From: Daniel Lenski <dlenski@gmail.com>
To: David Woodhouse <dwmw2@infradead.org>
Cc: Simon Rozman <simon@rozman.si>,
WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Allowing space for packet headers in Wintun Tx/Rx
Date: Sat, 10 Apr 2021 11:32:03 -0700 [thread overview]
Message-ID: <CAOw_LSGV8V9aLg-UdN4SE5s5o7NFfeyH+Q+mWMrvrBYp06aT=w@mail.gmail.com> (raw)
In-Reply-To: <fb3e80d74068cd8464c44f1cb435b71d1170c659.camel@infradead.org>
On Sat, Apr 10, 2021 at 7:35 AM David Woodhouse <dwmw2@infradead.org> wrote:
> On Sat, 2021-04-10 at 13:38 +0000, Simon Rozman wrote:
> > Hi David,This is my proposal:
> > https://git.zx2c4.com/wintun/commit/?id=eebd6aea4f75551f6e847a1d4fff857450bac6e9
> > Awaiting review and zx2c4 approval.
> > Regards, Simon
>
>
> Looks good to me; thanks. Just need to work out how to cross-build it
> (I can muster up a Windows VM for testing, but *building* on it is
> beyond my tolerance of Windows for now).
+1 to all that.
> We'll also need to be able to WintunAllocateSendPacket() of the full
> possible MTU, then receive and decrypt into that, and send only the
> actual size of the packet we received.
>
> A per-packet tail would have let us do that, but I agree that we don't
> want to expand the TUN_PACKET header if we can avoid doing so.
>
> Perhaps a WintunShrinkAndSendPacket() — which can only *shrink*, of
> course, and which can only be used on the *last* packet allocated,
> checking that its tail *is* the Session->Receive.Tail before adjusting
> the latter accordingly.
In addition to the use case for chopping ESP trailers and
less-than-full-size packets, OpenConnect has the case of "PPP packets
in HDLC-like framing" which need to be "un-HDLC-ed" in a way that can
only cause them to shrink.
(https://gitlab.com/openconnect/openconnect/blob/master/ppp.c#L102-158)
There are two cases worth considering where the packet size could
actually *expand*:
1) Some VPN protocols support compression of the tunneled packets. It
would be bad behavior to use this to stuff a packet of >(advertised
MTU) bytes in <(advertised MTU) bytes, but it wouldn't surprise me if
it exists in the wild. We now deal with receipt of
larger-than-expected-MTU packets in OpenConnect in a relatively
uniform way: allocate MAX(mtu, 16384) bytes for packets coming from
the VPN (if using TLS transport) or MAX(mtu, 2048) if using DTLS.
2) Some VPN protocols concatenate multiple packets into a single
aggregate on the wire. On Linux we can decrypt, truncate, and send to
the tunnel interface without further copying.
Case (1) can be handled with overallocate-and-shrink. Case (2) is
pretty rare among the protocols that OpenConnect supports, so fallback
to memcpy seems fine.
Dan
next prev parent reply other threads:[~2021-04-10 18:32 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-07 11:49 David Woodhouse
2021-04-07 23:15 ` Daniel Lenski
2021-04-08 14:37 ` David Woodhouse
2021-04-08 16:42 ` Daniel Lenski
2021-04-08 17:10 ` David Woodhouse
2021-04-08 17:37 ` Daniel Lenski
2021-04-10 13:38 ` Simon Rozman
2021-04-10 14:35 ` David Woodhouse
2021-04-10 18:32 ` Daniel Lenski [this message]
2021-04-12 11:38 ` Simon Rozman
2021-04-12 13:00 ` David Woodhouse
2021-04-12 17:03 ` Jason A. Donenfeld
2021-04-13 22:09 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAOw_LSGV8V9aLg-UdN4SE5s5o7NFfeyH+Q+mWMrvrBYp06aT=w@mail.gmail.com' \
--to=dlenski@gmail.com \
--cc=dwmw2@infradead.org \
--cc=simon@rozman.si \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).