2019-01-02 00:55:51 +00:00
|
|
|
/* SPDX-License-Identifier: MIT
|
2018-05-03 13:04:00 +00:00
|
|
|
*
|
2021-01-28 16:52:15 +00:00
|
|
|
* Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
|
2018-05-03 13:04:00 +00:00
|
|
|
*/
|
|
|
|
|
2019-03-03 03:04:41 +00:00
|
|
|
package device
|
2017-05-30 20:36:49 +00:00
|
|
|
|
|
|
|
import (
|
2017-06-28 21:45:45 +00:00
|
|
|
"runtime"
|
2017-05-30 20:36:49 +00:00
|
|
|
"sync"
|
2017-07-15 14:27:59 +00:00
|
|
|
"sync/atomic"
|
2017-08-11 14:18:20 +00:00
|
|
|
"time"
|
2019-05-14 07:09:52 +00:00
|
|
|
|
2019-11-07 16:13:05 +00:00
|
|
|
"golang.org/x/net/ipv4"
|
|
|
|
"golang.org/x/net/ipv6"
|
2021-01-29 17:24:45 +00:00
|
|
|
|
2019-11-07 16:13:05 +00:00
|
|
|
"golang.zx2c4.com/wireguard/conn"
|
2019-05-14 07:09:52 +00:00
|
|
|
"golang.zx2c4.com/wireguard/ratelimiter"
|
2019-11-07 16:13:05 +00:00
|
|
|
"golang.zx2c4.com/wireguard/rwcancel"
|
2019-05-14 07:09:52 +00:00
|
|
|
"golang.zx2c4.com/wireguard/tun"
|
2017-05-30 20:36:49 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
type Device struct {
|
2021-01-19 17:02:16 +00:00
|
|
|
log *Logger
|
2018-02-02 15:40:14 +00:00
|
|
|
|
|
|
|
// synchronized resources (locks acquired in order)
|
|
|
|
|
2018-01-26 21:52:32 +00:00
|
|
|
state struct {
|
2021-01-19 17:02:16 +00:00
|
|
|
// state holds the device's state. It is accessed atomically.
|
|
|
|
// Use the device.deviceState method to read it.
|
|
|
|
// If state.mu is (r)locked, state is the current state of the device.
|
|
|
|
// Without state.mu (r)locked, state is either the current state
|
|
|
|
// of the device or the intended future state of the device.
|
|
|
|
// For example, while executing a call to Up, state will be deviceStateUp.
|
|
|
|
// There is no guarantee that that intended future state of the device
|
|
|
|
// will become the actual state; Up can fail.
|
|
|
|
// The device can also change state multiple times between time of check and time of use.
|
|
|
|
// Unsynchronized uses of state must therefore be advisory/best-effort only.
|
|
|
|
state uint32 // actually a deviceState, but typed uint32 for conveniene
|
|
|
|
// stopping blocks until all inputs to Device have been closed.
|
2018-05-05 04:00:38 +00:00
|
|
|
stopping sync.WaitGroup
|
2021-01-19 17:02:16 +00:00
|
|
|
// mu protects state changes.
|
|
|
|
mu sync.Mutex
|
2018-01-26 21:52:32 +00:00
|
|
|
}
|
2018-02-02 15:40:14 +00:00
|
|
|
|
2017-07-14 12:25:18 +00:00
|
|
|
net struct {
|
2018-05-20 04:19:29 +00:00
|
|
|
stopping sync.WaitGroup
|
2019-01-03 18:04:00 +00:00
|
|
|
sync.RWMutex
|
2019-11-07 16:13:05 +00:00
|
|
|
bind conn.Bind // bind interface
|
|
|
|
netlinkCancel *rwcancel.RWCancel
|
|
|
|
port uint16 // listening port
|
|
|
|
fwmark uint32 // mark value (0 = disabled)
|
2017-06-30 12:41:08 +00:00
|
|
|
}
|
2018-02-02 15:40:14 +00:00
|
|
|
|
2018-05-13 21:14:43 +00:00
|
|
|
staticIdentity struct {
|
2019-01-03 18:04:00 +00:00
|
|
|
sync.RWMutex
|
2018-02-02 15:40:14 +00:00
|
|
|
privateKey NoisePrivateKey
|
|
|
|
publicKey NoisePublicKey
|
|
|
|
}
|
|
|
|
|
|
|
|
peers struct {
|
2020-12-16 01:44:21 +00:00
|
|
|
empty AtomicBool // empty reports whether len(keyMap) == 0
|
|
|
|
sync.RWMutex // protects keyMap
|
|
|
|
keyMap map[NoisePublicKey]*Peer
|
2018-02-02 15:40:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// unprotected / "self-synchronising resources"
|
|
|
|
|
2018-05-13 21:14:43 +00:00
|
|
|
allowedips AllowedIPs
|
|
|
|
indexTable IndexTable
|
|
|
|
cookieChecker CookieChecker
|
2018-02-02 15:40:14 +00:00
|
|
|
|
|
|
|
rate struct {
|
2021-01-29 17:54:19 +00:00
|
|
|
underLoadUntil int64
|
2018-02-12 21:29:11 +00:00
|
|
|
limiter ratelimiter.Ratelimiter
|
2018-02-02 15:40:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
pool struct {
|
2021-02-02 17:37:49 +00:00
|
|
|
messageBuffers *WaitPool
|
|
|
|
inboundElements *WaitPool
|
|
|
|
outboundElements *WaitPool
|
2018-02-02 15:40:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
queue struct {
|
2021-01-29 13:54:11 +00:00
|
|
|
encryption *outboundQueue
|
|
|
|
decryption *inboundQueue
|
2021-01-29 17:24:45 +00:00
|
|
|
handshake *handshakeQueue
|
2017-06-28 21:45:45 +00:00
|
|
|
}
|
2018-02-02 15:40:14 +00:00
|
|
|
|
|
|
|
tun struct {
|
2019-06-10 21:33:40 +00:00
|
|
|
device tun.Device
|
2018-02-02 15:40:14 +00:00
|
|
|
mtu int32
|
|
|
|
}
|
2021-01-28 14:26:22 +00:00
|
|
|
|
|
|
|
ipcMutex sync.RWMutex
|
2021-01-29 17:24:45 +00:00
|
|
|
closed chan struct{}
|
2017-06-01 19:31:30 +00:00
|
|
|
}
|
|
|
|
|
2021-01-19 17:02:16 +00:00
|
|
|
// deviceState represents the state of a Device.
|
|
|
|
// There are four states: new, down, up, closed.
|
|
|
|
// However, state new should never be observable.
|
|
|
|
// Transitions:
|
|
|
|
//
|
|
|
|
// new -> down -----+
|
|
|
|
// ↑↓ ↓
|
|
|
|
// up -> closed
|
|
|
|
//
|
|
|
|
type deviceState uint32
|
|
|
|
|
|
|
|
//go:generate stringer -type deviceState -trimprefix=deviceState
|
|
|
|
const (
|
|
|
|
deviceStateNew deviceState = iota
|
|
|
|
deviceStateDown
|
|
|
|
deviceStateUp
|
|
|
|
deviceStateClosed
|
|
|
|
)
|
|
|
|
|
|
|
|
// deviceState returns device.state.state as a deviceState
|
|
|
|
// See those docs for how to interpret this value.
|
|
|
|
func (device *Device) deviceState() deviceState {
|
|
|
|
return deviceState(atomic.LoadUint32(&device.state.state))
|
|
|
|
}
|
|
|
|
|
|
|
|
// isClosed reports whether the device is closed (or is closing).
|
|
|
|
// See device.state.state comments for how to interpret this value.
|
|
|
|
func (device *Device) isClosed() bool {
|
|
|
|
return device.deviceState() == deviceStateClosed
|
|
|
|
}
|
|
|
|
|
|
|
|
// isUp reports whether the device is up (or is attempting to come up).
|
|
|
|
// See device.state.state comments for how to interpret this value.
|
|
|
|
func (device *Device) isUp() bool {
|
|
|
|
return device.deviceState() == deviceStateUp
|
|
|
|
}
|
|
|
|
|
2021-01-29 13:54:11 +00:00
|
|
|
// An outboundQueue is a channel of QueueOutboundElements awaiting encryption.
|
|
|
|
// An outboundQueue is ref-counted using its wg field.
|
|
|
|
// An outboundQueue created with newOutboundQueue has one reference.
|
2020-12-14 23:07:23 +00:00
|
|
|
// Every additional writer must call wg.Add(1).
|
|
|
|
// Every completed writer must call wg.Done().
|
|
|
|
// When no further writers will be added,
|
|
|
|
// call wg.Done to remove the initial reference.
|
|
|
|
// When the refcount hits 0, the queue's channel is closed.
|
2021-01-29 13:54:11 +00:00
|
|
|
type outboundQueue struct {
|
2020-12-14 23:07:23 +00:00
|
|
|
c chan *QueueOutboundElement
|
|
|
|
wg sync.WaitGroup
|
|
|
|
}
|
|
|
|
|
2021-01-29 13:54:11 +00:00
|
|
|
func newOutboundQueue() *outboundQueue {
|
|
|
|
q := &outboundQueue{
|
2020-12-14 23:07:23 +00:00
|
|
|
c: make(chan *QueueOutboundElement, QueueOutboundSize),
|
|
|
|
}
|
|
|
|
q.wg.Add(1)
|
|
|
|
go func() {
|
|
|
|
q.wg.Wait()
|
|
|
|
close(q.c)
|
|
|
|
}()
|
|
|
|
return q
|
|
|
|
}
|
|
|
|
|
2021-01-29 13:54:11 +00:00
|
|
|
// A inboundQueue is similar to an outboundQueue; see those docs.
|
|
|
|
type inboundQueue struct {
|
2021-01-12 01:34:02 +00:00
|
|
|
c chan *QueueInboundElement
|
|
|
|
wg sync.WaitGroup
|
|
|
|
}
|
|
|
|
|
2021-01-29 13:54:11 +00:00
|
|
|
func newInboundQueue() *inboundQueue {
|
|
|
|
q := &inboundQueue{
|
2021-01-12 01:34:02 +00:00
|
|
|
c: make(chan *QueueInboundElement, QueueInboundSize),
|
|
|
|
}
|
|
|
|
q.wg.Add(1)
|
|
|
|
go func() {
|
|
|
|
q.wg.Wait()
|
|
|
|
close(q.c)
|
|
|
|
}()
|
|
|
|
return q
|
|
|
|
}
|
|
|
|
|
2021-01-29 17:24:45 +00:00
|
|
|
// A handshakeQueue is similar to an outboundQueue; see those docs.
|
|
|
|
type handshakeQueue struct {
|
|
|
|
c chan QueueHandshakeElement
|
|
|
|
wg sync.WaitGroup
|
|
|
|
}
|
|
|
|
|
|
|
|
func newHandshakeQueue() *handshakeQueue {
|
|
|
|
q := &handshakeQueue{
|
|
|
|
c: make(chan QueueHandshakeElement, QueueHandshakeSize),
|
|
|
|
}
|
|
|
|
q.wg.Add(1)
|
|
|
|
go func() {
|
|
|
|
q.wg.Wait()
|
|
|
|
close(q.c)
|
|
|
|
}()
|
|
|
|
return q
|
|
|
|
}
|
|
|
|
|
2018-02-02 15:40:14 +00:00
|
|
|
/* Converts the peer into a "zombie", which remains in the peer map,
|
|
|
|
* but processes no packets and does not exists in the routing table.
|
|
|
|
*
|
2019-01-03 18:04:00 +00:00
|
|
|
* Must hold device.peers.Mutex
|
2018-02-02 15:40:14 +00:00
|
|
|
*/
|
|
|
|
func unsafeRemovePeer(device *Device, peer *Peer, key NoisePublicKey) {
|
|
|
|
// stop routing and processing of packets
|
2018-05-13 21:14:43 +00:00
|
|
|
device.allowedips.RemoveByPeer(peer)
|
2018-02-02 15:40:14 +00:00
|
|
|
peer.Stop()
|
|
|
|
|
|
|
|
// remove from peer map
|
|
|
|
delete(device.peers.keyMap, key)
|
2020-12-16 01:44:21 +00:00
|
|
|
device.peers.empty.Set(len(device.peers.keyMap) == 0)
|
2018-02-02 15:40:14 +00:00
|
|
|
}
|
|
|
|
|
2021-01-19 17:02:16 +00:00
|
|
|
// changeState attempts to change the device state to match want.
|
|
|
|
func (device *Device) changeState(want deviceState) {
|
|
|
|
device.state.mu.Lock()
|
|
|
|
defer device.state.mu.Unlock()
|
|
|
|
old := device.deviceState()
|
|
|
|
if old == deviceStateClosed {
|
|
|
|
// once closed, always closed
|
|
|
|
device.log.Verbosef("Interface closed, ignored requested state %s", want)
|
2018-01-26 21:52:32 +00:00
|
|
|
return
|
|
|
|
}
|
2021-01-19 17:02:16 +00:00
|
|
|
switch want {
|
|
|
|
case old:
|
|
|
|
device.log.Verbosef("Interface already in state %s", want)
|
2018-02-04 15:46:24 +00:00
|
|
|
return
|
2021-01-19 17:02:16 +00:00
|
|
|
case deviceStateUp:
|
|
|
|
atomic.StoreUint32(&device.state.state, uint32(deviceStateUp))
|
|
|
|
if ok := device.upLocked(); ok {
|
2018-02-04 15:46:24 +00:00
|
|
|
break
|
|
|
|
}
|
2021-01-19 17:02:16 +00:00
|
|
|
fallthrough // up failed; bring the device all the way back down
|
|
|
|
case deviceStateDown:
|
|
|
|
atomic.StoreUint32(&device.state.state, uint32(deviceStateDown))
|
|
|
|
device.downLocked()
|
2018-02-04 15:46:24 +00:00
|
|
|
}
|
2021-01-19 17:02:16 +00:00
|
|
|
device.log.Verbosef("Interface state was %s, requested %s, now %s", old, want, device.deviceState())
|
|
|
|
}
|
2018-01-26 21:52:32 +00:00
|
|
|
|
2021-01-19 17:02:16 +00:00
|
|
|
// upLocked attempts to bring the device up and reports whether it succeeded.
|
|
|
|
// The caller must hold device.state.mu and is responsible for updating device.state.state.
|
|
|
|
func (device *Device) upLocked() bool {
|
|
|
|
if err := device.BindUpdate(); err != nil {
|
|
|
|
device.log.Errorf("Unable to update bind: %v", err)
|
|
|
|
return false
|
|
|
|
}
|
2018-01-26 21:52:32 +00:00
|
|
|
|
2021-01-19 17:02:16 +00:00
|
|
|
device.peers.RLock()
|
|
|
|
for _, peer := range device.peers.keyMap {
|
|
|
|
peer.Start()
|
|
|
|
if atomic.LoadUint32(&peer.persistentKeepaliveInterval) > 0 {
|
|
|
|
peer.SendKeepalive()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
device.peers.RUnlock()
|
|
|
|
return true
|
2017-12-29 16:42:09 +00:00
|
|
|
}
|
|
|
|
|
2021-01-19 17:02:16 +00:00
|
|
|
// downLocked attempts to bring the device down.
|
|
|
|
// The caller must hold device.state.mu and is responsible for updating device.state.state.
|
|
|
|
func (device *Device) downLocked() {
|
|
|
|
err := device.BindClose()
|
|
|
|
if err != nil {
|
|
|
|
device.log.Errorf("Bind close failed: %v", err)
|
|
|
|
}
|
2017-12-29 16:42:09 +00:00
|
|
|
|
2021-01-19 17:02:16 +00:00
|
|
|
device.peers.RLock()
|
|
|
|
for _, peer := range device.peers.keyMap {
|
|
|
|
peer.Stop()
|
2018-01-13 08:00:37 +00:00
|
|
|
}
|
2021-01-19 17:02:16 +00:00
|
|
|
device.peers.RUnlock()
|
|
|
|
}
|
2018-01-13 08:00:37 +00:00
|
|
|
|
2021-01-19 17:02:16 +00:00
|
|
|
func (device *Device) Up() {
|
|
|
|
device.changeState(deviceStateUp)
|
2018-01-26 21:52:32 +00:00
|
|
|
}
|
2018-01-13 08:00:37 +00:00
|
|
|
|
2018-01-26 21:52:32 +00:00
|
|
|
func (device *Device) Down() {
|
2021-01-19 17:02:16 +00:00
|
|
|
device.changeState(deviceStateDown)
|
2017-12-29 16:42:09 +00:00
|
|
|
}
|
|
|
|
|
2017-08-11 14:18:20 +00:00
|
|
|
func (device *Device) IsUnderLoad() bool {
|
|
|
|
// check if currently under load
|
|
|
|
now := time.Now()
|
2021-01-29 17:24:45 +00:00
|
|
|
underLoad := len(device.queue.handshake.c) >= UnderLoadQueueSize
|
2017-08-11 14:18:20 +00:00
|
|
|
if underLoad {
|
2021-01-29 17:54:19 +00:00
|
|
|
atomic.StoreInt64(&device.rate.underLoadUntil, now.Add(UnderLoadAfterTime).UnixNano())
|
2017-08-11 14:18:20 +00:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
// check if recently under load
|
2021-01-29 17:54:19 +00:00
|
|
|
return atomic.LoadInt64(&device.rate.underLoadUntil) > now.UnixNano()
|
2017-08-11 14:18:20 +00:00
|
|
|
}
|
|
|
|
|
2017-08-04 14:15:53 +00:00
|
|
|
func (device *Device) SetPrivateKey(sk NoisePrivateKey) error {
|
2018-02-02 15:40:14 +00:00
|
|
|
// lock required resources
|
|
|
|
|
2019-01-03 18:04:00 +00:00
|
|
|
device.staticIdentity.Lock()
|
|
|
|
defer device.staticIdentity.Unlock()
|
2018-02-02 15:40:14 +00:00
|
|
|
|
2019-07-11 15:36:36 +00:00
|
|
|
if sk.Equals(device.staticIdentity.privateKey) {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-01-03 18:04:00 +00:00
|
|
|
device.peers.Lock()
|
|
|
|
defer device.peers.Unlock()
|
2018-02-02 15:40:14 +00:00
|
|
|
|
2019-08-05 15:46:34 +00:00
|
|
|
lockedPeers := make([]*Peer, 0, len(device.peers.keyMap))
|
2018-02-02 15:40:14 +00:00
|
|
|
for _, peer := range device.peers.keyMap {
|
|
|
|
peer.handshake.mutex.RLock()
|
2019-08-05 15:46:34 +00:00
|
|
|
lockedPeers = append(lockedPeers, peer)
|
2018-02-02 15:40:14 +00:00
|
|
|
}
|
2017-06-24 13:34:17 +00:00
|
|
|
|
2017-08-07 13:25:04 +00:00
|
|
|
// remove peers with matching public keys
|
2017-08-04 14:15:53 +00:00
|
|
|
|
|
|
|
publicKey := sk.publicKey()
|
2018-02-02 15:40:14 +00:00
|
|
|
for key, peer := range device.peers.keyMap {
|
|
|
|
if peer.handshake.remoteStatic.Equals(publicKey) {
|
2021-01-27 14:53:21 +00:00
|
|
|
peer.handshake.mutex.RUnlock()
|
2018-02-02 15:40:14 +00:00
|
|
|
unsafeRemovePeer(device, peer, key)
|
2021-01-27 14:53:21 +00:00
|
|
|
peer.handshake.mutex.RLock()
|
2017-08-04 14:15:53 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-06-24 13:34:17 +00:00
|
|
|
// update key material
|
|
|
|
|
2018-05-13 21:14:43 +00:00
|
|
|
device.staticIdentity.privateKey = sk
|
|
|
|
device.staticIdentity.publicKey = publicKey
|
|
|
|
device.cookieChecker.Init(publicKey)
|
2017-06-24 13:34:17 +00:00
|
|
|
|
2018-02-02 15:40:14 +00:00
|
|
|
// do static-static DH pre-computations
|
|
|
|
|
2019-08-05 15:46:34 +00:00
|
|
|
expiredPeers := make([]*Peer, 0, len(device.peers.keyMap))
|
2020-02-04 17:08:51 +00:00
|
|
|
for _, peer := range device.peers.keyMap {
|
2018-05-14 10:27:29 +00:00
|
|
|
handshake := &peer.handshake
|
2020-02-04 17:08:51 +00:00
|
|
|
handshake.precomputedStaticStatic = device.staticIdentity.privateKey.sharedSecret(handshake.remoteStatic)
|
|
|
|
expiredPeers = append(expiredPeers, peer)
|
2017-06-23 11:41:59 +00:00
|
|
|
}
|
2017-08-04 14:15:53 +00:00
|
|
|
|
2019-08-05 15:46:34 +00:00
|
|
|
for _, peer := range lockedPeers {
|
|
|
|
peer.handshake.mutex.RUnlock()
|
|
|
|
}
|
|
|
|
for _, peer := range expiredPeers {
|
|
|
|
peer.ExpireCurrentKeypairs()
|
|
|
|
}
|
|
|
|
|
2017-08-04 14:15:53 +00:00
|
|
|
return nil
|
2017-06-23 11:41:59 +00:00
|
|
|
}
|
|
|
|
|
2019-06-10 21:33:40 +00:00
|
|
|
func NewDevice(tunDevice tun.Device, logger *Logger) *Device {
|
2017-06-28 21:45:45 +00:00
|
|
|
device := new(Device)
|
2021-01-19 17:02:16 +00:00
|
|
|
device.state.state = uint32(deviceStateDown)
|
2021-01-29 17:24:45 +00:00
|
|
|
device.closed = make(chan struct{})
|
2017-11-14 17:26:28 +00:00
|
|
|
device.log = logger
|
2018-05-23 00:10:54 +00:00
|
|
|
device.tun.device = tunDevice
|
2018-04-18 14:39:14 +00:00
|
|
|
mtu, err := device.tun.device.MTU()
|
|
|
|
if err != nil {
|
2021-01-26 22:05:48 +00:00
|
|
|
device.log.Errorf("Trouble determining MTU, assuming default: %v", err)
|
2018-04-19 13:52:59 +00:00
|
|
|
mtu = DefaultMTU
|
2018-04-18 14:39:14 +00:00
|
|
|
}
|
|
|
|
device.tun.mtu = int32(mtu)
|
2018-02-02 15:40:14 +00:00
|
|
|
device.peers.keyMap = make(map[NoisePublicKey]*Peer)
|
|
|
|
device.rate.limiter.Init()
|
2018-05-13 16:23:40 +00:00
|
|
|
device.indexTable.Init()
|
2018-09-22 04:29:02 +00:00
|
|
|
device.PopulatePools()
|
2017-07-14 12:25:18 +00:00
|
|
|
|
2017-06-30 12:41:08 +00:00
|
|
|
// create queues
|
|
|
|
|
2021-01-29 17:24:45 +00:00
|
|
|
device.queue.handshake = newHandshakeQueue()
|
2021-01-29 13:54:11 +00:00
|
|
|
device.queue.encryption = newOutboundQueue()
|
|
|
|
device.queue.decryption = newInboundQueue()
|
2017-07-01 21:29:22 +00:00
|
|
|
|
2017-11-11 14:43:55 +00:00
|
|
|
// prepare net
|
|
|
|
|
|
|
|
device.net.port = 0
|
|
|
|
device.net.bind = nil
|
|
|
|
|
2017-06-28 21:45:45 +00:00
|
|
|
// start workers
|
|
|
|
|
2018-05-05 04:00:38 +00:00
|
|
|
cpus := runtime.NumCPU()
|
2018-05-16 20:20:15 +00:00
|
|
|
device.state.stopping.Wait()
|
2020-12-22 19:38:24 +00:00
|
|
|
for i := 0; i < cpus; i++ {
|
2017-06-28 21:45:45 +00:00
|
|
|
go device.RoutineEncryption()
|
2017-07-01 21:29:22 +00:00
|
|
|
go device.RoutineDecryption()
|
|
|
|
go device.RoutineHandshake()
|
2017-06-28 21:45:45 +00:00
|
|
|
}
|
2017-12-01 22:37:26 +00:00
|
|
|
|
2021-02-08 18:19:28 +00:00
|
|
|
device.state.stopping.Add(1) // read from TUN
|
2017-10-07 20:35:23 +00:00
|
|
|
go device.RoutineReadFromTUN()
|
2017-08-07 13:25:04 +00:00
|
|
|
go device.RoutineTUNEventReader()
|
2017-12-01 22:37:26 +00:00
|
|
|
|
2017-06-28 21:45:45 +00:00
|
|
|
return device
|
2017-06-24 13:34:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (device *Device) LookupPeer(pk NoisePublicKey) *Peer {
|
2019-01-03 18:04:00 +00:00
|
|
|
device.peers.RLock()
|
|
|
|
defer device.peers.RUnlock()
|
2018-02-02 15:40:14 +00:00
|
|
|
|
|
|
|
return device.peers.keyMap[pk]
|
2017-06-24 13:34:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (device *Device) RemovePeer(key NoisePublicKey) {
|
2019-01-03 18:04:00 +00:00
|
|
|
device.peers.Lock()
|
|
|
|
defer device.peers.Unlock()
|
2018-02-02 15:40:14 +00:00
|
|
|
// stop peer and remove from routing
|
|
|
|
|
|
|
|
peer, ok := device.peers.keyMap[key]
|
|
|
|
if ok {
|
|
|
|
unsafeRemovePeer(device, peer, key)
|
|
|
|
}
|
2017-06-01 19:31:30 +00:00
|
|
|
}
|
|
|
|
|
2017-06-24 13:34:17 +00:00
|
|
|
func (device *Device) RemoveAllPeers() {
|
2019-01-03 18:04:00 +00:00
|
|
|
device.peers.Lock()
|
|
|
|
defer device.peers.Unlock()
|
2018-02-02 15:40:14 +00:00
|
|
|
|
|
|
|
for key, peer := range device.peers.keyMap {
|
|
|
|
unsafeRemovePeer(device, peer, key)
|
2017-06-01 19:31:30 +00:00
|
|
|
}
|
2018-02-02 15:40:14 +00:00
|
|
|
|
|
|
|
device.peers.keyMap = make(map[NoisePublicKey]*Peer)
|
2017-05-30 20:36:49 +00:00
|
|
|
}
|
2017-06-30 12:41:08 +00:00
|
|
|
|
|
|
|
func (device *Device) Close() {
|
2021-01-19 17:02:16 +00:00
|
|
|
device.state.mu.Lock()
|
|
|
|
defer device.state.mu.Unlock()
|
|
|
|
if device.isClosed() {
|
2017-11-17 16:25:45 +00:00
|
|
|
return
|
|
|
|
}
|
2021-01-19 17:02:16 +00:00
|
|
|
atomic.StoreUint32(&device.state.state, uint32(deviceStateClosed))
|
2021-01-26 22:05:48 +00:00
|
|
|
device.log.Verbosef("Device closing")
|
2018-05-01 14:59:13 +00:00
|
|
|
|
2017-11-11 22:26:44 +00:00
|
|
|
device.tun.device.Close()
|
2021-01-19 17:02:16 +00:00
|
|
|
device.downLocked()
|
2018-05-01 14:59:13 +00:00
|
|
|
|
2021-02-02 18:46:34 +00:00
|
|
|
// Remove peers before closing queues,
|
|
|
|
// because peers assume that queues are active.
|
|
|
|
device.RemoveAllPeers()
|
|
|
|
|
2021-01-12 01:34:02 +00:00
|
|
|
// We kept a reference to the encryption and decryption queues,
|
|
|
|
// in case we started any new peers that might write to them.
|
|
|
|
// No new peers are coming; we are done with these queues.
|
2020-12-14 23:07:23 +00:00
|
|
|
device.queue.encryption.wg.Done()
|
2021-01-12 01:34:02 +00:00
|
|
|
device.queue.decryption.wg.Done()
|
2021-01-29 17:24:45 +00:00
|
|
|
device.queue.handshake.wg.Done()
|
2020-06-24 05:35:41 +00:00
|
|
|
device.state.stopping.Wait()
|
2018-05-01 14:59:13 +00:00
|
|
|
|
2018-02-11 21:53:39 +00:00
|
|
|
device.rate.limiter.Close()
|
2018-05-01 14:59:13 +00:00
|
|
|
|
2021-01-19 17:02:16 +00:00
|
|
|
device.log.Verbosef("Device closed")
|
2021-01-29 17:24:45 +00:00
|
|
|
close(device.closed)
|
2017-07-13 12:32:40 +00:00
|
|
|
}
|
|
|
|
|
2017-12-01 22:37:26 +00:00
|
|
|
func (device *Device) Wait() chan struct{} {
|
2021-01-29 17:24:45 +00:00
|
|
|
return device.closed
|
2017-06-30 12:41:08 +00:00
|
|
|
}
|
2019-05-30 13:15:54 +00:00
|
|
|
|
|
|
|
func (device *Device) SendKeepalivesToPeersWithCurrentKeypair() {
|
2021-01-19 17:02:16 +00:00
|
|
|
if !device.isUp() {
|
2019-05-30 13:15:54 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
device.peers.RLock()
|
|
|
|
for _, peer := range device.peers.keyMap {
|
|
|
|
peer.keypairs.RLock()
|
|
|
|
sendKeepalive := peer.keypairs.current != nil && !peer.keypairs.current.created.Add(RejectAfterTime).Before(time.Now())
|
|
|
|
peer.keypairs.RUnlock()
|
|
|
|
if sendKeepalive {
|
|
|
|
peer.SendKeepalive()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
device.peers.RUnlock()
|
|
|
|
}
|
2019-11-07 16:13:05 +00:00
|
|
|
|
|
|
|
func unsafeCloseBind(device *Device) error {
|
|
|
|
var err error
|
|
|
|
netc := &device.net
|
|
|
|
if netc.netlinkCancel != nil {
|
|
|
|
netc.netlinkCancel.Cancel()
|
|
|
|
}
|
|
|
|
if netc.bind != nil {
|
|
|
|
err = netc.bind.Close()
|
|
|
|
netc.bind = nil
|
|
|
|
}
|
|
|
|
netc.stopping.Wait()
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2020-06-22 00:42:28 +00:00
|
|
|
func (device *Device) Bind() conn.Bind {
|
|
|
|
device.net.Lock()
|
|
|
|
defer device.net.Unlock()
|
|
|
|
return device.net.bind
|
|
|
|
}
|
|
|
|
|
2019-11-07 16:13:05 +00:00
|
|
|
func (device *Device) BindSetMark(mark uint32) error {
|
|
|
|
device.net.Lock()
|
|
|
|
defer device.net.Unlock()
|
|
|
|
|
|
|
|
// check if modified
|
|
|
|
if device.net.fwmark == mark {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// update fwmark on existing bind
|
|
|
|
device.net.fwmark = mark
|
2021-01-19 17:02:16 +00:00
|
|
|
if device.isUp() && device.net.bind != nil {
|
2019-11-07 16:13:05 +00:00
|
|
|
if err := device.net.bind.SetMark(mark); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// clear cached source addresses
|
|
|
|
device.peers.RLock()
|
|
|
|
for _, peer := range device.peers.keyMap {
|
|
|
|
peer.Lock()
|
|
|
|
defer peer.Unlock()
|
|
|
|
if peer.endpoint != nil {
|
|
|
|
peer.endpoint.ClearSrc()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
device.peers.RUnlock()
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (device *Device) BindUpdate() error {
|
|
|
|
device.net.Lock()
|
|
|
|
defer device.net.Unlock()
|
|
|
|
|
|
|
|
// close existing sockets
|
|
|
|
if err := unsafeCloseBind(device); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// open new sockets
|
2021-01-19 17:02:16 +00:00
|
|
|
if !device.isUp() {
|
|
|
|
return nil
|
|
|
|
}
|
2019-11-07 16:13:05 +00:00
|
|
|
|
2021-01-19 17:02:16 +00:00
|
|
|
// bind to new port
|
|
|
|
var err error
|
|
|
|
netc := &device.net
|
|
|
|
netc.bind, netc.port, err = conn.CreateBind(netc.port)
|
|
|
|
if err != nil {
|
|
|
|
netc.bind = nil
|
|
|
|
netc.port = 0
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
netc.netlinkCancel, err = device.startRouteListener(netc.bind)
|
|
|
|
if err != nil {
|
|
|
|
netc.bind.Close()
|
|
|
|
netc.bind = nil
|
|
|
|
netc.port = 0
|
|
|
|
return err
|
|
|
|
}
|
2019-11-07 16:13:05 +00:00
|
|
|
|
2021-01-19 17:02:16 +00:00
|
|
|
// set fwmark
|
|
|
|
if netc.fwmark != 0 {
|
|
|
|
err = netc.bind.SetMark(netc.fwmark)
|
2019-11-07 16:13:05 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2021-01-19 17:02:16 +00:00
|
|
|
}
|
2019-11-07 16:13:05 +00:00
|
|
|
|
2021-01-19 17:02:16 +00:00
|
|
|
// clear cached source addresses
|
|
|
|
device.peers.RLock()
|
|
|
|
for _, peer := range device.peers.keyMap {
|
|
|
|
peer.Lock()
|
|
|
|
defer peer.Unlock()
|
|
|
|
if peer.endpoint != nil {
|
|
|
|
peer.endpoint.ClearSrc()
|
2019-11-07 16:13:05 +00:00
|
|
|
}
|
|
|
|
}
|
2021-01-19 17:02:16 +00:00
|
|
|
device.peers.RUnlock()
|
|
|
|
|
|
|
|
// start receiving routines
|
|
|
|
device.net.stopping.Add(2)
|
|
|
|
device.queue.decryption.wg.Add(2) // each RoutineReceiveIncoming goroutine writes to device.queue.decryption
|
|
|
|
device.queue.handshake.wg.Add(2) // each RoutineReceiveIncoming goroutine writes to device.queue.handshake
|
|
|
|
go device.RoutineReceiveIncoming(ipv4.Version, netc.bind)
|
|
|
|
go device.RoutineReceiveIncoming(ipv6.Version, netc.bind)
|
2019-11-07 16:13:05 +00:00
|
|
|
|
2021-01-19 17:02:16 +00:00
|
|
|
device.log.Verbosef("UDP bind has been updated")
|
2019-11-07 16:13:05 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (device *Device) BindClose() error {
|
|
|
|
device.net.Lock()
|
|
|
|
err := unsafeCloseBind(device)
|
|
|
|
device.net.Unlock()
|
|
|
|
return err
|
|
|
|
}
|