Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

This caused certain packets to be rejected that shouldn't be rejected,
in the case of certain scatter-gather ethernet drivers doing GRO pulling
right up to the UDP bounds but not beyond. This caused certain TCP
connections to fail.

Thanks very much to Reuben for providing access to the machine to debug
this regression.

Reported-by: Reuben Martin <reuben.m@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

This way is more correct and ensures we're within the skb head.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

This logic belongs upstream.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

This helps "unstick" stuck source addresses, when changing routes
dynamically.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

This not only removes the depenency on x_tables, but it also gives us
much better performance and memory usage. Now, systems are able to have
millions of WireGuard interfaces, without having to worry about a
thundering herd of garbage collection.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

We can let the compiler optimize how it sees fit.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

This greatly improves performance when adding and removing interfaces,
since the power registration function does a linear search each time.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

We can let userspace configure wireguard interfaces before the RNG is
fully initialized, since what we mostly care about is having good
randomness for ephemerals and xchacha nonces. By deferring the wait to
actually asking for the randomness, we give a lot more opportunity for
gathering entropy. This won't cover entropy for hash table secrets or
cookie secrets (which rotate anyway), but those have far less
catastrophic failure modes, so ensuring good randomness for elliptic
curve points and nonces should be sufficient.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

It's possible that get_random_bytes() will return bad randomness if it
hasn't been seeded. This patch makes configuration block until the RNG
is properly initialized.

Reference: http://www.openwall.com/lists/kernel-hardening/2017/06/02/2


Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Replacing an entry that's already been replaced is something that could
happen when processing handshake messages in parallel, when starting up
multiple instances on the same machine.

Reported-by: Hubert Goisern <zweizweizwoelf@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

It's different on different kernel versions, and we're not using it
anyway, so it's easiest to just get rid of it, rather than having
another ifdef maze.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>