Commit 08857b5e authored by Antonio Quartulli's avatar Antonio Quartulli Committed by Paolo Abeni
Browse files

ovpn: implement basic TX path (UDP) 



Packets sent over the ovpn interface are processed and transmitted to the
connected peer, if any.

Implementation is UDP only. TCP will be added by a later patch.

Note: no crypto/encapsulation exists yet. Packets are just captured and
sent.

Signed-off-by: default avatarAntonio Quartulli <antonio@openvpn.net>
Link: https://patch.msgid.link/20250415-b4-ovpn-v26-7-577f6097b964@openvpn.net


Reviewed-by: default avatarSabrina Dubroca <sd@queasysnail.net>
Tested-by: default avatarOleksandr Natalenko <oleksandr@natalenko.name>
Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parent f6226ae7

drivers/net/Kconfig

+1 −0
Original line number Diff line number Diff line
@@ -120,6 +120,7 @@ config OVPN 
	depends on NET && INET

	depends on IPV6 || !IPV6

	select DST_CACHE

	select NET_UDP_TUNNEL

	help

	  This module enhances the performance of the OpenVPN userspace software

	  by offloading the data channel processing to kernelspace.

drivers/net/ovpn/io.c

+136 −1
Original line number Diff line number Diff line
@@ -9,14 +9,149 @@ 


#include <linux/netdevice.h>

#include <linux/skbuff.h>

#include <net/gso.h>



#include "io.h"

#include "ovpnpriv.h"

#include "peer.h"

#include "udp.h"

#include "skb.h"

#include "socket.h"



static void ovpn_encrypt_post(struct sk_buff *skb, int ret)

{

	struct ovpn_peer *peer = ovpn_skb_cb(skb)->peer;

	struct ovpn_socket *sock;



	if (unlikely(ret < 0))

		goto err;



	skb_mark_not_on_list(skb);



	rcu_read_lock();

	sock = rcu_dereference(peer->sock);

	if (unlikely(!sock))

		goto err_unlock;



	switch (sock->sock->sk->sk_protocol) {

	case IPPROTO_UDP:

		ovpn_udp_send_skb(peer, sock->sock, skb);

		break;

	default:

		/* no transport configured yet */

		goto err_unlock;

	}

	/* skb passed down the stack - don't free it */

	skb = NULL;

err_unlock:

	rcu_read_unlock();

err:

	if (unlikely(skb))

		dev_dstats_tx_dropped(peer->ovpn->dev);

	ovpn_peer_put(peer);

	kfree_skb(skb);

}



static bool ovpn_encrypt_one(struct ovpn_peer *peer, struct sk_buff *skb)

{

	ovpn_skb_cb(skb)->peer = peer;



	/* take a reference to the peer because the crypto code may run async.

	 * ovpn_encrypt_post() will release it upon completion

	 */

	if (unlikely(!ovpn_peer_hold(peer))) {

		DEBUG_NET_WARN_ON_ONCE(1);

		return false;

	}



	ovpn_encrypt_post(skb, 0);

	return true;

}



/* send skb to connected peer, if any */

static void ovpn_send(struct ovpn_priv *ovpn, struct sk_buff *skb,

		      struct ovpn_peer *peer)

{

	struct sk_buff *curr, *next;



	/* this might be a GSO-segmented skb list: process each skb

	 * independently

	 */

	skb_list_walk_safe(skb, curr, next) {

		if (unlikely(!ovpn_encrypt_one(peer, curr))) {

			dev_dstats_tx_dropped(ovpn->dev);

			kfree_skb(curr);

		}

	}



	ovpn_peer_put(peer);

}



/* Send user data to the network

 */

netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev)

{

	struct ovpn_priv *ovpn = netdev_priv(dev);

	struct sk_buff *segments, *curr, *next;

	struct sk_buff_head skb_list;

	struct ovpn_peer *peer;

	__be16 proto;

	int ret;



	/* reset netfilter state */

	nf_reset_ct(skb);



	/* verify IP header size in network packet */

	proto = ovpn_ip_check_protocol(skb);

	if (unlikely(!proto || skb->protocol != proto))

		goto drop;



	if (skb_is_gso(skb)) {

		segments = skb_gso_segment(skb, 0);

		if (IS_ERR(segments)) {

			ret = PTR_ERR(segments);

			net_err_ratelimited("%s: cannot segment payload packet: %d\n",

					    netdev_name(dev), ret);

			goto drop;

		}



		consume_skb(skb);

		skb = segments;

	}



	/* from this moment on, "skb" might be a list */



	__skb_queue_head_init(&skb_list);

	skb_list_walk_safe(skb, curr, next) {

		skb_mark_not_on_list(curr);



		curr = skb_share_check(curr, GFP_ATOMIC);

		if (unlikely(!curr)) {

			net_err_ratelimited("%s: skb_share_check failed for payload packet\n",

					    netdev_name(dev));

			dev_dstats_tx_dropped(ovpn->dev);

			continue;

		}



		__skb_queue_tail(&skb_list, curr);

	}

	skb_list.prev->next = NULL;



	/* retrieve peer serving the destination IP of this packet */

	peer = ovpn_peer_get_by_dst(ovpn, skb);

	if (unlikely(!peer)) {

		net_dbg_ratelimited("%s: no peer to send data to\n",

				    netdev_name(ovpn->dev));

		goto drop;

	}



	ovpn_send(ovpn, skb_list.next, peer);



	return NETDEV_TX_OK;



drop:

	dev_dstats_tx_dropped(ovpn->dev);

	skb_tx_error(skb);

	kfree_skb(skb);

	kfree_skb_list(skb);

	return NET_XMIT_DROP;

}

drivers/net/ovpn/peer.c

+32 −0
Original line number Diff line number Diff line
@@ -294,6 +294,38 @@ static void ovpn_peer_remove(struct ovpn_peer *peer, 
	llist_add(&peer->release_entry, release_list);

}



/**

 * ovpn_peer_get_by_dst - Lookup peer to send skb to

 * @ovpn: the private data representing the current VPN session

 * @skb: the skb to extract the destination address from

 *

 * This function takes a tunnel packet and looks up the peer to send it to

 * after encapsulation. The skb is expected to be the in-tunnel packet, without

 * any OpenVPN related header.

 *

 * Assume that the IP header is accessible in the skb data.

 *

 * Return: the peer if found or NULL otherwise.

 */

struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn,

				       struct sk_buff *skb)

{

	struct ovpn_peer *peer = NULL;



	/* in P2P mode, no matter the destination, packets are always sent to

	 * the single peer listening on the other side

	 */

	if (ovpn->mode == OVPN_MODE_P2P) {

		rcu_read_lock();

		peer = rcu_dereference(ovpn->peer);

		if (unlikely(peer && !ovpn_peer_hold(peer)))

			peer = NULL;

		rcu_read_unlock();

	}



	return peer;

}



/**

 * ovpn_peer_add_p2p - add peer to related tables in a P2P instance

 * @ovpn: the instance to add the peer to

drivers/net/ovpn/peer.h

+2 −0
Original line number Diff line number Diff line
@@ -80,5 +80,7 @@ void ovpn_peer_release_p2p(struct ovpn_priv *ovpn, struct sock *sk, 
struct ovpn_peer *ovpn_peer_get_by_transp_addr(struct ovpn_priv *ovpn,

					       struct sk_buff *skb);

struct ovpn_peer *ovpn_peer_get_by_id(struct ovpn_priv *ovpn, u32 peer_id);

struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn,

				       struct sk_buff *skb);



#endif /* _NET_OVPN_OVPNPEER_H_ */

drivers/net/ovpn/skb.h

0 → 100644
+55 −0
Original line number Diff line number Diff line 
/* SPDX-License-Identifier: GPL-2.0-only */

/*  OpenVPN data channel offload

 *

 *  Copyright (C) 2020-2025 OpenVPN, Inc.

 *

 *  Author:	Antonio Quartulli <antonio@openvpn.net>

 *		James Yonan <james@openvpn.net>

 */



#ifndef _NET_OVPN_SKB_H_

#define _NET_OVPN_SKB_H_



#include <linux/in.h>

#include <linux/in6.h>

#include <linux/ip.h>

#include <linux/ipv6.h>

#include <linux/skbuff.h>

#include <linux/socket.h>

#include <linux/types.h>



struct ovpn_cb {

	struct ovpn_peer *peer;

};



static inline struct ovpn_cb *ovpn_skb_cb(struct sk_buff *skb)

{

	BUILD_BUG_ON(sizeof(struct ovpn_cb) > sizeof(skb->cb));

	return (struct ovpn_cb *)skb->cb;

}



/* Return IP protocol version from skb header.

 * Return 0 if protocol is not IPv4/IPv6 or cannot be read.

 */

static inline __be16 ovpn_ip_check_protocol(struct sk_buff *skb)

{

	__be16 proto = 0;



	/* skb could be non-linear,

	 * make sure IP header is in non-fragmented part

	 */

	if (!pskb_network_may_pull(skb, sizeof(struct iphdr)))

		return 0;



	if (ip_hdr(skb)->version == 4) {

		proto = htons(ETH_P_IP);

	} else if (ip_hdr(skb)->version == 6) {

		if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr)))

			return 0;

		proto = htons(ETH_P_IPV6);

	}



	return proto;

}



#endif /* _NET_OVPN_SKB_H_ */