Commit 9a0b084a authored by Paolo Abeni

Merge branch 'introducing-openvpn-data-channel-offload'

Antonio Quartulli says:

====================
Introducing OpenVPN Data Channel Offload

Notable changes since v25:
* removed netdev notifier (was only used for our own devices)
* added .dellink implementation to address what was previously
  done in notifier
* removed .ndo_open and moved netif_carrier_off() call to .ndo_init
* fixed author in MODULE_AUTHOR()
* properly indented checks in ovpn.yaml
* switched from TSTATS to DSTATS
* removed obsolete comment in ovpn_socket_new()
* removed unrelated hunk in ovpn_socket_new()

The latest code can also be found at:

https://github.com/OpenVPN/ovpn-net-next



Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
====================

Link: https://patch.msgid.link/20250415-b4-ovpn-v26-0-577f6097b964@openvpn.net


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
parents df8398fb 959bc330
+367 −0
# SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)
#
# Author: Antonio Quartulli <antonio@openvpn.net>
#
# Copyright (c) 2024-2025, OpenVPN Inc.
#

name: ovpn

protocol: genetlink

doc: Netlink protocol to control OpenVPN network devices

definitions:
  -
    type: const
    name: nonce-tail-size
    value: 8
  -
    type: enum
    name: cipher-alg
    entries: [ none, aes-gcm, chacha20-poly1305 ]
  -
    type: enum
    name: del-peer-reason
    entries:
      - teardown
      - userspace
      - expired
      - transport-error
      - transport-disconnect
  -
    type: enum
    name: key-slot
    entries: [ primary, secondary ]

attribute-sets:
  -
    name: peer
    attributes:
      -
        name: id
        type: u32
        doc: >-
          The unique ID of the peer in the device context. To be used to identify
          peers during operations for a specific device
        checks:
          max: 0xFFFFFF
      -
        name: remote-ipv4
        type: u32
        doc: The remote IPv4 address of the peer
        byte-order: big-endian
        display-hint: ipv4
      -
        name: remote-ipv6
        type: binary
        doc: The remote IPv6 address of the peer
        display-hint: ipv6
        checks:
          exact-len: 16
      -
        name: remote-ipv6-scope-id
        type: u32
        doc: The scope id of the remote IPv6 address of the peer (RFC2553)
      -
        name: remote-port
        type: u16
        doc: The remote port of the peer
        byte-order: big-endian
        checks:
          min: 1
      -
        name: socket
        type: u32
        doc: The socket to be used to communicate with the peer
      -
        name: socket-netnsid
        type: s32
        doc: The ID of the netns the socket assigned to this peer lives in
      -
        name: vpn-ipv4
        type: u32
        doc: The IPv4 address assigned to the peer by the server
        byte-order: big-endian
        display-hint: ipv4
      -
        name: vpn-ipv6
        type: binary
        doc: The IPv6 address assigned to the peer by the server
        display-hint: ipv6
        checks:
          exact-len: 16
      -
        name: local-ipv4
        type: u32
        doc: The local IPv4 to be used to send packets to the peer (UDP only)
        byte-order: big-endian
        display-hint: ipv4
      -
        name: local-ipv6
        type: binary
        doc: The local IPv6 to be used to send packets to the peer (UDP only)
        display-hint: ipv6
        checks:
          exact-len: 16
      -
        name: local-port
        type: u16
        doc: The local port to be used to send packets to the peer (UDP only)
        byte-order: big-endian
        checks:
          min: 1
      -
        name: keepalive-interval
        type: u32
        doc: >-
          The number of seconds after which a keep alive message is sent to the
          peer
      -
        name: keepalive-timeout
        type: u32
        doc: >-
          The number of seconds from the last activity after which the peer is
          assumed dead
      -
        name: del-reason
        type: u32
        doc: The reason why a peer was deleted
        enum: del-peer-reason
      -
        name: vpn-rx-bytes
        type: uint
        doc: Number of bytes received over the tunnel
      -
        name: vpn-tx-bytes
        type: uint
        doc: Number of bytes transmitted over the tunnel
      -
        name: vpn-rx-packets
        type: uint
        doc: Number of packets received over the tunnel
      -
        name: vpn-tx-packets
        type: uint
        doc: Number of packets transmitted over the tunnel
      -
        name: link-rx-bytes
        type: uint
        doc: Number of bytes received at the transport level
      -
        name: link-tx-bytes
        type: uint
        doc: Number of bytes transmitted at the transport level
      -
        name: link-rx-packets
        type: uint
        doc: Number of packets received at the transport level
      -
        name: link-tx-packets
        type: uint
        doc: Number of packets transmitted at the transport level
  -
    name: keyconf
    attributes:
      -
        name: peer-id
        type: u32
        doc: >-
          The unique ID of the peer in the device context. To be used to
          identify peers during key operations
        checks:
          max: 0xFFFFFF
      -
        name: slot
        type: u32
        doc: The slot where the key should be stored
        enum: key-slot
      -
        name: key-id
        doc: >-
          The unique ID of the key in the peer context. Used to fetch the
          correct key upon decryption
        type: u32
        checks:
          max: 7
      -
        name: cipher-alg
        type: u32
        doc: The cipher to be used when communicating with the peer
        enum: cipher-alg
      -
        name: encrypt-dir
        type: nest
        doc: Key material for encrypt direction
        nested-attributes: keydir
      -
        name: decrypt-dir
        type: nest
        doc: Key material for decrypt direction
        nested-attributes: keydir
  -
    name: keydir
    attributes:
      -
        name: cipher-key
        type: binary
        doc: The actual key to be used by the cipher
        checks:
          max-len: 256
      -
        name: nonce-tail
        type: binary
        doc: >-
          Random nonce to be concatenated to the packet ID, in order to
          obtain the actual cipher IV
        checks:
          exact-len: nonce-tail-size
  -
    name: ovpn
    attributes:
      -
        name: ifindex
        type: u32
        doc: Index of the ovpn interface to operate on
      -
        name: peer
        type: nest
        doc: >-
          The peer object containing the attributed of interest for the specific
          operation
        nested-attributes: peer
      -
        name: keyconf
        type: nest
        doc: Peer specific cipher configuration
        nested-attributes: keyconf

operations:
  list:
    -
      name: peer-new
      attribute-set: ovpn
      flags: [ admin-perm ]
      doc: Add a remote peer
      do:
        pre: ovpn-nl-pre-doit
        post: ovpn-nl-post-doit
        request:
          attributes:
            - ifindex
            - peer
    -
      name: peer-set
      attribute-set: ovpn
      flags: [ admin-perm ]
      doc: modify a remote peer
      do:
        pre: ovpn-nl-pre-doit
        post: ovpn-nl-post-doit
        request:
          attributes:
            - ifindex
            - peer
    -
      name: peer-get
      attribute-set: ovpn
      flags: [ admin-perm ]
      doc: Retrieve data about existing remote peers (or a specific one)
      do:
        pre: ovpn-nl-pre-doit
        post: ovpn-nl-post-doit
        request:
          attributes:
            - ifindex
            - peer
        reply:
          attributes:
            - peer
      dump:
        request:
          attributes:
            - ifindex
        reply:
          attributes:
            - peer
    -
      name: peer-del
      attribute-set: ovpn
      flags: [ admin-perm ]
      doc: Delete existing remote peer
      do:
        pre: ovpn-nl-pre-doit
        post: ovpn-nl-post-doit
        request:
          attributes:
            - ifindex
            - peer
    -
      name: peer-del-ntf
      doc: Notification about a peer being deleted
      notify: peer-get
      mcgrp: peers

    -
      name: key-new
      attribute-set: ovpn
      flags: [ admin-perm ]
      doc: Add a cipher key for a specific peer
      do:
        pre: ovpn-nl-pre-doit
        post: ovpn-nl-post-doit
        request:
          attributes:
            - ifindex
            - keyconf
    -
      name: key-get
      attribute-set: ovpn
      flags: [ admin-perm ]
      doc: Retrieve non-sensitive data about peer key and cipher
      do:
        pre: ovpn-nl-pre-doit
        post: ovpn-nl-post-doit
        request:
          attributes:
            - ifindex
            - keyconf
        reply:
          attributes:
            - keyconf
    -
      name: key-swap
      attribute-set: ovpn
      flags: [ admin-perm ]
      doc: Swap primary and secondary session keys for a specific peer
      do:
        pre: ovpn-nl-pre-doit
        post: ovpn-nl-post-doit
        request:
          attributes:
            - ifindex
            - keyconf
    -
      name: key-swap-ntf
      notify: key-get
      doc: >-
        Notification about key having exhausted its IV space and requiring
        renegotiation
      mcgrp: peers
    -
      name: key-del
      attribute-set: ovpn
      flags: [ admin-perm ]
      doc: Delete cipher key for a specific peer
      do:
        pre: ovpn-nl-pre-doit
        post: ovpn-nl-post-doit
        request:
          attributes:
            - ifindex
            - keyconf

mcast-groups:
  list:
    -
      name: peers
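Review bot: The `cipher-key` attribute in the `keydir` set only bounds its length from above (`max-len: 256`), so the generated netlink policy accepts an empty key or any length up to 256 bytes, and the per-cipher length check (16/24/32 bytes for aes-gcm, 32 for chacha20-poly1305) presumably lives in the driver where this spec cannot express it; either add a `min-len` or state the contract in the doc, e.g. `doc: The actual key to be used by the cipher; lengths not valid for the selected cipher-alg are rejected`. Relatedly, `key-get` is documented as returning non-sensitive data, yet its reply lists the whole `keyconf` nest, which includes `encrypt-dir` and `decrypt-dir`; the doc of those two attributes should make the guarantee explicit, e.g. `doc: Key material for encrypt direction (accepted in requests only, never returned)`. Minor wording in the `ovpn` set: `attributed of interest` should read `attributes of interest`, and `modify a remote peer` should be capitalised like the sibling operation docs.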
+16 −0
@@ -938,6 +938,12 @@ definitions:
    entries:
      - name: none
      - name: default
  -
    name: ovpn-mode
    type: enum
    entries:
      - p2p
      - mp

attribute-sets:
  -
@@ -2272,6 +2278,13 @@ attribute-sets:
      -
        name: tailroom
        type: u16
  -
    name: linkinfo-ovpn-attrs
    attributes:
      -
        name: mode
        type: u8
        enum: ovpn-mode

sub-messages:
  -
@@ -2322,6 +2335,9 @@ sub-messages:
      -
        value: netkit
        attribute-set: linkinfo-netkit-attrs
      -
        value: ovpn
        attribute-set: linkinfo-ovpn-attrs
  -
    name: linkinfo-member-data-msg
    formats:
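Review bot: The new `ovpn-mode` enum and the `mode` attribute in `linkinfo-ovpn-attrs` carry no `doc:`, unlike every peer attribute in the ovpn.yaml added by the same series, so the generated uapi header gives no hint of what `p2p` and `mp` select (presumably point-to-point versus multi-peer operation; confirm against the driver). Suggest `doc: Operating mode of the ovpn interface, fixed at link creation` on the `mode` attribute and a one-line doc on the enum. The enum entries are also written as bare scalars (`- p2p`) while the neighbouring enum uses the `- name: none` mapping form; matching the existing form keeps the file consistent. The enclosing `definitions:` and `attribute-sets:` lists continue outside the hunk.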
+11 −0
@@ -18125,6 +18125,17 @@ F: arch/openrisc/
F:	drivers/irqchip/irq-ompic.c
F:	drivers/irqchip/irq-or1k-*
OPENVPN DATA CHANNEL OFFLOAD
M:	Antonio Quartulli <antonio@openvpn.net>
L:	openvpn-devel@lists.sourceforge.net (subscribers-only)
L:	netdev@vger.kernel.org
S:	Supported
T:	git https://github.com/OpenVPN/linux-kernel-ovpn.git
F:	Documentation/netlink/specs/ovpn.yaml
F:	drivers/net/ovpn/
F:	include/uapi/linux/ovpn.h
F:	tools/testing/selftests/net/ovpn/
OPENVSWITCH
M:	Aaron Conole <aconole@redhat.com>
M:	Eelco Chaudron <echaudro@redhat.com>
+15 −0
@@ -115,6 +115,21 @@ config WIREGUARD_DEBUG

	  Say N here unless you know what you're doing.

config OVPN
	tristate "OpenVPN data channel offload"
	depends on NET && INET
	depends on IPV6 || !IPV6
	select DST_CACHE
	select NET_UDP_TUNNEL
	select CRYPTO
	select CRYPTO_AES
	select CRYPTO_GCM
	select CRYPTO_CHACHA20POLY1305
	select STREAM_PARSER
	help
	  This module enhances the performance of the OpenVPN userspace software
	  by offloading the data channel processing to kernelspace.

config EQUALIZER
	tristate "EQL (serial line load balancing) support"
	help
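Review bot: The `config OVPN` help text omits the conventional module-name paragraph that the surrounding entries follow, so a user choosing M has no indication of the resulting module name; add `To compile this driver as a module, choose M here: the module will be called ovpn.` after the existing two lines. The `depends on IPV6 || !IPV6` line reads as a tautology to anyone unfamiliar with the idiom and deserves a comment such as `# OVPN must be a module when IPV6 is built as a module`, since it exists to prevent a built-in driver from referencing IPv6 symbols exported only by the ipv6 module. The help text could also state that only data-channel processing is offloaded and the OpenVPN control channel remains in userspace, which the cover letter describes but the Kconfig entry does not.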
+1 −0
@@ -11,6 +11,7 @@ obj-$(CONFIG_IPVLAN) += ipvlan/
obj-$(CONFIG_IPVTAP) += ipvlan/
obj-$(CONFIG_DUMMY) += dummy.o
obj-$(CONFIG_WIREGUARD) += wireguard/
obj-$(CONFIG_OVPN) += ovpn/
obj-$(CONFIG_EQUALIZER) += eql.o
obj-$(CONFIG_IFB) += ifb.o
obj-$(CONFIG_MACSEC) += macsec.o