
Commit 9f33e05

net: if: Add special handling for IPv4/6 address check for VPN
This is a hack that is used until we have proper IP routing in place. The code now has a special check that makes sure we only route IP packets to the VPN interface when the packet is destined to that interface's subnet. So if the destination IP address does not belong to the VPN interface subnet, the packet is not routed there. Signed-off-by: Jukka Rissanen <[email protected]>
1 parent 4e300e2 commit 9f33e05

1 file changed

+46
-0
lines changed


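--- a/subsys/net/ip/net_if.c
+++ b/subsys/net/ip/net_if.c
@@ -3130,6 +3130,29 @@ static struct in6_addr *net_if_ipv6_get_best_match(struct net_if *iface,
 			continue;
 		}
 
+		/* This is a dirty hack until we have proper IPv6 routing.
+		 * Without this the IPv6 packets might go to VPN interface for
+		 * subnets that are not on the same subnet as the VPN interface
+		 * which typically is not desired.
+		 * TODO: Implement IPv6 routing support and remove this hack.
+		 */
+		if (IS_ENABLED(CONFIG_WIREGUARD)) {
+			/* For Wireguard VPN interface, we need to check if
+			 * address matches exactly the address of the interface.
+			 */
+			if (net_if_l2(iface) == &NET_L2_GET_NAME(VIRTUAL) &&
+			    net_virtual_get_iface_capabilities(iface) == VIRTUAL_INTERFACE_VPN) {
+				/* FIXME: Do not hard code the prefix length */
+				if (!net_ipv6_is_prefix(
+					(const uint8_t *)&ipv6->unicast[i].address.in6_addr,
+					(const uint8_t *)dst,
+					64)) {
+					/* Skip this address as it is no match */
+					continue;
+				}
+			}
+		}
+
 		len = get_diff_ipv6(dst, &ipv6->unicast[i].address.in6_addr);
 		if (len >= prefix_len) {
 			len = prefix_len;
@@ -3679,6 +3702,29 @@ static struct in_addr *net_if_ipv4_get_best_match(struct net_if *iface,
 			continue;
 		}
 
+		/* This is a dirty hack until we have proper IPv4 routing.
+		 * Without this the IPv4 packets might go to VPN interface for
+		 * subnets that are not on the same subnet as the VPN interface
+		 * which typically is not desired.
+		 * TODO: Implement IPv4 routing support and remove this hack.
+		 */
+		if (IS_ENABLED(CONFIG_WIREGUARD)) {
+			/* For Wireguard VPN interface, we need to check if
+			 * address matches exactly the address of the interface.
+			 */
+			if (net_if_l2(iface) == &NET_L2_GET_NAME(VIRTUAL) &&
+			    net_virtual_get_iface_capabilities(iface) == VIRTUAL_INTERFACE_VPN) {
+				subnet.s_addr = ipv4->unicast[i].ipv4.address.in_addr.s_addr &
+						ipv4->unicast[i].netmask.s_addr;
+
+				if (subnet.s_addr !=
+				    (dst->s_addr & ipv4->unicast[i].netmask.s_addr)) {
+					/* Skip this address as it is no match */
+					continue;
+				}
+			}
+		}
+
 		subnet.s_addr = ipv4->unicast[i].ipv4.address.in_addr.s_addr &
 				ipv4->unicast[i].netmask.s_addr;
 		len = get_diff_ipv4(dst, &subnet);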
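Review bot: The IPv6 branch hard-codes a /64 match (the FIXME at new line 3145) while the IPv4 branch uses the per-address netmask, so a WireGuard address whose prefix is wider or narrower than /64 is mis-filtered — destinations in the rest of a /48 are no longer offered this interface, and with a /128 assignment anything in the surrounding /64 is still sent into the tunnel. If the VPN driver registers its prefix with the interface, the length could come from `net_if_ipv6_prefix_get(iface, &ipv6->unicast[i].address.in6_addr)` (use `prefix->len`, keeping 64 only as the fallback when it returns NULL); please confirm the prefix table is populated for the VPN address before relying on it. Both added comments say the address must "match exactly", but the code tests subnet/prefix membership, so `/* Only offer this VPN address when dst falls inside its subnet/prefix. */` would describe what is actually checked. On the IPv4 side a netmask that has not been set yet (`netmask.s_addr == 0`) makes `subnet == (dst & 0)` true for every dst and silently disables the filter, so it may be worth skipping the address in that case; likewise, if the capabilities value is a bit set, `(caps & VIRTUAL_INTERFACE_VPN)` would be more robust than `==`. Both enclosing functions start and end outside the hunks.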
