@@ -143,6 +143,13 @@ AC_ARG_ENABLE(

 )

 AC_ARG_ENABLE(

+	[dco],

+	[AS_HELP_STRING([--enable-dco], [enable data channel offload support using ovpn-dco kernel module @<:@default=no@:>@])],

+	,

+	[enable_dco="no"]

+)

+

+AC_ARG_ENABLE(

 	[iproute2],

 	[AS_HELP_STRING([--enable-iproute2], [enable support for iproute2 @<:@default=no@:>@])],

 	,

@@ -760,6 +767,32 @@ PKG_CHECK_MODULES(

 	[]

 )

+

+if test "$enable_dco" = "yes"; then

+dnl

+dnl Include generic netlink library used to talk to ovpn-dco

+dnl

+

+	case "$host" in

+		*-*-linux*)

+			PKG_CHECK_MODULES([LIBNL_GENL],

+					  [libnl-genl-3.0 >= 3.4.0],

+					  [have_libnl="yes"],

+					  [AC_MSG_ERROR([libnl-genl-3.0 package not found or too old. Is the development package and pkg-config installed? Must be version 3.4.0 or newer])]

+			)

+

+			CFLAGS="${CFLAGS} ${LIBNL_GENL_CFLAGS}"

+			LIBS="${LIBS} ${LIBNL_GENL_LIBS}"

+

+			AC_DEFINE(ENABLE_DCO, 1, [Enable shared data channel offload])

+			AC_MSG_NOTICE([Enabled ovpn-dco support for Linux])

+			;;

+		*)

+			AC_MSG_NOTICE([Ignoring --enable-dco on non Linux platform])

+			;;

+	esac

+fi

+

 if test "${with_crypto_library}" = "openssl"; then

 	AC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL])

 	AC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL])

@@ -1196,6 +1229,7 @@ fi

 AM_CONDITIONAL([HAVE_SITNL], [false])

 if test "${enable_iproute2}" = "yes"; then

+	test "${enable_dco}" = "yes" && AC_MSG_ERROR([iproute2 support cannot be enabled when using DCO])

 	test -z "${IPROUTE}" && AC_MSG_ERROR([ip utility is required but missing])

 	AC_DEFINE([ENABLE_IPROUTE], [1], [enable iproute2 support])

 else if test "${have_sitnl}" = "yes"; then

@@ -1,3 +1,4 @@

 E:doc/doxygen/doc_key_generation.h     # @verbatim section gets mistreated, exclude it

 E:src/compat/compat-lz4.c              # Preserve LZ4 upstream formatting

 E:src/compat/compat-lz4.h              # Preserve LZ4 upstream formatting

+E:src/openvpn/ovpn_dco_linux.h         # Preserve ovpn-dco upstream formatting

@@ -53,6 +53,8 @@ openvpn_SOURCES = \

 	crypto.c crypto.h crypto_backend.h \

 	crypto_openssl.c crypto_openssl.h \

 	crypto_mbedtls.c crypto_mbedtls.h \

+	dco.h dco_internal.h \

+	dco_linux.c dco_linux.h \

 	dhcp.c dhcp.h \

 	dns.c dns.h \

 	env_set.c env_set.h \

@@ -75,6 +77,7 @@ openvpn_SOURCES = \

 	mbuf.c mbuf.h \

 	memdbg.h \

 	misc.c misc.h \

+	ovpn_dco_linux.h \

 	platform.c platform.h \

 	console.c console.h console_builtin.c console_systemd.c \

 	mroute.c mroute.h \

new file mode 100644

@@ -0,0 +1,165 @@

+/*

+ *  OpenVPN -- An application to securely tunnel IP networks

+ *             over a single TCP/UDP port, with support for SSL/TLS-based

+ *             session authentication and key exchange,

+ *             packet encryption, packet authentication, and

+ *             packet compression.

+ *

+ *  Copyright (C) 2021-2022 Arne Schwabe <arne@rfc2549.org>

+ *  Copyright (C) 2021-2022 Antonio Quartulli <a@unstable.cc>

+ *  Copyright (C) 2021-2022 OpenVPN Inc <sales@openvpn.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2

+ *  as published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program (see the file COPYING included with this

+ *  distribution); if not, write to the Free Software Foundation, Inc.,

+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+ */

+#ifndef DCO_H

+#define DCO_H

+

+#include "buffer.h"

+#include "error.h"

+#include "dco_internal.h"

+#include "networking.h"

+

+/* forward declarations (including other headers leads to nasty include

+ * order problems)

+ */

+struct event_set;

+struct options;

+struct tuntap;

+

+#if defined(ENABLE_DCO)

+

+/**

+ * Check whether ovpn-dco is available on this platform (i.e. kernel support is

+ * there)

+ *

+ * @param msglevel      level to print messages to

+ * @return              true if ovpn-dco is available, false otherwise

+ */

+bool dco_available(int msglevel);

+

+/**

+ * Check whether the options struct has any option that is not supported by

+ * our current dco implementation. If so print a warning at warning level

+ * for the first conflicting option found and return false.

+ *

+ * @param msglevel  the msg level to use to print the warnings

+ * @param o         the options struct that hold the options

+ * @return          true if no conflict was detected, false otherwise

+ */

+bool dco_check_option_conflict(int msglevel, const struct options *o);

+

+/**

+ * Initialize the DCO context

+ *

+ * @param mode      the instance operating mode (P2P or multi-peer)

+ * @param dco       the context to initialize

+ * @return          true on success, false otherwise

+ */

+bool ovpn_dco_init(int mode, dco_context_t *dco);

+

+/**

+ * Open/create a DCO interface

+ *

+ * @param tt        the tuntap context

+ * @param ctx       the networking API context

+ * @param dev       the name of the interface to create

+ * @return          0 on success or a negative error code otherwise

+ */

+int open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev);

+

+/**

+ * Close/destroy a DCO interface

+ *

+ * @param tt        the tuntap context

+ * @param ctx       the networking API context

+ */

+void close_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx);

+

+/**

+ * Read data from the DCO communication channel (i.e. a control packet)

+ *

+ * @param dco       the DCO context

+ * @return          0 on success or a negative error code otherwise

+ */

+int dco_do_read(dco_context_t *dco);

+

+/**

+ * Write data to the DCO communication channel (control packet expected)

+ *

+ * @param dco       the DCO context

+ * @param peer_id   the ID of the peer to send the data to

+ * @param buf       the buffer containing the data to send

+ */

+int dco_do_write(dco_context_t *dco, int peer_id, struct buffer *buf);

+

+/**

+ * Install a DCO in the main event loop

+ */

+void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg);

+

+#else /* if defined(ENABLE_DCO) */

+

+typedef void *dco_context_t;

+

+static inline bool

+dco_available(int msglevel)

+{

+    return false;

+}

+

+static inline bool

+dco_check_option_conflict(int msglevel, const struct options *o)

+{

+    return false;

+}

+

+static inline bool

+ovpn_dco_init(int mode, dco_context_t *dco)

+{

+    return true;

+}

+

+static inline int

+open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)

+{

+    return 0;

+}

+

+static inline void

+close_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx)

+{

+}

+

+static inline int

+dco_do_read(dco_context_t *dco)

+{

+    ASSERT(false);

+    return 0;

+}

+

+static inline int

+dco_do_write(dco_context_t *dco, int peer_id, struct buffer *buf)

+{

+    ASSERT(false);

+    return 0;

+}

+

+static inline void

+dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)

+{

+}

+

+#endif /* defined(ENABLE_DCO) */

+#endif /* ifndef DCO_H */

new file mode 100644

@@ -0,0 +1,78 @@

+/*

+ *  OpenVPN -- An application to securely tunnel IP networks

+ *             over a single TCP/UDP port, with support for SSL/TLS-based

+ *             session authentication and key exchange,

+ *             packet encryption, packet authentication, and

+ *             packet compression.

+ *

+ *  Copyright (C) 2022 Antonio Quartulli <a@unstable.cc>

+ *  Copyright (C) 2022 OpenVPN Inc <sales@openvpn.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2

+ *  as published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program (see the file COPYING included with this

+ *  distribution); if not, write to the Free Software Foundation, Inc.,

+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+ */

+#ifndef DCO_INTERNAL_H

+#define DCO_INTERNAL_H

+

+#if defined(ENABLE_DCO)

+

+#include "dco_linux.h"

+

+/**

+ * This file contains the internal DCO API definition.

+ * It is expected that this file is included only in dco.h.

+ * The OpenVPN code should never directly include this file

+ */

+

+static inline dco_cipher_t

+dco_get_cipher(const char *cipher)

+{

+    if (strcmp(cipher, "AES-256-GCM") == 0 || strcmp(cipher, "AES-128-GCM") == 0

+        || strcmp(cipher, "AES-192-GCM") == 0)

+    {

+        return OVPN_CIPHER_ALG_AES_GCM;

+    }

+    else if (strcmp(cipher, "CHACHA20-POLY1305") == 0)

+    {

+        return OVPN_CIPHER_ALG_CHACHA20_POLY1305;

+    }

+    else

+    {

+        msg(M_FATAL, "DCO: provided unsupported cipher: %s", cipher);

+    }

+}

+

+/**

+ * The following are the DCO APIs used to control the driver.

+ * They are implemented by dco_linux.c

+ */

+

+int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,

+                 struct sockaddr *localaddr, struct sockaddr *remoteaddr,

+                 struct in_addr *remote_in4, struct in6_addr *remote_in6);

+

+int dco_del_peer(dco_context_t *dco, unsigned int peerid);

+

+int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid,

+                dco_key_slot_t slot,

+                const uint8_t *encrypt_key, const uint8_t *encrypt_iv,

+                const uint8_t *decrypt_key, const uint8_t *decrypt_iv,

+                const char *ciphername);

+

+int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot);

+

+int dco_swap_keys(dco_context_t *dco, unsigned int peerid);

+

+#endif /* defined(ENABLE_DCO) */

+#endif /* ifndef DCO_INTERNAL_H */

new file mode 100644

@@ -0,0 +1,934 @@

+/*

+ *  Interface to linux dco networking code

+ *

+ *  Copyright (C) 2020-2022 Antonio Quartulli <a@unstable.cc>

+ *  Copyright (C) 2020-2022 Arne Schwabe <arne@rfc2549.org>

+ *  Copyright (C) 2020-2022 OpenVPN Inc <sales@openvpn.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2

+ *  as published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program (see the file COPYING included with this

+ *  distribution); if not, write to the Free Software Foundation, Inc.,

+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+ */

+

+

+#ifdef HAVE_CONFIG_H

+#include "config.h"

+#elif defined(_MSC_VER)

+#include "config-msvc.h"

+#endif

+

+#if defined(ENABLE_DCO) && defined(TARGET_LINUX)

+

+#include "syshead.h"

+

+#include "dco_linux.h"

+#include "errlevel.h"

+#include "buffer.h"

+#include "networking.h"

+#include "openvpn.h"

+

+#include "socket.h"

+#include "tun.h"

+#include "ssl.h"

+#include "fdmisc.h"

+#include "ssl_verify.h"

+

+#include "ovpn_dco_linux.h"

+

+#include <netlink/socket.h>

+#include <netlink/netlink.h>

+#include <netlink/genl/genl.h>

+#include <netlink/genl/family.h>

+#include <netlink/genl/ctrl.h>

+

+

+/* libnl < 3.5.0 does not set the NLA_F_NESTED on its own, therefore we

+ * have to explicitly do it to prevent the kernel from failing upon

+ * parsing of the message

+ */

+#define nla_nest_start(_msg, _type) \

+    nla_nest_start(_msg, (_type) | NLA_F_NESTED)

+

+static int ovpn_get_mcast_id(dco_context_t *dco);

+

+void dco_check_key_ctx(const struct key_ctx_bi *key);

+

+typedef int (*ovpn_nl_cb)(struct nl_msg *msg, void *arg);

+

+/**

+ * @brief resolves the netlink ID for ovpn-dco

+ *

+ * This function queries the kernel via a netlink socket

+ * whether the ovpn-dco netlink namespace is available

+ *

+ * This function can be used to determine if the kernel

+ * supports DCO offloading.

+ *

+ * @return ID on success, negative error code on error

+ */

+static int

+resolve_ovpn_netlink_id(int msglevel)

+{

+    int ret;

+    struct nl_sock *nl_sock = nl_socket_alloc();

+

+    ret = genl_connect(nl_sock);

+    if (ret)

+    {

+        msg(msglevel, "Cannot connect to generic netlink: %s",

+            nl_geterror(ret));

+        goto err_sock;

+    }

+    set_cloexec(nl_socket_get_fd(nl_sock));

+

+    ret = genl_ctrl_resolve(nl_sock, OVPN_NL_NAME);

+    if (ret < 0)

+    {

+        msg(msglevel, "Cannot find ovpn_dco netlink component: %s",

+            nl_geterror(ret));

+    }

+

+err_sock:

+    nl_socket_free(nl_sock);

+    return ret;

+}

+

+static struct nl_msg *

+ovpn_dco_nlmsg_create(dco_context_t *dco, enum ovpn_nl_commands cmd)

+{

+    struct nl_msg *nl_msg = nlmsg_alloc();

+    if (!nl_msg)

+    {

+        msg(M_ERR, "cannot allocate netlink message");

+        return NULL;

+    }

+

+    genlmsg_put(nl_msg, 0, 0, dco->ovpn_dco_id, 0, 0, cmd, 0);

+    NLA_PUT_U32(nl_msg, OVPN_ATTR_IFINDEX, dco->ifindex);

+

+    return nl_msg;

+nla_put_failure:

+    nlmsg_free(nl_msg);

+    msg(M_INFO, "cannot put into netlink message");

+    return NULL;

+}

+

+static int

+ovpn_nl_recvmsgs(dco_context_t *dco, const char *prefix)

+{

+    int ret = nl_recvmsgs(dco->nl_sock, dco->nl_cb);

+

+    switch (ret)

+    {

+        case -NLE_INTR:

+            msg(M_WARN, "%s: netlink received interrupt due to signal - ignoring", prefix);

+            break;

+

+        case -NLE_NOMEM:

+            msg(M_ERR, "%s: netlink out of memory error", prefix);

+            break;

+

+        case -M_ERR:

+            msg(M_WARN, "%s: netlink reports blocking read - aborting wait", prefix);

+            break;

+

+        case -NLE_NODEV:

+            msg(M_ERR, "%s: netlink reports device not found:", prefix);

+            break;

+

+        case -NLE_OBJ_NOTFOUND:

+            msg(M_INFO, "%s: netlink reports object not found, ovpn-dco unloaded?", prefix);

+            break;

+

+        default:

+            if (ret)

+            {

+                msg(M_NONFATAL|M_ERRNO, "%s: netlink reports error (%d): %s", prefix, ret, nl_geterror(-ret));

+            }

+            break;

+    }

+

+    return ret;

+}

+

+/**

+ * Send a prepared netlink message and registers cb as callback if non-null.

+ *

+ * The method will also free nl_msg

+ * @param dco       The dco context to use

+ * @param nl_msg    the message to use

+ * @param cb        An optional callback if the caller expects an answer

+ * @param prefix    A prefix to report in the error message to give the user context

+ * @return          status of sending the message

+ */

+static int

+ovpn_nl_msg_send(dco_context_t *dco, struct nl_msg *nl_msg, ovpn_nl_cb cb,

+                 const char *prefix)

+{

+    dco->status = 1;

+

+    nl_cb_set(dco->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, dco);

+    nl_send_auto(dco->nl_sock, nl_msg);

+

+    while (dco->status == 1)

+    {

+        ovpn_nl_recvmsgs(dco, prefix);

+    }

+

+    if (dco->status < 0)

+    {

+        msg(M_INFO, "%s: failed to send netlink message: %s (%d)",

+            prefix, strerror(-dco->status), dco->status);

+    }

+

+    return dco->status;

+}

+

+struct sockaddr *

+mapped_v4_to_v6(struct sockaddr *sock, struct gc_arena *gc)

+{

+    struct sockaddr_in6 *sock6 = (struct sockaddr_in6 *)sock;

+    if (sock->sa_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&sock6->sin6_addr))

+    {

+

+        struct sockaddr_in *sock4;

+        ALLOC_OBJ_CLEAR_GC(sock4, struct sockaddr_in, gc);

+        memcpy(&sock4->sin_addr, sock6->sin6_addr.s6_addr + 12, 4);

+        sock4->sin_port = sock6->sin6_port;

+        sock4->sin_family = AF_INET;

+        return (struct sockaddr *)sock4;

+    }

+    return sock;

+}

+

+int

+dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,

+             struct sockaddr *localaddr, struct sockaddr *remoteaddr,

+             struct in_addr *remote_in4, struct in6_addr *remote_in6)

+{

+    msg(D_DCO_DEBUG, "%s: peer-id %d, fd %d", __func__, peerid, sd);

+

+    struct gc_arena gc = gc_new();

+    struct nl_msg *nl_msg = ovpn_dco_nlmsg_create(dco, OVPN_CMD_NEW_PEER);

+    struct nlattr *attr = nla_nest_start(nl_msg, OVPN_ATTR_NEW_PEER);

+    int ret = -EMSGSIZE;

+

+    NLA_PUT_U32(nl_msg, OVPN_NEW_PEER_ATTR_PEER_ID, peerid);

+    NLA_PUT_U32(nl_msg, OVPN_NEW_PEER_ATTR_SOCKET, sd);

+

+    /* Set the remote endpoint if defined (for UDP) */

+    if (remoteaddr)

+    {

+        remoteaddr = mapped_v4_to_v6(remoteaddr, &gc);

+        int alen = af_addr_size(remoteaddr->sa_family);

+

+        NLA_PUT(nl_msg, OVPN_NEW_PEER_ATTR_SOCKADDR_REMOTE, alen, remoteaddr);

+    }

+

+    if (localaddr)

+    {

+        localaddr = mapped_v4_to_v6(localaddr, &gc);

+        if (localaddr->sa_family == AF_INET)

+        {

+            NLA_PUT(nl_msg, OVPN_NEW_PEER_ATTR_LOCAL_IP, sizeof(struct in_addr),

+                    &((struct sockaddr_in *)localaddr)->sin_addr);

+        }

+        else if (localaddr->sa_family == AF_INET6)

+        {

+            NLA_PUT(nl_msg, OVPN_NEW_PEER_ATTR_LOCAL_IP, sizeof(struct in6_addr),

+                    &((struct sockaddr_in6 *)localaddr)->sin6_addr);

+        }

+    }

+

+    /* Set the primary VPN IP addresses of the peer */

+    if (remote_in4)

+    {

+        NLA_PUT_U32(nl_msg, OVPN_NEW_PEER_ATTR_IPV4, remote_in4->s_addr);

+    }

+    if (remote_in6)

+    {

+        NLA_PUT(nl_msg, OVPN_NEW_PEER_ATTR_IPV6, sizeof(struct in6_addr),

+                remote_in6);

+    }

+    nla_nest_end(nl_msg, attr);

+

+    ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__);

+

+nla_put_failure:

+    nlmsg_free(nl_msg);

+    gc_free(&gc);

+    return ret;

+}

+

+static int

+ovpn_nl_cb_finish(struct nl_msg (*msg) __attribute__ ((unused)), void *arg)

+{

+    int *status = arg;

+

+    *status = 0;

+    return NL_SKIP;

+}

+

+/* This function is used as error callback on the netlink socket.

+ * When something goes wrong and the kernel returns an error, this function is

+ * invoked.

+ *

+ * We pass the error code to the user by means of a variable pointed by *arg

+ * (supplied by the user when setting this callback) and we parse the kernel

+ * reply to see if it contains a human readable error. If found, it is printed.

+ */

+static int

+ovpn_nl_cb_error(struct sockaddr_nl (*nla) __attribute__ ((unused)),

+                 struct nlmsgerr *err, void *arg)

+{

+    struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1;

+    struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1];

+    int len = nlh->nlmsg_len;

+    struct nlattr *attrs;

+    int *ret = arg;

+    int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh);

+

+    *ret = err->error;

+

+    if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS))

+    {

+        return NL_STOP;

+    }

+

+    if (!(nlh->nlmsg_flags & NLM_F_CAPPED))

+    {

+        ack_len += err->msg.nlmsg_len - sizeof(*nlh);

+    }

+

+    if (len <= ack_len)

+    {

+        return NL_STOP;

+    }

+

+    attrs = (void *)((unsigned char *)nlh + ack_len);

+    len -= ack_len;

+

+    nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL);

+    if (tb_msg[NLMSGERR_ATTR_MSG])

+    {

+        len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]),

+                      nla_len(tb_msg[NLMSGERR_ATTR_MSG]));

+        msg(M_WARN, "kernel error: %*s\n", len,

+            (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]));

+    }

+

+    return NL_STOP;

+}

+

+static void

+ovpn_dco_init_netlink(dco_context_t *dco)

+{

+    dco->ovpn_dco_id = resolve_ovpn_netlink_id(M_ERR);

+

+    dco->nl_sock = nl_socket_alloc();

+

+    if (!dco->nl_sock)

+    {

+        msg(M_ERR, "Cannot create netlink socket");

+    }

+

+    /* TODO: Why are we setting this buffer size? */

+    nl_socket_set_buffer_size(dco->nl_sock, 8192, 8192);

+

+    int ret = genl_connect(dco->nl_sock);

+    if (ret)

+    {

+        msg(M_ERR, "Cannot connect to generic netlink: %s",

+            nl_geterror(ret));

+    }

+

+    set_cloexec(nl_socket_get_fd(dco->nl_sock));

+

+    dco->nl_cb = nl_cb_alloc(NL_CB_DEFAULT);

+    if (!dco->nl_cb)

+    {

+        msg(M_ERR, "failed to allocate netlink callback");

+    }

+

+    nl_socket_set_cb(dco->nl_sock, dco->nl_cb);

+

+    nl_cb_err(dco->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &dco->status);

+    nl_cb_set(dco->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish,

+              &dco->status);

+    nl_cb_set(dco->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_finish,

+              &dco->status);

+

+    /* The async PACKET messages confuse libnl and it will drop them with

+     * wrong sequence numbers (NLE_SEQ_MISMATCH), so disable libnl's sequence

+     * number check */

+    nl_socket_disable_seq_check(dco->nl_sock);

+}

+

+bool

+ovpn_dco_init(int mode, dco_context_t *dco)

+{

+    switch (mode)

+    {

+        case CM_TOP:

+            dco->ifmode = OVPN_MODE_MP;

+            break;

+

+        case CM_P2P:

+            dco->ifmode = OVPN_MODE_P2P;

+            break;

+

+        default:

+            ASSERT(false);

+    }

+

+    ovpn_dco_init_netlink(dco);

+    return true;

+}

+

+static void

+ovpn_dco_uninit_netlink(dco_context_t *dco)

+{

+    nl_socket_free(dco->nl_sock);

+    dco->nl_sock = NULL;

+

+    /* Decrease reference count */

+    nl_cb_put(dco->nl_cb);

+

+    CLEAR(dco);

+}

+

+static void

+ovpn_dco_register(dco_context_t *dco)

+{

+    msg(D_DCO_DEBUG, __func__);

+    ovpn_get_mcast_id(dco);

+

+    if (dco->ovpn_dco_mcast_id < 0)

+    {

+        msg(M_ERR, "cannot get mcast group: %s",  nl_geterror(dco->ovpn_dco_mcast_id));

+    }

+

+    /* Register for ovpn-dco specific multicast messages that the kernel may

+     * send

+     */

+    int ret = nl_socket_add_membership(dco->nl_sock, dco->ovpn_dco_mcast_id);

+    if (ret)

+    {

+        msg(M_ERR, "%s: failed to join groups: %d", __func__, ret);

+    }

+

+    /* Register for non-data packets that ovpn-dco may receive. They will be

+     * forwarded to userspace

+     */

+    struct nl_msg *nl_msg = ovpn_dco_nlmsg_create(dco, OVPN_CMD_REGISTER_PACKET);

+    if (!nl_msg)

+    {

+        msg(M_ERR, "%s: cannot allocate message to register for control packets",

+            __func__);

+    }

+

+    ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__);

+    if (ret)

+    {

+        msg(M_ERR, "%s: failed to register for control packets: %d", __func__,

+            ret);

+    }

+    nlmsg_free(nl_msg);

+}

+

+int

+open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)

+{

+    msg(D_DCO_DEBUG, "%s: %s", __func__, dev);

+    ASSERT(tt->type == DEV_TYPE_TUN);

+

+    int ret = net_iface_new(ctx, dev, "ovpn-dco", &tt->dco);

+    if (ret < 0)

+    {

+        msg(D_DCO_DEBUG, "Cannot create DCO interface %s: %d", dev, ret);

+        return ret;

+    }

+

+    tt->dco.ifindex = if_nametoindex(dev);

+    if (!tt->dco.ifindex)

+    {

+        msg(M_FATAL, "DCO: cannot retrieve ifindex for interface %s", dev);

+    }

+

+    tt->actual_name = string_alloc(dev, NULL);

+    uint8_t *dcobuf = malloc(65536);

+    buf_set_write(&tt->dco.dco_packet_in, dcobuf, 65536);

+    tt->dco.dco_message_peer_id = -1;

+

+    ovpn_dco_register(&tt->dco);

+

+    return 0;

+}

+

+void

+close_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx)

+{

+    msg(D_DCO_DEBUG, __func__);

+

+    net_iface_del(ctx, tt->actual_name);

+    ovpn_dco_uninit_netlink(&tt->dco);

+    free(tt->dco.dco_packet_in.data);

+}

+

+int

+dco_swap_keys(dco_context_t *dco, unsigned int peerid)

+{

+    msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peerid);

+

+    struct nl_msg *nl_msg = ovpn_dco_nlmsg_create(dco, OVPN_CMD_SWAP_KEYS);

+    if (!nl_msg)

+    {

+        return -ENOMEM;

+    }

+

+    struct nlattr *attr = nla_nest_start(nl_msg, OVPN_ATTR_SWAP_KEYS);

+    int ret = -EMSGSIZE;

+    NLA_PUT_U32(nl_msg, OVPN_SWAP_KEYS_ATTR_PEER_ID, peerid);

+    nla_nest_end(nl_msg, attr);

+

+    ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__);

+

+nla_put_failure:

+    nlmsg_free(nl_msg);

+    return ret;

+}

+

+

+int

+dco_del_peer(dco_context_t *dco, unsigned int peerid)

+{

+    msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peerid);

+

+    struct nl_msg *nl_msg = ovpn_dco_nlmsg_create(dco, OVPN_CMD_DEL_PEER);

+    if (!nl_msg)

+    {

+        return -ENOMEM;

+    }

+

+    struct nlattr *attr = nla_nest_start(nl_msg, OVPN_ATTR_DEL_PEER);

+    int ret = -EMSGSIZE;

+    NLA_PUT_U32(nl_msg, OVPN_DEL_PEER_ATTR_PEER_ID, peerid);

+    nla_nest_end(nl_msg, attr);

+

+    ret = ovpn_nl_msg_send(dco, nl_msg, NULL, __func__);

+

+nla_put_failure:

+    nlmsg_free(nl_msg);

+    return ret;

+}

+

+

+int

+dco_del_key(dco_context_t *dco, unsigned int peerid,

+            dco_key_slot_t slot)

+{

+    msg(D_DCO_DEBUG, "%s: peer-id %d, slot %d", __func__, peerid, slot);

+

+    struct nl_msg *nl_msg = ovpn_dco_nlmsg_create(dco, OVPN_CMD_DEL_KEY);

+    if (!nl_msg)

+    {

+        return -ENOMEM;

+    }

+

+    struct nlattr *attr = nla_nest_start(nl_msg, OVPN_ATTR_DEL_KEY);