to host %pISpc: %d\n", 257 netdev_name(peer->ovpn->dev), 258 &bind->remote.in6, ret); 259 goto err; 260 } 261 dst_cache_set_ip6(cache, dst, &fl.saddr); 262 263 transmit: 264 /* user IPv6 packets may be larger than the transport interface 265 * MTU (after encapsulation), however, since they are locally 266 * generated we should ensure they get fragmented. 267 * Setting the ignore_df flag to 1 will instruct ip6_fragment() to 268 * fragment packets if needed. 269 * 270 * NOTE: this is not needed for IPv4 because we pass df=0 to 271 * udp_tunnel_xmit_skb() 272 */ 273 skb->ignore_df = 1; 274 udp_tunnel6_xmit_skb(dst, sk, skb, skb->dev, &fl.saddr, &fl.daddr, 0, 275 ip6_dst_hoplimit(dst), 0, fl.fl6_sport, 276 fl.fl6_dport, udp_get_no_check6_tx(sk), 0); 277 ret = 0; 278 err: 279 local_bh_enable(); 280 return ret; 281 } 282 #endif 283 284 /** 285 * ovpn_udp_output - transmit skb using udp-tunnel 286 * @peer: the destination peer 287 * @cache: dst cache 288 * @sk: the socket to send the packet over 289 * @skb: the packet to send 290 * 291 * rcu_read_lock should be held on entry. 292 * On return, the skb is consumed. 293 * 294 * Return: 0 on success or a negative error code otherwise 295 */ 296 static int ovpn_udp_output(struct ovpn_peer *peer, struct dst_cache *cache, 297 struct sock *sk, struct sk_buff *skb) 298 { 299 struct ovpn_bind *bind; 300 int ret; 301 302 /* set sk to null if skb is already orphaned */ 303 if (!skb->destructor) 304 skb->sk = NULL; 305 306 rcu_read_lock(); 307 bind = rcu_dereference(peer->bind); 308 if (unlikely(!bind)) { 309 net_warn_ratelimited("%s: no bind for remote peer %u\n", 310 netdev_name(peer->ovpn->dev), peer->id); 311 ret = -ENODEV; 312 goto out; 313 } 314 315 switch (bind->remote.in4.sin_family) { 316 case AF_INET: 317 ret = ovpn_udp4_output(peer, bind, cache, sk, skb); 318 break; 319 #if IS_ENABLED(CONFIG_IPV6) 320 case AF_INET6: 321 ret = ovpn_udp6_output(peer, bind, cache, sk, skb); 322 break; 323 #endif 324 default: 325 ret = -EAFNOSUPPORT; 326 break; 327 } 328 329 out: 330 rcu_read_unlock(); 331 return ret; 332 } 333 334 /** 335 * ovpn_udp_send_skb - prepare skb and send it over via UDP 336 * @peer: the destination peer 337 * @sk: peer socket 338 * @skb: the packet to send 339 */ 340 void ovpn_udp_send_skb(struct ovpn_peer *peer, struct sock *sk, 341 struct sk_buff *skb) 342 { 343 int ret; 344 345 skb->dev = peer->ovpn->dev; 346 skb->mark = READ_ONCE(sk->sk_mark); 347 /* no checksum performed at this layer */ 348 skb->ip_summed = CHECKSUM_NONE; 349 350 /* crypto layer -> transport (UDP) */ 351 ret = ovpn_udp_output(peer, &peer->dst_cache, sk, skb); 352 if (unlikely(ret < 0)) 353 kfree_skb(skb); 354 } 355 356 static void ovpn_udp_encap_destroy(struct sock *sk) 357 { 358 struct ovpn_socket *sock; 359 struct ovpn_priv *ovpn; 360 361 rcu_read_lock(); 362 sock = rcu_dereference_sk_user_data(sk); 363 if (!sock || !sock->ovpn) { 364 rcu_read_unlock(); 365 return; 366 } 367 ovpn = sock->ovpn; 368 rcu_read_unlock(); 369 370 ovpn_peers_free(ovpn, sk, OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT); 371 } 372 373 /** 374 * ovpn_udp_socket_attach - set udp-tunnel CBs on socket and link it to ovpn 375 * @ovpn_sock: socket to configure 376 * @sock: the socket container to be passed to setup_udp_tunnel_sock() 377 * @ovpn: the openvp instance to link 378 * 379 * After invoking this function, the sock will be controlled by ovpn so that 380 * any incoming packet may be processed by ovpn first. 381 * 382 * Return: 0 on success or a negative error code otherwise 383 */ 384 int ovpn_udp_socket_attach(struct ovpn_socket *ovpn_sock, struct socket *sock, 385 struct ovpn_priv *ovpn) 386 { 387 struct udp_tunnel_sock_cfg cfg = { 388 .sk_user_data = ovpn_sock, 389 .encap_type = UDP_ENCAP_OVPNINUDP, 390 .encap_rcv = ovpn_udp_encap_recv, 391 .encap_destroy = ovpn_udp_encap_destroy, 392 }; 393 struct ovpn_socket *old_data; 394 int ret; 395 396 /* make sure no pre-existing encapsulation handler exists */ 397 rcu_read_lock(); 398 old_data = rcu_dereference_sk_user_data(ovpn_sock->sk); 399 if (!old_data) { 400 /* socket is currently unused - we can take it */ 401 rcu_read_unlock(); 402 setup_udp_tunnel_sock(sock_net(ovpn_sock->sk), sock, &cfg); 403 return 0; 404 } 405 406 /* socket is in use. We need to understand if it's owned by this ovpn 407 * instance or by something else. 408 * In the former case, we can increase the refcounter and happily 409 * use it, because the same UDP socket is expected to be shared among 410 * different peers. 411 * 412 * Unlikely TCP, a single UDP socket can be used to talk to many remote 413 * hosts and therefore openvpn instantiates one only for all its peers 414 */ 415 if ((READ_ONCE(udp_sk(ovpn_sock->sk)->encap_type) == UDP_ENCAP_OVPNINUDP) && 416 old_data->ovpn == ovpn) { 417 netdev_dbg(ovpn->dev, 418 "provided socket already owned by this interface\n"); 419 ret = -EALREADY; 420 } else { 421 netdev_dbg(ovpn->dev, 422 "provided socket already taken by other user\n"); 423 ret = -EBUSY; 424 } 425 rcu_read_unlock(); 426 427 return ret; 428 } 429 430 /** 431 * ovpn_udp_socket_detach - clean udp-tunnel status for this socket 432 * @ovpn_sock: the socket to clean 433 */ 434 void ovpn_udp_socket_detach(struct ovpn_socket *ovpn_sock) 435 { 436 struct sock *sk = ovpn_sock->sk; 437 438 /* Re-enable multicast loopback */ 439 inet_set_bit(MC_LOOP, sk); 440 /* Disable CHECKSUM_UNNECESSARY to CHECKSUM_COMPLETE conversion */ 441 inet_dec_convert_csum(sk); 442 443 WRITE_ONCE(udp_sk(sk)->encap_type, 0); 444 WRITE_ONCE(udp_sk(sk)->encap_rcv, NULL); 445 WRITE_ONCE(udp_sk(sk)->encap_destroy, NULL); 446 447 rcu_assign_sk_user_data(sk, NULL); 448 } 449