// SPDX-License-Identifier: GPL-2.0
/* OpenVPN data channel offload
 *
 *  Copyright (C) 2019-2025 OpenVPN, Inc.
 *
 *  Author:	Antonio Quartulli <antonio@openvpn.net>
 */

#include <linux/netdevice.h>
#include <linux/inetdevice.h>
#include <linux/skbuff.h>
#include <linux/socket.h>
#include <linux/udp.h>
#include <net/addrconf.h>
#include <net/dst_cache.h>
#include <net/route.h>
#include <net/ipv6_stubs.h>
#include <net/transp_v6.h>
#include <net/udp.h>
#include <net/udp_tunnel.h>

#include "ovpnpriv.h"
#include "main.h"
#include "bind.h"
#include "io.h"
#include "peer.h"
#include "proto.h"
#include "socket.h"
#include "udp.h"

/* Retrieve the corresponding ovpn object from a UDP socket
 * rcu_read_lock must be held on entry
 *
 * Returns NULL if the socket is not an ovpn-in-UDP encap socket, has no
 * sk_user_data attached, or the attached ovpn_socket does not reference
 * this very sk (stale/foreign user data).
 */
static struct ovpn_socket *ovpn_socket_from_udp_sock(struct sock *sk)
{
	struct ovpn_socket *ovpn_sock;

	if (unlikely(READ_ONCE(udp_sk(sk)->encap_type) != UDP_ENCAP_OVPNINUDP))
		return NULL;

	ovpn_sock = rcu_dereference_sk_user_data(sk);
	if (unlikely(!ovpn_sock))
		return NULL;

	/* make sure that sk matches our stored transport socket */
	if (unlikely(!ovpn_sock->sk || sk != ovpn_sock->sk))
		return NULL;

	return ovpn_sock;
}

/**
 * ovpn_udp_encap_recv - Start processing a received UDP packet.
 * @sk: socket over which the packet was received
 * @skb: the received packet
 *
 * If the first byte of the payload is:
 * - DATA_V2 the packet is accepted for further processing,
 * - DATA_V1 the packet is dropped as not supported,
 * - anything else the packet is forwarded to the UDP stack for
 *   delivery to user space.
 *
 * Return:
 *  0 if skb was consumed or dropped
 * >0 if skb should be passed up to userspace as UDP (packet not consumed)
 * <0 if skb should be resubmitted as proto -N (packet not consumed)
 */
static int ovpn_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
{
	struct ovpn_socket *ovpn_sock;
	struct ovpn_priv *ovpn;
	struct ovpn_peer *peer;
	u32 peer_id;
	u8 opcode;

	/* called by the UDP stack with rcu_read_lock held, as required by
	 * ovpn_socket_from_udp_sock()
	 */
	ovpn_sock = ovpn_socket_from_udp_sock(sk);
	if (unlikely(!ovpn_sock)) {
		net_err_ratelimited("ovpn: %s invoked on non ovpn socket\n",
				    __func__);
		goto drop_noovpn;
	}

	ovpn = ovpn_sock->ovpn;
	if (unlikely(!ovpn)) {
		net_err_ratelimited("ovpn: cannot obtain ovpn object from UDP socket\n");
		goto drop_noovpn;
	}

	/* Make sure the first 4 bytes of the skb data buffer after the UDP
	 * header are accessible.
	 * They are required to fetch the OP code, the key ID and the peer ID.
	 */
	if (unlikely(!pskb_may_pull(skb, sizeof(struct udphdr) +
				    OVPN_OPCODE_SIZE))) {
		net_dbg_ratelimited("%s: packet too small from UDP socket\n",
				    netdev_name(ovpn->dev));
		goto drop;
	}

	opcode = ovpn_opcode_from_skb(skb, sizeof(struct udphdr));
	if (unlikely(opcode != OVPN_DATA_V2)) {
		/* DATA_V1 is not supported */
		if (opcode == OVPN_DATA_V1)
			goto drop;

		/* unknown or control packet: let it bubble up to userspace */
		return 1;
	}

	peer_id = ovpn_peer_id_from_skb(skb, sizeof(struct udphdr));
	/* some OpenVPN server implementations send data packets with the
	 * peer-id set to UNDEF. In this case we skip the peer lookup by
	 * peer-id and we try with the transport address
	 */
	if (peer_id == OVPN_PEER_ID_UNDEF)
		peer = ovpn_peer_get_by_transp_addr(ovpn, skb);
	else
		peer = ovpn_peer_get_by_id(ovpn, peer_id);

	if (unlikely(!peer))
		goto drop;

	/* pop off outer UDP header */
	__skb_pull(skb, sizeof(struct udphdr));
	/* ovpn_recv() takes ownership of both the peer reference and skb */
	ovpn_recv(peer, skb);
	return 0;

drop:
	dev_dstats_rx_dropped(ovpn->dev);
drop_noovpn:
	kfree_skb(skb);
	return 0;
}

/**
 * ovpn_udp4_output - send IPv4 packet over udp socket
 * @peer: the destination peer
 * @bind: the binding related to the destination peer
 * @cache: dst cache
 * @sk: the socket to send the packet over
 * @skb: the packet to send
 *
 * Return: 0 on success or a negative error code otherwise
 */
static int ovpn_udp4_output(struct ovpn_peer *peer, struct ovpn_bind *bind,
			    struct dst_cache *cache, struct sock *sk,
			    struct sk_buff *skb)
{
	struct rtable *rt;
	struct flowi4 fl = {
		.saddr = bind->local.ipv4.s_addr,
		.daddr = bind->remote.in4.sin_addr.s_addr,
		.fl4_sport = inet_sk(sk)->inet_sport,
		.fl4_dport = bind->remote.in4.sin_port,
		.flowi4_proto = sk->sk_protocol,
		.flowi4_mark = sk->sk_mark,
	};
	int ret;

	local_bh_disable();
	/* fast path: reuse the cached route for this peer, if still valid */
	rt = dst_cache_get_ip4(cache, &fl.saddr);
	if (rt)
		goto transmit;

	if (unlikely(!inet_confirm_addr(sock_net(sk), NULL, 0, fl.saddr,
					RT_SCOPE_HOST))) {
		/* we may end up here when the cached address is not usable
		 * anymore. In this case we reset address/cache and perform a
		 * new look up
		 */
		fl.saddr = 0;
		/* bind->local is shared state: update it under peer->lock */
		spin_lock_bh(&peer->lock);
		bind->local.ipv4.s_addr = 0;
		spin_unlock_bh(&peer->lock);
		dst_cache_reset(cache);
	}

	rt = ip_route_output_flow(sock_net(sk), &fl, sk);
	if (IS_ERR(rt) && PTR_ERR(rt) == -EINVAL) {
		/* -EINVAL may indicate a stale source address: drop it and
		 * retry letting the routing code pick the source
		 */
		fl.saddr = 0;
		spin_lock_bh(&peer->lock);
		bind->local.ipv4.s_addr = 0;
		spin_unlock_bh(&peer->lock);
		dst_cache_reset(cache);

		rt = ip_route_output_flow(sock_net(sk), &fl, sk);
	}

	if (IS_ERR(rt)) {
		ret = PTR_ERR(rt);
		net_dbg_ratelimited("%s: no route to host %pISpc: %d\n",
				    netdev_name(peer->ovpn->dev),
				    &bind->remote.in4,
				    ret);
		goto err;
	}
	dst_cache_set_ip4(cache, &rt->dst, fl.saddr);

transmit:
	udp_tunnel_xmit_skb(rt, sk, skb, fl.saddr, fl.daddr, 0,
			    ip4_dst_hoplimit(&rt->dst), 0, fl.fl4_sport,
			    fl.fl4_dport, false, sk->sk_no_check_tx);
	ret = 0;
err:
	local_bh_enable();
	return ret;
}

#if IS_ENABLED(CONFIG_IPV6)
/**
 * ovpn_udp6_output - send IPv6 packet over udp socket
 * @peer: the destination peer
 * @bind: the binding related to the destination peer
 * @cache: dst cache
 * @sk: the socket to send the packet over
 * @skb: the packet to send
 *
 * Return: 0 on success or a negative error code otherwise
 */
static int ovpn_udp6_output(struct ovpn_peer *peer, struct ovpn_bind *bind,
			    struct dst_cache *cache, struct sock *sk,
			    struct sk_buff *skb)
{
	struct dst_entry *dst;
	int ret;

	struct flowi6 fl = {
		.saddr = bind->local.ipv6,
		.daddr = bind->remote.in6.sin6_addr,
		.fl6_sport = inet_sk(sk)->inet_sport,
		.fl6_dport = bind->remote.in6.sin6_port,
		.flowi6_proto = sk->sk_protocol,
		.flowi6_mark = sk->sk_mark,
		.flowi6_oif = bind->remote.in6.sin6_scope_id,
	};

	local_bh_disable();
	/* fast path: reuse the cached route for this peer, if still valid */
	dst = dst_cache_get_ip6(cache, &fl.saddr);
	if (dst)
		goto transmit;

	if (unlikely(!ipv6_chk_addr(sock_net(sk), &fl.saddr, NULL, 0))) {
		/* we may end up here when the cached address is not usable
		 * anymore. In this case we reset address/cache and perform a
		 * new look up
		 */
		fl.saddr = in6addr_any;
		/* bind->local is shared state: update it under peer->lock */
		spin_lock_bh(&peer->lock);
		bind->local.ipv6 = in6addr_any;
		spin_unlock_bh(&peer->lock);
		dst_cache_reset(cache);
	}

	dst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(sk), sk, &fl, NULL);
	if (IS_ERR(dst)) {
		ret = PTR_ERR(dst);
		net_dbg_ratelimited("%s: no route to host %pISpc: %d\n",
				    netdev_name(peer->ovpn->dev),
				    &bind->remote.in6, ret);
		goto err;
	}
	dst_cache_set_ip6(cache, dst, &fl.saddr);

transmit:
	/* user IPv6 packets may be larger than the transport interface
	 * MTU (after encapsulation), however, since they are locally
	 * generated we should ensure they get fragmented.
	 * Setting the ignore_df flag to 1 will instruct ip6_fragment() to
	 * fragment packets if needed.
	 *
	 * NOTE: this is not needed for IPv4 because we pass df=0 to
	 * udp_tunnel_xmit_skb()
	 */
	skb->ignore_df = 1;
	udp_tunnel6_xmit_skb(dst, sk, skb, skb->dev, &fl.saddr, &fl.daddr, 0,
			     ip6_dst_hoplimit(dst), 0, fl.fl6_sport,
			     fl.fl6_dport, udp_get_no_check6_tx(sk));
	ret = 0;
err:
	local_bh_enable();
	return ret;
}
#endif

/**
 * ovpn_udp_output - transmit skb using udp-tunnel
 * @peer: the destination peer
 * @cache: dst cache
 * @sk: the socket to send the packet over
 * @skb: the packet to send
 *
 * rcu_read_lock should be held on entry.
 * On return, the skb is consumed.
 *
 * Return: 0 on success or a negative error code otherwise
 */
static int ovpn_udp_output(struct ovpn_peer *peer, struct dst_cache *cache,
			   struct sock *sk, struct sk_buff *skb)
{
	struct ovpn_bind *bind;
	int ret;

	/* set sk to null if skb is already orphaned */
	if (!skb->destructor)
		skb->sk = NULL;

	rcu_read_lock();
	bind = rcu_dereference(peer->bind);
	if (unlikely(!bind)) {
		net_warn_ratelimited("%s: no bind for remote peer %u\n",
				     netdev_name(peer->ovpn->dev), peer->id);
		ret = -ENODEV;
		goto out;
	}

	/* dispatch on the address family of the remote endpoint */
	switch (bind->remote.in4.sin_family) {
	case AF_INET:
		ret = ovpn_udp4_output(peer, bind, cache, sk, skb);
		break;
#if IS_ENABLED(CONFIG_IPV6)
	case AF_INET6:
		ret = ovpn_udp6_output(peer, bind, cache, sk, skb);
		break;
#endif
	default:
		ret = -EAFNOSUPPORT;
		break;
	}

out:
	rcu_read_unlock();
	return ret;
}

/**
 * ovpn_udp_send_skb - prepare skb and send it over via UDP
 * @peer: the destination peer
 * @sk: peer socket
 * @skb: the packet to send
 *
 * The skb is always consumed: freed here on transmit error, otherwise
 * handed to the UDP tunnel layer.
 */
void ovpn_udp_send_skb(struct ovpn_peer *peer, struct sock *sk,
		       struct sk_buff *skb)
{
	int ret;

	skb->dev = peer->ovpn->dev;
	/* no checksum performed at this layer */
	skb->ip_summed = CHECKSUM_NONE;

	/* crypto layer -> transport (UDP) */
	ret = ovpn_udp_output(peer, &peer->dst_cache, sk, skb);
	if (unlikely(ret < 0))
		kfree_skb(skb);
}

/* Called by the UDP stack when the encap socket is being destroyed:
 * release all peers attached to this socket.
 */
static void ovpn_udp_encap_destroy(struct sock *sk)
{
	struct ovpn_socket *sock;
	struct ovpn_priv *ovpn;

	rcu_read_lock();
	sock = rcu_dereference_sk_user_data(sk);
	if (!sock || !sock->ovpn) {
		rcu_read_unlock();
		return;
	}
	ovpn = sock->ovpn;
	rcu_read_unlock();

	ovpn_peers_free(ovpn, sk, OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT);
}

/**
 * ovpn_udp_socket_attach - set udp-tunnel CBs on socket and link it to ovpn
 * @ovpn_sock: socket to configure
 * @sock: the socket container to be passed to setup_udp_tunnel_sock()
 * @ovpn: the openvpn instance to link
 *
 * After invoking this function, the sock will be controlled by ovpn so that
 * any incoming packet may be processed by ovpn first.
 *
 * Return: 0 on success or a negative error code otherwise
 */
int ovpn_udp_socket_attach(struct ovpn_socket *ovpn_sock, struct socket *sock,
			   struct ovpn_priv *ovpn)
{
	struct udp_tunnel_sock_cfg cfg = {
		.encap_type = UDP_ENCAP_OVPNINUDP,
		.encap_rcv = ovpn_udp_encap_recv,
		.encap_destroy = ovpn_udp_encap_destroy,
	};
	struct ovpn_socket *old_data;
	int ret;

	/* make sure no pre-existing encapsulation handler exists */
	rcu_read_lock();
	old_data = rcu_dereference_sk_user_data(ovpn_sock->sk);
	if (!old_data) {
		/* socket is currently unused - we can take it */
		rcu_read_unlock();
		setup_udp_tunnel_sock(sock_net(ovpn_sock->sk), sock, &cfg);
		return 0;
	}

	/* socket is in use. We need to understand if it's owned by this ovpn
	 * instance or by something else.
	 * In the former case, we can increase the refcounter and happily
	 * use it, because the same UDP socket is expected to be shared among
	 * different peers.
	 *
	 * Unlike TCP, a single UDP socket can be used to talk to many remote
	 * hosts and therefore openvpn instantiates one only for all its peers
	 */
	if ((READ_ONCE(udp_sk(ovpn_sock->sk)->encap_type) == UDP_ENCAP_OVPNINUDP) &&
	    old_data->ovpn == ovpn) {
		netdev_dbg(ovpn->dev,
			   "provided socket already owned by this interface\n");
		ret = -EALREADY;
	} else {
		netdev_dbg(ovpn->dev,
			   "provided socket already taken by other user\n");
		ret = -EBUSY;
	}
	rcu_read_unlock();

	return ret;
}

/**
 * ovpn_udp_socket_detach - clean udp-tunnel status for this socket
 * @ovpn_sock: the socket to clean
 *
 * Undoes the configuration applied by ovpn_udp_socket_attach(): restores
 * socket flags, clears the encap callbacks and drops the sk_user_data link.
 */
void ovpn_udp_socket_detach(struct ovpn_socket *ovpn_sock)
{
	struct sock *sk = ovpn_sock->sk;

	/* Re-enable multicast loopback */
	inet_set_bit(MC_LOOP, sk);
	/* Disable CHECKSUM_UNNECESSARY to CHECKSUM_COMPLETE conversion */
	inet_dec_convert_csum(sk);

	WRITE_ONCE(udp_sk(sk)->encap_type, 0);
	WRITE_ONCE(udp_sk(sk)->encap_rcv, NULL);
	WRITE_ONCE(udp_sk(sk)->encap_destroy, NULL);

	rcu_assign_sk_user_data(sk, NULL);
}