25 #if defined(ENABLE_DCO) && defined(TARGET_FREEBSD)
29 #include <sys/param.h>
30 #include <sys/linker.h>
32 #include <sys/utsname.h>
34 #include <netinet/in.h>
44 sockaddr_to_nvlist(
const struct sockaddr *sa)
46 nvlist_t *nvl = nvlist_create(0);
48 nvlist_add_number(nvl,
"af", sa->sa_family);
50 switch (sa->sa_family)
54 const struct sockaddr_in *in = (
const struct sockaddr_in *)sa;
55 nvlist_add_binary(nvl,
"address", &in->sin_addr,
sizeof(in->sin_addr));
56 nvlist_add_number(nvl,
"port", in->sin_port);
62 const struct sockaddr_in6 *in6 = (
const struct sockaddr_in6 *)sa;
63 nvlist_add_binary(nvl,
"address", &in6->sin6_addr,
sizeof(in6->sin6_addr));
64 nvlist_add_number(nvl,
"port", in6->sin6_port);
77 struct sockaddr *localaddr,
struct sockaddr *remoteaddr,
78 struct in_addr *remote_in4,
struct in6_addr *remote_in6)
84 nvl = nvlist_create(0);
90 nvlist_add_nvlist(nvl,
"local", sockaddr_to_nvlist(localaddr));
95 nvlist_add_nvlist(nvl,
"remote", sockaddr_to_nvlist(remoteaddr));
100 nvlist_add_binary(nvl,
"vpn_ipv4", &remote_in4->s_addr,
101 sizeof(remote_in4->s_addr));
106 nvlist_add_binary(nvl,
"vpn_ipv6", remote_in6,
sizeof(*remote_in6));
109 nvlist_add_number(nvl,
"fd", sd);
110 nvlist_add_number(nvl,
"peerid", peerid);
113 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
115 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
117 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
134 ret = pipe2(dco->pipefd, O_CLOEXEC | O_NONBLOCK);
140 dco->fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
152 close(dco->pipefd[0]);
153 close(dco->pipefd[1]);
160 if (open_fd(dco) < 0)
162 msg(
M_ERR,
"Failed to open socket");
175 nvl = nvlist_create(0);
176 nvlist_add_number(nvl,
"ifmode", ifmode);
179 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
181 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
183 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
196 create_interface(
struct tuntap *tt,
const char *dev)
204 snprintf(ifr.ifr_name, IFNAMSIZ,
"ovpn");
205 ret = ioctl(tt->
dco.fd, SIOCIFCREATE2, &ifr);
209 msg(
M_WARN|
M_ERRNO,
"Failed to create interface %s (SIOCIFCREATE2)", ifr.ifr_name);
214 if (!strcmp(dev,
"tun"))
216 ifr.ifr_data =
"ovpn";
220 ifr.ifr_data = (
char *)dev;
222 ret = ioctl(tt->
dco.fd, SIOCSIFNAME, &ifr);
227 (void)ioctl(tt->
dco.fd, SIOCIFDESTROY, &ifr);
228 msg(
M_WARN|
M_ERRNO,
"Failed to create interface %s (SIOCSIFNAME)", ifr.ifr_data);
232 snprintf(tt->
dco.ifname, IFNAMSIZ,
"%s", ifr.ifr_data);
235 int i = IFF_POINTOPOINT | IFF_MULTICAST;
238 i = IFF_BROADCAST | IFF_MULTICAST;
240 dco_set_ifmode(&tt->
dco, i);
246 remove_interface(
struct tuntap *tt)
252 snprintf(ifr.ifr_name, IFNAMSIZ,
"%s", tt->
dco.ifname);
254 ret = ioctl(tt->
dco.fd, SIOCIFDESTROY, &ifr);
260 tt->
dco.ifname[0] = 0;
268 return create_interface(tt, dev);
274 remove_interface(tt);
287 nvl = nvlist_create(0);
288 nvlist_add_number(nvl,
"peerid", peerid);
291 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
293 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
295 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
316 nvl = nvlist_create(0);
317 nvlist_add_number(nvl,
"peerid", peerid);
320 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
322 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
324 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
344 msg(
D_DCO_DEBUG,
"%s: peer-id %d, slot %d", __func__, peerid, slot);
346 nvl = nvlist_create(0);
347 nvlist_add_number(nvl,
"slot", slot);
348 nvlist_add_number(nvl,
"peerid", peerid);
351 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
353 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
355 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
368 key_to_nvlist(
const uint8_t *
key,
const uint8_t *implicit_iv,
const char *ciphername)
373 nvl = nvlist_create(0);
375 nvlist_add_string(nvl,
"cipher", ciphername);
377 if (strcmp(ciphername,
"none") != 0)
381 nvlist_add_binary(nvl,
"key",
key, key_len);
382 nvlist_add_binary(nvl,
"iv", implicit_iv, 8);
395 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
398 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
410 const uint8_t *encrypt_key,
const uint8_t *encrypt_iv,
411 const uint8_t *decrypt_key,
const uint8_t *decrypt_iv,
412 const char *ciphername)
419 __func__, slot, keyid, peerid, ciphername);
421 nvl = nvlist_create(0);
423 nvlist_add_number(nvl,
"slot", slot);
424 nvlist_add_number(nvl,
"keyid", keyid);
425 nvlist_add_number(nvl,
"peerid", peerid);
427 nvlist_add_nvlist(nvl,
"encrypt",
428 key_to_nvlist(encrypt_key, encrypt_iv, ciphername));
429 nvlist_add_nvlist(nvl,
"decrypt",
430 key_to_nvlist(decrypt_key, decrypt_iv, ciphername));
433 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
435 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
437 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
444 ret = start_tun(dco);
455 int keepalive_interval,
int keepalive_timeout,
462 msg(
D_DCO_DEBUG,
"%s: peer-id %d, ping interval %d, ping timeout %d",
463 __func__, peerid, keepalive_interval, keepalive_timeout);
465 nvl = nvlist_create(0);
466 nvlist_add_number(nvl,
"peerid", peerid);
467 nvlist_add_number(nvl,
"interval", keepalive_interval);
468 nvlist_add_number(nvl,
"timeout", keepalive_timeout);
471 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
473 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
475 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
497 (void)
read(dco->pipefd[1], buf,
sizeof(buf));
500 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
503 drv.ifd_len =
sizeof(buf);
505 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
512 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
519 dco->dco_message_peer_id = nvlist_get_number(nvl,
"peerid");
521 type = nvlist_get_number(nvl,
"notification");
527 if (nvlist_exists_number(nvl,
"del_reason"))
529 uint32_t reason = nvlist_get_number(nvl,
"del_reason");
540 if (nvlist_exists_nvlist(nvl,
"bytes"))
542 const nvlist_t *bytes = nvlist_get_nvlist(nvl,
"bytes");
544 dco->dco_read_bytes = nvlist_get_number(bytes,
"in");
545 dco->dco_write_bytes = nvlist_get_number(bytes,
"out");
556 msg(
M_WARN,
"Unknown kernel notification %d", type);
568 struct if_clonereq ifcr;
572 bool available =
false;
576 (void)kldload(
"if_ovpn");
578 fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
588 ret = ioctl(fd, SIOCIFGCLONERS, &ifcr);
594 buf = malloc(ifcr.ifcr_total * IFNAMSIZ);
600 ifcr.ifcr_count = ifcr.ifcr_total;
601 ifcr.ifcr_buffer = buf;
602 ret = ioctl(fd, SIOCIFGCLONERS, &ifcr);
608 for (
int i = 0; i < ifcr.ifcr_total; i++)
610 if (strcmp(buf + (i * IFNAMSIZ),
"openvpn") == 0)
646 if (!dco || !dco->open)
652 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
654 drv.ifd_len =
sizeof(buf);
657 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
664 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
671 if (nvlist_get_number(nvl,
"pending") > 0)
673 (void)
write(dco->pipefd[0],
" ", 1);
681 dco_update_peer_stat(
struct multi_context *m, uint32_t peerid,
const nvlist_t *nvl)
686 msg(
M_WARN,
"dco_update_peer_stat: invalid peer ID %d returned by kernel", peerid);
702 size_t buf_size = 4096;
704 const nvlist_t *
const *nvpeers;
708 if (!dco || !dco->open)
714 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
718 buf = realloc(buf, buf_size);
719 drv.ifd_len = buf_size;
722 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
723 if (ret && errno == ENOSPC)
736 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
744 if (!nvlist_exists_nvlist_array(nvl,
"peers"))
750 nvpeers = nvlist_get_nvlist_array(nvl,
"peers", &npeers);
751 for (
size_t i = 0; i < npeers; i++)
753 const nvlist_t *peer = nvpeers[i];
754 uint32_t peerid = nvlist_get_number(peer,
"peerid");
756 dco_update_peer_stat(m, peerid, nvlist_get_nvlist(peer,
"bytes"));
772 return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305";