[RFC PATCH v3 3/3] platform: add support for WireGuard links
- From: Javier Arteaga <jarteaga jbeta is>
- To: Thomas Haller <thaller redhat com>
- Cc: Javier Arteaga <jarteaga jbeta is>, "Jason A. Donenfeld" <Jason zx2c4 com>, networkmanager-list gnome org
- Subject: [RFC PATCH v3 3/3] platform: add support for WireGuard links
- Date: Sun, 17 Jun 2018 12:34:58 +0100
Add support for a new wireguard link type to the platform code. For now
this only covers querying existing links via genetlink and parsing them
into platform objects.
---
Notes:
Changes in v2->v3:
* Changed peers/allowedips from CList to arrays-of-structs
(GArray wrappers are used during genl parsing stage to handle reallocs)
* Wrote proper cmp/hash methods for peer objects
* Split off two patches not really specific to WireGuard
* Corrected WireGuard uapi identifier names
* Addressed a few other comments on v2
libnm-core/nm-core-types-internal.h | 25 +++
src/nm-types.h | 2 +
src/platform/nm-linux-platform.c | 315 ++++++++++++++++++++++++++++
src/platform/nm-platform.c | 124 +++++++++++
src/platform/nm-platform.h | 15 ++
src/platform/nmp-object.c | 219 +++++++++++++++++++
src/platform/nmp-object.h | 10 +
7 files changed, 710 insertions(+)
diff --git a/libnm-core/nm-core-types-internal.h b/libnm-core/nm-core-types-internal.h
index 4d43aaf45..f95652fa2 100644
--- a/libnm-core/nm-core-types-internal.h
+++ b/libnm-core/nm-core-types-internal.h
@@ -31,6 +31,31 @@ typedef struct {
guint32 to;
} NMVlanQosMapping;
+typedef struct {
+ NMIPAddr ip;
+ guint8 family;
+ guint8 cidr;
+} NMWireguardAllowedIP;
+
+#define NM_WG_PUBLIC_KEY_LEN 32
+#define NM_WG_SYMMETRIC_KEY_LEN 32
+
+typedef struct {
+ guint8 public_key[NM_WG_PUBLIC_KEY_LEN];
+ guint8 preshared_key[NM_WG_SYMMETRIC_KEY_LEN];
+ union {
+ struct sockaddr addr;
+ struct sockaddr_in addr4;
+ struct sockaddr_in6 addr6;
+ } endpoint;
+ guint16 persistent_keepalive_interval;
+ struct timespec last_handshake_time;
+ guint64 rx_bytes, tx_bytes;
+
+ gsize allowedips_len;
+ NMWireguardAllowedIP *allowedips;
+} NMWireguardPeer;
+
#define _NM_IP_TUNNEL_FLAG_ALL_IP6TNL \
( NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT \
| NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS \
diff --git a/src/nm-types.h b/src/nm-types.h
index 1477d2269..6f73289b0 100644
--- a/src/nm-types.h
+++ b/src/nm-types.h
@@ -170,6 +170,7 @@ typedef enum {
NM_LINK_TYPE_VETH,
NM_LINK_TYPE_VLAN,
NM_LINK_TYPE_VXLAN,
+ NM_LINK_TYPE_WIREGUARD,
/* Software types with slaves */
NM_LINK_TYPE_BRIDGE = 0x10000 | 0x20000,
@@ -202,6 +203,7 @@ typedef enum {
NMP_OBJECT_TYPE_LNK_TUN,
NMP_OBJECT_TYPE_LNK_VLAN,
NMP_OBJECT_TYPE_LNK_VXLAN,
+ NMP_OBJECT_TYPE_LNK_WIREGUARD,
__NMP_OBJECT_TYPE_LAST,
NMP_OBJECT_TYPE_MAX = __NMP_OBJECT_TYPE_LAST - 1,
diff --git a/src/platform/nm-linux-platform.c b/src/platform/nm-linux-platform.c
index 32d4203b8..8ba2a1deb 100644
--- a/src/platform/nm-linux-platform.c
+++ b/src/platform/nm-linux-platform.c
@@ -173,6 +173,40 @@ G_STATIC_ASSERT (RTA_MAX == (__RTA_MAX - 1));
/*****************************************************************************/
+#define WG_CMD_GET_DEVICE 0
+#define WG_CMD_SET_DEVICE 1
+
+#define WGDEVICE_A_UNSPEC 0
+#define WGDEVICE_A_IFINDEX 1
+#define WGDEVICE_A_IFNAME 2
+#define WGDEVICE_A_PRIVATE_KEY 3
+#define WGDEVICE_A_PUBLIC_KEY 4
+#define WGDEVICE_A_FLAGS 5
+#define WGDEVICE_A_LISTEN_PORT 6
+#define WGDEVICE_A_FWMARK 7
+#define WGDEVICE_A_PEERS 8
+#define WGDEVICE_A_MAX 8
+
+#define WGPEER_A_UNSPEC 0
+#define WGPEER_A_PUBLIC_KEY 1
+#define WGPEER_A_PRESHARED_KEY 2
+#define WGPEER_A_FLAGS 3
+#define WGPEER_A_ENDPOINT 4
+#define WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL 5
+#define WGPEER_A_LAST_HANDSHAKE_TIME 6
+#define WGPEER_A_RX_BYTES 7
+#define WGPEER_A_TX_BYTES 8
+#define WGPEER_A_ALLOWEDIPS 9
+#define WGPEER_A_MAX 9
+
+#define WGALLOWEDIP_A_UNSPEC 0
+#define WGALLOWEDIP_A_FAMILY 1
+#define WGALLOWEDIP_A_IPADDR 2
+#define WGALLOWEDIP_A_CIDR_MASK 3
+#define WGALLOWEDIP_A_MAX 3
+
+/*****************************************************************************/
+
#define _NMLOG_PREFIX_NAME "platform-linux"
#define _NMLOG_DOMAIN LOGD_PLATFORM
#define _NMLOG2_DOMAIN LOGD_PLATFORM
@@ -564,6 +598,7 @@ static const LinkDesc linktypes[] = {
{ NM_LINK_TYPE_VETH, "veth", "veth", NULL },
{ NM_LINK_TYPE_VLAN, "vlan", "vlan", "vlan" },
{ NM_LINK_TYPE_VXLAN, "vxlan", "vxlan", "vxlan" },
+ { NM_LINK_TYPE_WIREGUARD, "wireguard", "wireguard", "wireguard" },
{ NM_LINK_TYPE_BRIDGE, "bridge", "bridge", "bridge" },
{ NM_LINK_TYPE_BOND, "bond", "bond", "bond" },
@@ -1675,6 +1710,197 @@ _parse_lnk_vxlan (const char *kind, struct nlattr *info_data)
/*****************************************************************************/
+/* Context to build a NMPObjectLnkWireguard instance.
+ * GArray wrappers are discarded after processing all netlink messages. */
+struct _wireguard_device_buf {
+ NMPObject *obj;
+ GArray *peers;
+ GArray *allowedips;
+};
+
+static int
+_wireguard_update_from_allowedips_nla (struct _wireguard_device_buf *buf,
+ struct nlattr *allowedip_attr)
+{
+ static const struct nla_policy allowedip_policy[WGALLOWEDIP_A_MAX + 1] = {
+ [WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16 },
+ [WGALLOWEDIP_A_IPADDR] = { .minlen = sizeof (struct in_addr) },
+ [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 },
+ };
+ struct nlattr *tba[WGALLOWEDIP_A_MAX + 1];
+ NMWireguardPeer *peer = &g_array_index (buf->peers, NMWireguardPeer, buf->peers->len - 1);
+ NMWireguardAllowedIP *allowedip;
+ NMWireguardAllowedIP new_allowedip = {0};
+ int addr_len;
+ int ret;
+
+ ret = nla_parse_nested (tba, WGALLOWEDIP_A_MAX, allowedip_attr, allowedip_policy);
+ if (ret)
+ goto errout;
+
+ g_array_append_val (buf->allowedips, new_allowedip);
+ allowedip = &g_array_index (buf->allowedips, NMWireguardAllowedIP, buf->allowedips->len - 1);
+ peer->allowedips_len++;
+
+ if (tba[WGALLOWEDIP_A_FAMILY])
+ allowedip->family = nla_get_u16 (tba[WGALLOWEDIP_A_FAMILY]);
+
+ if (allowedip->family == AF_INET)
+ addr_len = sizeof (in_addr_t);
+ else if (allowedip->family == AF_INET6)
+ addr_len = sizeof (struct in6_addr);
+ else {
+ ret = -EAFNOSUPPORT;
+ goto errout;
+ }
+
+ ret = -EMSGSIZE;
+ _check_addr_or_errout (tba, WGALLOWEDIP_A_IPADDR, addr_len);
+ if (tba[WGALLOWEDIP_A_IPADDR])
+ nla_memcpy (&allowedip->ip, tba[WGALLOWEDIP_A_IPADDR], addr_len);
+
+ if (tba[WGALLOWEDIP_A_CIDR_MASK])
+ allowedip->cidr = nla_get_u8 (tba[WGALLOWEDIP_A_CIDR_MASK]);
+
+ ret = 0;
+errout:
+ return ret;
+}
+
+static int
+_wireguard_update_from_peers_nla (struct _wireguard_device_buf *buf,
+ struct nlattr *peer_attr)
+{
+ static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = {
+ [WGPEER_A_PUBLIC_KEY] = { .minlen = NM_WG_PUBLIC_KEY_LEN },
+ [WGPEER_A_PRESHARED_KEY] = { },
+ [WGPEER_A_FLAGS] = { .type = NLA_U32 },
+ [WGPEER_A_ENDPOINT] = { },
+ [WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NLA_U16 },
+ [WGPEER_A_LAST_HANDSHAKE_TIME] = { },
+ [WGPEER_A_RX_BYTES] = { .type = NLA_U64 },
+ [WGPEER_A_TX_BYTES] = { .type = NLA_U64 },
+ [WGPEER_A_ALLOWEDIPS] = { .type = NLA_NESTED },
+ };
+ struct nlattr *tbp[WGPEER_A_MAX + 1];
+ NMWireguardPeer * const last = buf->peers->len ? &g_array_index (buf->peers, NMWireguardPeer,
buf->peers->len - 1) : NULL;
+ NMWireguardPeer *peer;
+ NMWireguardPeer new_peer = {0};
+ int ret;
+
+ if (nla_parse_nested (tbp, WGPEER_A_MAX, peer_attr, peer_policy)) {
+ ret = -EBADMSG;
+ goto errout;
+ }
+
+ if (!tbp[WGPEER_A_PUBLIC_KEY]) {
+ ret = -EBADMSG;
+ goto errout;
+ }
+
+ /* a peer with the same public key as last peer is just a continuation for extra AllowedIPs */
+ if (last && !memcmp (nla_data (tbp[WGPEER_A_PUBLIC_KEY]), last->public_key, sizeof
(last->public_key))) {
+ peer = last;
+ goto add_allowedips;
+ }
+
+ /* otherwise, start a new peer */
+ g_array_append_val (buf->peers, new_peer);
+ peer = &g_array_index (buf->peers, NMWireguardPeer, buf->peers->len - 1);
+
+ nla_memcpy (&peer->public_key, tbp[WGPEER_A_PUBLIC_KEY], sizeof (peer->public_key));
+
+ if (tbp[WGPEER_A_PRESHARED_KEY])
+ nla_memcpy (&peer->preshared_key, tbp[WGPEER_A_PRESHARED_KEY], sizeof (peer->preshared_key));
+ if (tbp[WGPEER_A_ENDPOINT]) {
+ struct sockaddr *addr = nla_data (tbp[WGPEER_A_ENDPOINT]);
+ if (addr->sa_family == AF_INET)
+ nla_memcpy (&peer->endpoint.addr4, tbp[WGPEER_A_ENDPOINT], sizeof
(peer->endpoint.addr4));
+ else if (addr->sa_family == AF_INET6)
+ nla_memcpy (&peer->endpoint.addr6, tbp[WGPEER_A_ENDPOINT], sizeof
(peer->endpoint.addr6));
+ }
+ if (tbp[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL])
+ peer->persistent_keepalive_interval = nla_get_u64
(tbp[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL]);
+ if (tbp[WGPEER_A_LAST_HANDSHAKE_TIME])
+ nla_memcpy (&peer->last_handshake_time, tbp[WGPEER_A_LAST_HANDSHAKE_TIME], sizeof
(peer->last_handshake_time));
+ if (tbp[WGPEER_A_RX_BYTES])
+ peer->rx_bytes = nla_get_u64 (tbp[WGPEER_A_RX_BYTES]);
+ if (tbp[WGPEER_A_TX_BYTES])
+ peer->tx_bytes = nla_get_u64 (tbp[WGPEER_A_TX_BYTES]);
+
+ peer->allowedips = NULL;
+ peer->allowedips_len = 0;
+
+add_allowedips:
+ if (tbp[WGPEER_A_ALLOWEDIPS]) {
+ struct nlattr *attr;
+ int rem;
+
+ nla_for_each_nested (attr, tbp[WGPEER_A_ALLOWEDIPS], rem) {
+ ret = _wireguard_update_from_allowedips_nla (buf, attr);
+ if (ret)
+ goto errout;
+ }
+ }
+
+ ret = 0;
+errout:
+ return ret;
+}
+
+static int
+_wireguard_get_device_cb (struct nl_msg *msg, void *arg)
+{
+ static const struct nla_policy device_policy[WGDEVICE_A_MAX + 1] = {
+ [WGDEVICE_A_IFINDEX] = { .type = NLA_U32 },
+ [WGDEVICE_A_IFNAME] = { .type = NLA_NUL_STRING, .maxlen = IFNAMSIZ },
+ [WGDEVICE_A_PRIVATE_KEY] = { },
+ [WGDEVICE_A_PUBLIC_KEY] = { },
+ [WGDEVICE_A_FLAGS] = { .type = NLA_U32 },
+ [WGDEVICE_A_LISTEN_PORT] = { .type = NLA_U16 },
+ [WGDEVICE_A_FWMARK] = { .type = NLA_U32 },
+ [WGDEVICE_A_PEERS] = { .type = NLA_NESTED },
+ };
+ struct _wireguard_device_buf *buf = arg;
+ struct nlattr *tbd[WGDEVICE_A_MAX + 1];
+ NMPlatformLnkWireguard *props = &buf->obj->lnk_wireguard;
+ struct nlmsghdr *nlh = nlmsg_hdr (msg);
+ int ret;
+
+ ret = genlmsg_parse (nlh, 0, tbd, WGDEVICE_A_MAX, device_policy);
+ if (ret)
+ goto errout;
+
+ if (tbd[WGDEVICE_A_PRIVATE_KEY])
+ nla_memcpy (props->private_key, tbd[WGDEVICE_A_PRIVATE_KEY], sizeof (props->private_key));
+ if (tbd[WGDEVICE_A_PUBLIC_KEY])
+ nla_memcpy (props->public_key, tbd[WGDEVICE_A_PUBLIC_KEY], sizeof (props->public_key));
+ if (tbd[WGDEVICE_A_LISTEN_PORT])
+ props->listen_port = nla_get_u16 (tbd[WGDEVICE_A_LISTEN_PORT]);
+ if (tbd[WGDEVICE_A_FWMARK])
+ props->fwmark = nla_get_u32 (tbd[WGDEVICE_A_FWMARK]);
+
+ if (tbd[WGDEVICE_A_PEERS]) {
+ struct nlattr *attr;
+ int rem;
+
+ nla_for_each_nested (attr, tbd[WGDEVICE_A_PEERS], rem) {
+ ret = _wireguard_update_from_peers_nla (buf, attr);
+ if (ret)
+ goto errout;
+ }
+ }
+
+ return NL_OK;
+errout:
+ return NL_SKIP;
+}
+
+static gboolean
+_wireguard_get_link_properties (NMPlatform *platform, const NMPlatformLink *link, NMPObject *obj);
+
+/*****************************************************************************/
+
/* Copied and heavily modified from libnl3's link_msg_parser(). */
static NMPObject *
_new_from_nl_link (NMPlatform *platform, const NMPCache *cache, struct nlmsghdr *nlh, gboolean id_only)
@@ -1880,6 +2106,8 @@ _new_from_nl_link (NMPlatform *platform, const NMPCache *cache, struct nlmsghdr
case NM_LINK_TYPE_VXLAN:
lnk_data = _parse_lnk_vxlan (nl_info_kind, nl_info_data);
break;
+ case NM_LINK_TYPE_WIREGUARD:
+ break;
default:
lnk_data_complete_from_cache = FALSE;
break;
@@ -1922,6 +2150,26 @@ _new_from_nl_link (NMPlatform *platform, const NMPCache *cache, struct nlmsghdr
}
}
+ if (obj->link.type == NM_LINK_TYPE_WIREGUARD) {
+ nm_auto_nmpobj NMPObject *lnk_data_now;
+
+ /* The WireGuard kernel module does not yet send link update
+ * notifications, so we don't actually update the cache. For
+ * now, always refetch link data here. */
+ lnk_data_now = nmp_object_new (NMP_OBJECT_TYPE_LNK_WIREGUARD, NULL);
+ if (!_wireguard_get_link_properties (platform, &obj->link, lnk_data_now)) {
+ _LOGE ("wireguard: %d %s: failed to get properties",
+ obj->link.ifindex,
+ obj->link.name ?: "");
+ }
+
+ if (lnk_data && nmp_object_cmp (lnk_data, lnk_data_now))
+ nmp_object_unref (g_steal_pointer (&lnk_data));
+
+ if (!lnk_data)
+ lnk_data = (NMPObject *) nmp_object_ref (lnk_data_now);
+ }
+
obj->_link.netlink.lnk = lnk_data;
obj->_link.netlink.is_in_netlink = TRUE;
@@ -3013,6 +3261,8 @@ typedef struct {
} delayed_action;
GHashTable *wifi_data;
+
+ int wireguard_family_id;
} NMLinuxPlatformPrivate;
struct _NMLinuxPlatform {
@@ -5931,6 +6181,69 @@ link_release (NMPlatform *platform, int master, int slave)
/*****************************************************************************/
+static gboolean
+_wireguard_get_link_properties (NMPlatform *platform, const NMPlatformLink *link, NMPObject *obj)
+{
+ NMLinuxPlatformPrivate *priv = NM_LINUX_PLATFORM_GET_PRIVATE (platform);
+ nm_auto_nlmsg struct nl_msg *msg = NULL;
+ struct _wireguard_device_buf buf = {
+ .obj = obj,
+ .peers = g_array_new (FALSE, FALSE, sizeof (NMWireguardPeer)),
+ .allowedips = g_array_new (FALSE, FALSE, sizeof (NMWireguardAllowedIP)),
+ };
+ struct nl_cb cb = {
+ .valid_cb = _wireguard_get_device_cb,
+ .valid_arg = &buf,
+ };
+ guint i, j;
+
+ if (!priv->wireguard_family_id)
+ priv->wireguard_family_id = _support_genl_family (priv->genlh, "wireguard");
+
+ if (!priv->wireguard_family_id) {
+ _LOG2W ("kernel support not available for wireguard link %s", link->name);
+ goto err;
+ }
+
+ msg = nlmsg_alloc ();
+ if (!msg)
+ goto err;
+
+ if (!genlmsg_put (msg, NL_AUTO_PORT, NL_AUTO_SEQ, priv->wireguard_family_id,
+ 0, NLM_F_DUMP, WG_CMD_GET_DEVICE, 1))
+ goto err;
+
+ NLA_PUT_U32 (msg, WGDEVICE_A_IFINDEX, link->ifindex);
+
+ if (nl_send_auto (priv->genlh, msg) < 0)
+ goto err;
+
+ if (nl_recvmsgs (priv->genlh, &cb) < 0)
+ goto err;
+
+ /* have each peer point to its own chunk of the allowedips buffer */
+ for (i = 0, j = 0; i < buf.peers->len; i++) {
+ NMWireguardPeer *p = &g_array_index (buf.peers, NMWireguardPeer, i);
+ p->allowedips = &g_array_index (buf.allowedips, NMWireguardAllowedIP, j);
+ j += p->allowedips_len;
+ }
+ /* drop the wrapper (but also the buffer if no peer points to it) */
+ g_array_free (buf.allowedips, buf.peers->len ? FALSE : TRUE);
+
+ obj->_lnk_wireguard.peers_len = buf.peers->len;
+ obj->_lnk_wireguard.peers = (NMWireguardPeer *) g_array_free (buf.peers, FALSE);
+
+ return TRUE;
+
+err:
+nla_put_failure:
+ g_array_free (buf.peers, TRUE);
+ g_array_free (buf.allowedips, TRUE);
+ return FALSE;
+}
+
+/*****************************************************************************/
+
static gboolean
_infiniband_partition_action (NMPlatform *platform,
InfinibandAction action,
@@ -7103,6 +7416,8 @@ constructed (GObject *_object)
g_assert (!nle);
_LOGD ("Generic netlink socket established: port=%u, fd=%d", nl_socket_get_local_port (priv->genlh),
nl_socket_get_fd (priv->genlh));
+ priv->wireguard_family_id = _support_genl_family (priv->genlh, "wireguard");
+
/* complete construction of the GObject instance before populating the cache. */
G_OBJECT_CLASS (nm_linux_platform_parent_class)->constructed (_object);
diff --git a/src/platform/nm-platform.c b/src/platform/nm-platform.c
index f75019e8b..fc100d7e5 100644
--- a/src/platform/nm-platform.c
+++ b/src/platform/nm-platform.c
@@ -27,6 +27,8 @@
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <netdb.h>
#include <string.h>
#include <linux/ip.h>
#include <linux/if_tun.h>
@@ -1912,6 +1914,12 @@ nm_platform_link_get_lnk_vxlan (NMPlatform *self, int ifindex, const NMPlatformL
return _link_get_lnk (self, ifindex, NM_LINK_TYPE_VXLAN, out_link);
}
+const NMPlatformLnkWireguard *
+nm_platform_link_get_lnk_wireguard (NMPlatform *self, int ifindex, const NMPlatformLink **out_link)
+{
+ return _link_get_lnk (self, ifindex, NM_LINK_TYPE_WIREGUARD, out_link);
+}
+
/*****************************************************************************/
/**
@@ -5192,6 +5200,7 @@ nm_platform_lnk_tun_to_string (const NMPlatformLnkTun *lnk, char *buf, gsize len
lnk->persist ? " persist" : "",
lnk->owner_valid ? nm_sprintf_buf (str_owner, " owner %u", (guint) lnk->owner) : "",
lnk->group_valid ? nm_sprintf_buf (str_group, " group %u", (guint) lnk->group) : "");
+
return buf;
}
@@ -5298,6 +5307,100 @@ nm_platform_lnk_vxlan_to_string (const NMPlatformLnkVxlan *lnk, char *buf, gsize
return buf;
}
+const char *
+nm_platform_wireguard_peer_to_string (const NMWireguardPeer *peer, char *buf, gsize len)
+{
+ gs_free char *public_b64 = NULL;
+ char s_address[INET6_ADDRSTRLEN] = {0};
+ char s_endpoint[INET6_ADDRSTRLEN + NI_MAXSERV + sizeof("endpoint []:") + 1] = {0};
+ guint8 nonzero_key = 0;
+ gsize i;
+
+ nm_utils_to_string_buffer_init (&buf, &len);
+
+ if (peer->endpoint.addr.sa_family == AF_INET || peer->endpoint.addr.sa_family == AF_INET6) {
+ char s_service[NI_MAXSERV];
+ socklen_t addr_len = 0;
+
+ if (peer->endpoint.addr.sa_family == AF_INET)
+ addr_len = sizeof (struct sockaddr_in);
+ else if (peer->endpoint.addr.sa_family == AF_INET6)
+ addr_len = sizeof (struct sockaddr_in6);
+ if (!getnameinfo (&peer->endpoint.addr, addr_len, s_address, sizeof(s_address), s_service,
sizeof(s_service), NI_DGRAM | NI_NUMERICSERV | NI_NUMERICHOST)) {
+ if (peer->endpoint.addr.sa_family == AF_INET6 && strchr (s_address, ':'))
+ g_snprintf(s_endpoint, sizeof (s_endpoint), "endpoint [%s]:%s ", s_address,
s_service);
+ else
+ g_snprintf(s_endpoint, sizeof (s_endpoint), "endpoint %s:%s ", s_address,
s_service);
+ }
+ }
+
+
+ for (i = 0; i < sizeof (peer->preshared_key); i++)
+ nonzero_key |= peer->preshared_key[i];
+
+ public_b64 = g_base64_encode (peer->public_key, sizeof (peer->public_key));
+
+ nm_utils_strbuf_append (&buf, &len,
+ "{ "
+ "public_key %s "
+ "%s" /* preshared key indicator */
+ "%s" /* endpoint */
+ "rx %"G_GUINT64_FORMAT" "
+ "tx %"G_GUINT64_FORMAT" "
+ "allowedips (%"G_GSIZE_FORMAT") {",
+ public_b64,
+ nonzero_key ? "preshared_key (hidden) " : "",
+ s_endpoint,
+ peer->rx_bytes,
+ peer->tx_bytes,
+ peer->allowedips_len);
+
+
+ for (i = 0; i < peer->allowedips_len; i++) {
+ NMWireguardAllowedIP *allowedip = &peer->allowedips[i];
+ const char *ret;
+
+ ret = inet_ntop (allowedip->family, &allowedip->ip, s_address, sizeof(s_address));
+
+ nm_utils_strbuf_append (&buf, &len,
+ " %s/%u",
+ ret ? s_address : "<EAFNOSUPPORT>",
+ allowedip->cidr);
+ }
+
+ nm_utils_strbuf_append_str (&buf, &len, " } }");
+ return buf;
+}
+
+const char *
+nm_platform_lnk_wireguard_to_string (const NMPlatformLnkWireguard *lnk, char *buf, gsize len)
+{
+ gs_free char *public_b64 = NULL;
+ guint8 nonzero_key = 0;
+ gsize i;
+
+ if (!nm_utils_to_string_buffer_init_null (lnk, &buf, &len))
+ return buf;
+
+ public_b64 = g_base64_encode (lnk->public_key, sizeof (lnk->public_key));
+
+ for (i = 0; i < sizeof (lnk->private_key); i++)
+ nonzero_key |= lnk->private_key[i];
+
+ g_snprintf (buf, len,
+ "wireguard "
+ "public_key %s "
+ "%s" /* private key indicator */
+ "listen_port %u "
+ "fwmark 0x%x",
+ public_b64,
+ nonzero_key ? "private_key (hidden) " : "",
+ lnk->listen_port,
+ lnk->fwmark);
+
+ return buf;
+}
+
/**
* nm_platform_ip4_address_to_string:
* @route: pointer to NMPlatformIP4Address address structure
@@ -6123,6 +6226,27 @@ nm_platform_lnk_vxlan_cmp (const NMPlatformLnkVxlan *a, const NMPlatformLnkVxlan
return 0;
}
+void
+nm_platform_lnk_wireguard_hash_update (const NMPlatformLnkWireguard *obj, NMHashState *h)
+{
+ nm_hash_update_vals (h,
+ obj->private_key,
+ obj->public_key,
+ obj->listen_port,
+ obj->fwmark);
+}
+
+int
+nm_platform_lnk_wireguard_cmp (const NMPlatformLnkWireguard *a, const NMPlatformLnkWireguard *b)
+{
+ NM_CMP_SELF (a, b);
+ NM_CMP_FIELD_MEMCMP (a, b, private_key);
+ NM_CMP_FIELD_MEMCMP (a, b, public_key);
+ NM_CMP_FIELD (a, b, listen_port);
+ NM_CMP_FIELD (a, b, fwmark);
+ return 0;
+}
+
void
nm_platform_ip4_address_hash_update (const NMPlatformIP4Address *obj, NMHashState *h)
{
diff --git a/src/platform/nm-platform.h b/src/platform/nm-platform.h
index 866df7362..5b3783812 100644
--- a/src/platform/nm-platform.h
+++ b/src/platform/nm-platform.h
@@ -723,6 +723,13 @@ typedef struct {
bool l3miss:1;
} NMPlatformLnkVxlan;
+typedef struct {
+ guint8 private_key[NM_WG_PUBLIC_KEY_LEN];
+ guint8 public_key[NM_WG_PUBLIC_KEY_LEN];
+ guint16 listen_port;
+ guint32 fwmark;
+} NMPlatformLnkWireguard;
+
typedef enum {
NM_PLATFORM_LINK_DUPLEX_UNKNOWN,
NM_PLATFORM_LINK_DUPLEX_HALF,
@@ -1198,6 +1205,7 @@ const NMPlatformLnkSit *nm_platform_link_get_lnk_sit (NMPlatform *self, int ifin
const NMPlatformLnkTun *nm_platform_link_get_lnk_tun (NMPlatform *self, int ifindex, const NMPlatformLink
**out_link);
const NMPlatformLnkVlan *nm_platform_link_get_lnk_vlan (NMPlatform *self, int ifindex, const NMPlatformLink
**out_link);
const NMPlatformLnkVxlan *nm_platform_link_get_lnk_vxlan (NMPlatform *self, int ifindex, const
NMPlatformLink **out_link);
+const NMPlatformLnkWireguard *nm_platform_link_get_lnk_wireguard (NMPlatform *self, int ifindex, const
NMPlatformLink **out_link);
NMPlatformError nm_platform_link_vlan_add (NMPlatform *self,
const char *name,
@@ -1375,6 +1383,7 @@ const char *nm_platform_lnk_sit_to_string (const NMPlatformLnkSit *lnk, char *bu
const char *nm_platform_lnk_tun_to_string (const NMPlatformLnkTun *lnk, char *buf, gsize len);
const char *nm_platform_lnk_vlan_to_string (const NMPlatformLnkVlan *lnk, char *buf, gsize len);
const char *nm_platform_lnk_vxlan_to_string (const NMPlatformLnkVxlan *lnk, char *buf, gsize len);
+const char *nm_platform_lnk_wireguard_to_string (const NMPlatformLnkWireguard *lnk, char *buf, gsize len);
const char *nm_platform_ip4_address_to_string (const NMPlatformIP4Address *address, char *buf, gsize len);
const char *nm_platform_ip6_address_to_string (const NMPlatformIP6Address *address, char *buf, gsize len);
const char *nm_platform_ip4_route_to_string (const NMPlatformIP4Route *route, char *buf, gsize len);
@@ -1388,6 +1397,10 @@ const char *nm_platform_vlan_qos_mapping_to_string (const char *name,
char *buf,
gsize len);
+const char *nm_platform_wireguard_peer_to_string (const NMWireguardPeer *peer,
+ char *buf,
+ gsize len);
+
int nm_platform_link_cmp (const NMPlatformLink *a, const NMPlatformLink *b);
int nm_platform_lnk_gre_cmp (const NMPlatformLnkGre *a, const NMPlatformLnkGre *b);
int nm_platform_lnk_infiniband_cmp (const NMPlatformLnkInfiniband *a, const NMPlatformLnkInfiniband *b);
@@ -1399,6 +1412,7 @@ int nm_platform_lnk_sit_cmp (const NMPlatformLnkSit *a, const NMPlatformLnkSit *
int nm_platform_lnk_tun_cmp (const NMPlatformLnkTun *a, const NMPlatformLnkTun *b);
int nm_platform_lnk_vlan_cmp (const NMPlatformLnkVlan *a, const NMPlatformLnkVlan *b);
int nm_platform_lnk_vxlan_cmp (const NMPlatformLnkVxlan *a, const NMPlatformLnkVxlan *b);
+int nm_platform_lnk_wireguard_cmp (const NMPlatformLnkWireguard *a, const NMPlatformLnkWireguard *b);
int nm_platform_ip4_address_cmp (const NMPlatformIP4Address *a, const NMPlatformIP4Address *b);
int nm_platform_ip6_address_cmp (const NMPlatformIP6Address *a, const NMPlatformIP6Address *b);
@@ -1435,6 +1449,7 @@ void nm_platform_lnk_sit_hash_update (const NMPlatformLnkSit *obj, NMHashState *
void nm_platform_lnk_tun_hash_update (const NMPlatformLnkTun *obj, NMHashState *h);
void nm_platform_lnk_vlan_hash_update (const NMPlatformLnkVlan *obj, NMHashState *h);
void nm_platform_lnk_vxlan_hash_update (const NMPlatformLnkVxlan *obj, NMHashState *h);
+void nm_platform_lnk_wireguard_hash_update (const NMPlatformLnkWireguard *obj, NMHashState *h);
void nm_platform_qdisc_hash_update (const NMPlatformQdisc *obj, NMHashState *h);
void nm_platform_tfilter_hash_update (const NMPlatformTfilter *obj, NMHashState *h);
diff --git a/src/platform/nmp-object.c b/src/platform/nmp-object.c
index 50e6825bf..943dcff16 100644
--- a/src/platform/nmp-object.c
+++ b/src/platform/nmp-object.c
@@ -343,6 +343,122 @@ _vlan_xgress_qos_mappings_cpy (guint *dst_n_map,
/*****************************************************************************/
+static void
+_wireguard_peers_hash_update (gsize n_peers,
+ const NMWireguardPeer *peers,
+ NMHashState *h)
+{
+ gsize i, j;
+
+ nm_hash_update_val (h, n_peers);
+ for (i = 0; i < n_peers; i++) {
+ const NMWireguardPeer *p = &peers[i];
+
+ nm_hash_update (h, p->public_key, sizeof (p->public_key));
+ nm_hash_update (h, p->preshared_key, sizeof (p->preshared_key));
+ nm_hash_update_vals (h,
+ p->persistent_keepalive_interval,
+ p->allowedips_len,
+ p->rx_bytes,
+ p->tx_bytes,
+ p->last_handshake_time.tv_sec,
+ p->last_handshake_time.tv_nsec,
+ p->endpoint.addr.sa_family);
+
+ if (p->endpoint.addr.sa_family == AF_INET)
+ nm_hash_update_val (h, p->endpoint.addr4);
+ else if (p->endpoint.addr.sa_family == AF_INET6)
+ nm_hash_update_val (h, p->endpoint.addr6);
+ else if (p->endpoint.addr.sa_family != AF_UNSPEC)
+ g_assert_not_reached ();
+
+ for (j = 0; j < p->allowedips_len; j++) {
+ const NMWireguardAllowedIP *ip = &p->allowedips[j];
+
+ nm_hash_update_vals (h, ip->family, ip->cidr);
+
+ if (ip->family == AF_INET)
+ nm_hash_update_val (h, ip->ip.addr4);
+ else if (ip->family == AF_INET6)
+ nm_hash_update_val (h, ip->ip.addr6);
+ else if (ip->family != AF_UNSPEC)
+ g_assert_not_reached ();
+ }
+ }
+}
+
+static int
+_wireguard_peers_cmp (gsize n_peers,
+ const NMWireguardPeer *p1,
+ const NMWireguardPeer *p2)
+{
+ gsize i, j;
+
+ for (i = 0; i < n_peers; i++) {
+ const NMWireguardPeer *a = &p1[i];
+ const NMWireguardPeer *b = &p2[i];
+
+ NM_CMP_FIELD (a, b, last_handshake_time.tv_sec);
+ NM_CMP_FIELD (a, b, last_handshake_time.tv_nsec);
+ NM_CMP_FIELD (a, b, rx_bytes);
+ NM_CMP_FIELD (a, b, tx_bytes);
+ NM_CMP_FIELD (a, b, allowedips_len);
+ NM_CMP_FIELD (a, b, persistent_keepalive_interval);
+ NM_CMP_FIELD (a, b, endpoint.addr.sa_family);
+ NM_CMP_FIELD_MEMCMP (a, b, public_key);
+ NM_CMP_FIELD_MEMCMP (a, b, preshared_key);
+
+ if (a->endpoint.addr.sa_family == AF_INET)
+ NM_CMP_FIELD_MEMCMP (a, b, endpoint.addr4);
+ else if (a->endpoint.addr.sa_family == AF_INET6)
+ NM_CMP_FIELD_MEMCMP (a, b, endpoint.addr6);
+ else if (a->endpoint.addr.sa_family != AF_UNSPEC)
+ g_assert_not_reached ();
+
+ for (j = 0; j < a->allowedips_len; j++) {
+ const NMWireguardAllowedIP *aip = &a->allowedips[j];
+ const NMWireguardAllowedIP *bip = &b->allowedips[j];
+
+ NM_CMP_FIELD (aip, bip, family);
+ NM_CMP_FIELD (aip, bip, cidr);
+
+ if (aip->family == AF_INET)
+ NM_CMP_FIELD_MEMCMP (&aip->ip, &bip->ip, addr4);
+ else if (aip->family == AF_INET6)
+ NM_CMP_FIELD_MEMCMP (&aip->ip, &bip->ip, addr6);
+ else if (aip->family != AF_UNSPEC)
+ g_assert_not_reached ();
+ }
+ }
+
+ return 0;
+}
+
+static void
+_wireguard_peers_cpy (gsize *dst_n_peers,
+ NMWireguardPeer **dst_peers,
+ gsize src_n_peers,
+ const NMWireguardPeer *src_peers)
+{
+ if (src_n_peers == 0) {
+ g_clear_pointer (dst_peers, g_free);
+ *dst_n_peers = 0;
+ } else if ( src_n_peers != *dst_n_peers
+ || _wireguard_peers_cmp (src_n_peers, *dst_peers, src_peers) != 0) {
+ gsize i;
+ g_clear_pointer (dst_peers, g_free);
+ *dst_n_peers = src_n_peers;
+ if (src_n_peers > 0)
+ *dst_peers = g_memdup (src_peers, sizeof (*src_peers) * src_n_peers);
+ for (i = 0; i < src_n_peers; i++) {
+ dst_peers[i]->allowedips = g_memdup (src_peers[i].allowedips, sizeof
(src_peers[i].allowedips) * src_peers[i].allowedips_len);
+ dst_peers[i]->allowedips_len = src_peers[i].allowedips_len;
+ }
+ }
+}
+
+/*****************************************************************************/
+
static const char *
_link_get_driver (struct udev_device *udevice, const char *kind, int ifindex)
{
@@ -466,6 +582,15 @@ _vt_cmd_obj_dispose_lnk_vlan (NMPObject *obj)
g_free ((gpointer) obj->_lnk_vlan.egress_qos_map);
}
+static void
+_vt_cmd_obj_dispose_lnk_wireguard (NMPObject *obj)
+{
+ if (obj->_lnk_wireguard.peers_len)
+ g_free (obj->_lnk_wireguard.peers[0].allowedips);
+
+ g_free (obj->_lnk_wireguard.peers);
+}
+
static NMPObject *
_nmp_object_new_from_class (const NMPClass *klass)
{
@@ -720,6 +845,52 @@ _vt_cmd_obj_to_string_lnk_vlan (const NMPObject *obj, NMPObjectToStringMode to_s
}
}
+static const char *
+_vt_cmd_obj_to_string_lnk_wireguard (const NMPObject *obj, NMPObjectToStringMode to_string_mode, char *buf,
gsize buf_size)
+{
+ const NMPClass *klass;
+ char buf2[sizeof (_nm_utils_to_string_buffer)];
+ char *b;
+ gsize i, l;
+
+ klass = NMP_OBJECT_GET_CLASS (obj);
+
+ switch (to_string_mode) {
+ case NMP_OBJECT_TO_STRING_ID:
+ g_snprintf (buf, buf_size, "%p", obj);
+ return buf;
+ case NMP_OBJECT_TO_STRING_ALL:
+ b = buf;
+
+ nm_utils_strbuf_append (&b, &buf_size,
+ "[%s,%p,%u,%calive,%cvisible; %s "
+ "peers (%" G_GSIZE_FORMAT ") {",
+ klass->obj_type_name, obj, obj->parent._ref_count,
+ nmp_object_is_alive (obj) ? '+' : '-',
+ nmp_object_is_visible (obj) ? '+' : '-',
+ nmp_object_to_string (obj, NMP_OBJECT_TO_STRING_PUBLIC, buf2, sizeof
(buf2)),
+ obj->_lnk_wireguard.peers_len);
+
+ for (i = 0; i < obj->_lnk_wireguard.peers_len; i++) {
+ const NMWireguardPeer *peer = &obj->_lnk_wireguard.peers[i];
+ nm_platform_wireguard_peer_to_string (peer, b, buf_size);
+ l = strlen (b);
+ b += l;
+ buf_size -= l;
+ }
+
+ nm_utils_strbuf_append_str (&b, &buf_size, " }");
+
+ return buf;
+ case NMP_OBJECT_TO_STRING_PUBLIC:
+ NMP_OBJECT_GET_CLASS (obj)->cmd_plobj_to_string (&obj->object, buf, buf_size);
+
+ return buf;
+ default:
+ g_return_val_if_reached ("ERROR");
+ }
+}
+
#define _vt_cmd_plobj_to_string_id(type, plat_type, ...) \
static const char * \
_vt_cmd_plobj_to_string_id_##type (const NMPlatformObject *_obj, char *buf, gsize buf_len) \
@@ -787,6 +958,15 @@ _vt_cmd_obj_hash_update_lnk_vlan (const NMPObject *obj, NMHashState *h)
h);
}
+static void
+_vt_cmd_obj_hash_update_lnk_wireguard (const NMPObject *obj, NMHashState *h)
+{
+ nm_assert (NMP_OBJECT_GET_TYPE (obj) == NMP_OBJECT_TYPE_LNK_WIREGUARD);
+
+ nm_platform_lnk_wireguard_hash_update (&obj->lnk_wireguard, h);
+ _wireguard_peers_hash_update (obj->_lnk_wireguard.peers_len, obj->_lnk_wireguard.peers, h);
+}
+
int
nmp_object_cmp (const NMPObject *obj1, const NMPObject *obj2)
{
@@ -865,6 +1045,21 @@ _vt_cmd_obj_cmp_lnk_vlan (const NMPObject *obj1, const NMPObject *obj2)
return c;
}
+static int
+_vt_cmd_obj_cmp_lnk_wireguard (const NMPObject *obj1, const NMPObject *obj2)
+{
+ int c;
+
+ c = nm_platform_lnk_wireguard_cmp (&obj1->lnk_wireguard, &obj2->lnk_wireguard);
+ if (c)
+ return c;
+
+ if (obj1->_lnk_wireguard.peers_len != obj2->_lnk_wireguard.peers_len)
+ return obj1->_lnk_wireguard.peers_len < obj2->_lnk_wireguard.peers_len ? -1 : 1;
+
+ return _wireguard_peers_cmp(obj1->_lnk_wireguard.peers_len, obj1->_lnk_wireguard.peers,
obj2->_lnk_wireguard.peers);
+}
+
/* @src is a const object, which is not entirely correct for link types, where
* we increase the ref count for src->_link.udev.device.
* Hence, nmp_object_copy() can violate the const promise of @src.
@@ -925,6 +1120,14 @@ _vt_cmd_obj_copy_lnk_vlan (NMPObject *dst, const NMPObject *src)
src->_lnk_vlan.egress_qos_map);
}
+static void
+_vt_cmd_obj_copy_lnk_wireguard (NMPObject *dst, const NMPObject *src)
+{
+ dst->lnk_wireguard = src->lnk_wireguard;
+ _wireguard_peers_cpy (&dst->_lnk_wireguard.peers_len, &dst->_lnk_wireguard.peers,
+ src->_lnk_wireguard.peers_len, src->_lnk_wireguard.peers);
+}
+
#define _vt_cmd_plobj_id_copy(type, plat_type, cmd) \
static void \
_vt_cmd_plobj_id_copy_##type (NMPlatformObject *_dst, const NMPlatformObject *_src) \
@@ -2817,5 +3020,21 @@ const NMPClass _nmp_classes[NMP_OBJECT_TYPE_MAX] = {
.cmd_plobj_hash_update = (void (*) (const NMPlatformObject *obj, NMHashState
*h)) nm_platform_lnk_vxlan_hash_update,
.cmd_plobj_cmp = (int (*) (const NMPlatformObject *obj1, const
NMPlatformObject *obj2)) nm_platform_lnk_vxlan_cmp,
},
+ [NMP_OBJECT_TYPE_LNK_WIREGUARD - 1] = {
+ .parent = DEDUP_MULTI_OBJ_CLASS_INIT(),
+ .obj_type = NMP_OBJECT_TYPE_LNK_WIREGUARD,
+ .sizeof_data = sizeof (NMPObjectLnkWireguard),
+ .sizeof_public = sizeof (NMPlatformLnkWireguard),
+ .obj_type_name = "wireguard",
+ .lnk_link_type = NM_LINK_TYPE_WIREGUARD,
+ .cmd_obj_hash_update = _vt_cmd_obj_hash_update_lnk_wireguard,
+ .cmd_obj_cmp = _vt_cmd_obj_cmp_lnk_wireguard,
+ .cmd_obj_copy = _vt_cmd_obj_copy_lnk_wireguard,
+ .cmd_obj_dispose = _vt_cmd_obj_dispose_lnk_wireguard,
+ .cmd_obj_to_string = _vt_cmd_obj_to_string_lnk_wireguard,
+ .cmd_plobj_to_string = (const char *(*) (const NMPlatformObject *obj, char
*buf, gsize len)) nm_platform_lnk_wireguard_to_string,
+ .cmd_plobj_hash_update = (void (*) (const NMPlatformObject *obj, NMHashState
*h)) nm_platform_lnk_vlan_hash_update,
+ .cmd_plobj_cmp = (int (*) (const NMPlatformObject *obj1, const
NMPlatformObject *obj2)) nm_platform_lnk_vlan_cmp,
+ },
};
diff --git a/src/platform/nmp-object.h b/src/platform/nmp-object.h
index f473f4628..31adb4ae6 100644
--- a/src/platform/nmp-object.h
+++ b/src/platform/nmp-object.h
@@ -213,6 +213,13 @@ typedef struct {
NMPlatformLnkVxlan _public;
} NMPObjectLnkVxlan;
+typedef struct {
+ NMPlatformLnkWireguard _public;
+
+ gsize peers_len;
+ NMWireguardPeer *peers;
+} NMPObjectLnkWireguard;
+
typedef struct {
NMPlatformIP4Address _public;
} NMPObjectIP4Address;
@@ -278,6 +285,9 @@ struct _NMPObject {
NMPlatformLnkVxlan lnk_vxlan;
NMPObjectLnkVxlan _lnk_vxlan;
+ NMPlatformLnkWireguard lnk_wireguard;
+ NMPObjectLnkWireguard _lnk_wireguard;
+
NMPlatformIPAddress ip_address;
NMPlatformIPXAddress ipx_address;
NMPlatformIP4Address ip4_address;
--
2.17.1
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]