ovpn: Introduce OpenVPN DCO support
OpenVPN Data Channel Offload (DCO) moves OpenVPN data plane processing
(i.e. tunneling and cryptography) into the kernel, rather than using tap
devices.
This avoids significant copying and context switching overhead between
kernel and user space and improves OpenVPN throughput.
In my test setup throughput improved from around 660Mbit/s to around
2Gbit/s.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34340
This commit is contained in:
Kristof Provost
parent
a25818eb28
commit
ab91feabcc
@ -418,6 +418,7 @@ MAN= aac.4 \
|
||||
ow.4 \
|
||||
ow_temp.4 \
|
||||
owc.4 \
|
||||
ovpn.4 \
|
||||
${_padlock.4} \
|
||||
pass.4 \
|
||||
pca954x.4 \
|
||||
|
||||
54
share/man/man4/ovpn.4
Normal file
54
share/man/man4/ovpn.4
Normal file
@ -0,0 +1,54 @@
|
||||
.\" Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd April 22, 2022
|
||||
.Dt OVPN 4
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm ovpn
|
||||
.Nd OpenVPN DCO driver
|
||||
.Sh SYNOPSIS
|
||||
To compile this driver into the kernel,
|
||||
place the following lines in your
|
||||
kernel configuration file:
|
||||
.Bd -ragged -offset indent
|
||||
.Cd "device ovpn"
|
||||
.Ed
|
||||
.Pp
|
||||
Alternatively, to load the driver as a
|
||||
module at boot time, place the following line in
|
||||
.Xr loader.conf 5 :
|
||||
.Bd -literal -offset indent
|
||||
if_ovpn_load="YES"
|
||||
.Ed
|
||||
.Sh DESCRIPTION
|
||||
The
|
||||
.Nm
|
||||
device driver provides support for OpenVPN DCO.
|
||||
DCO, or Data Channel Offload, moves the OpenVPN data path into the kernel.
|
||||
This can improve performance.
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
interface is created automatically by the OpenVPN daemon.
|
||||
It requires no configuration other than that done by OpenVPN.
|
||||
@ -4141,6 +4141,7 @@ net/if_llatbl.c standard
|
||||
net/if_me.c optional me inet
|
||||
net/if_media.c standard
|
||||
net/if_mib.c standard
|
||||
net/if_ovpn.c optional ovpn inet | ovpn inet6
|
||||
net/if_stf.c optional stf inet inet6
|
||||
net/if_tuntap.c optional tuntap
|
||||
net/if_vlan.c optional vlan
|
||||
|
||||
@ -3675,6 +3675,7 @@ prison_priv_check(struct ucred *cred, int priv)
|
||||
case PRIV_NET_GIF:
|
||||
case PRIV_NET_SETIFVNET:
|
||||
case PRIV_NET_SETIFFIB:
|
||||
case PRIV_NET_OVPN:
|
||||
|
||||
/*
|
||||
* 802.11-related privileges.
|
||||
|
||||
@ -158,6 +158,7 @@ SUBDIR= \
|
||||
${_if_me} \
|
||||
if_infiniband \
|
||||
if_lagg \
|
||||
if_ovpn \
|
||||
${_if_stf} \
|
||||
if_tuntap \
|
||||
if_vlan \
|
||||
|
||||
6
sys/modules/if_ovpn/Makefile
Normal file
6
sys/modules/if_ovpn/Makefile
Normal file
@ -0,0 +1,6 @@
|
||||
.PATH: ${SRCTOP}/sys/net
|
||||
|
||||
KMOD= if_ovpn
|
||||
SRCS= if_ovpn.c opt_inet.h opt_inet6.h
|
||||
|
||||
.include <bsd.kmod.mk>
|
||||
2437
sys/net/if_ovpn.c
Normal file
2437
sys/net/if_ovpn.c
Normal file
File diff suppressed because it is too large
Load Diff
64
sys/net/if_ovpn.h
Normal file
64
sys/net/if_ovpn.h
Normal file
@ -0,0 +1,64 @@
|
||||
/*-
|
||||
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD
|
||||
*
|
||||
* Copyright (c) 2021-2022 Rubicon Communications, LLC (Netgate)
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef _NET_IF_OVPN_H_
|
||||
#define _NET_IF_OVPN_H_
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <netinet/in.h>
|
||||
|
||||
/* Maximum size of an ioctl request. */
|
||||
#define OVPN_MAX_REQUEST_SIZE 4096
|
||||
|
||||
enum ovpn_notif_type {
|
||||
OVPN_NOTIF_DEL_PEER,
|
||||
};
|
||||
|
||||
enum ovpn_key_slot {
|
||||
OVPN_KEY_SLOT_PRIMARY = 0,
|
||||
OVPN_KEY_SLOT_SECONDARY = 1
|
||||
};
|
||||
|
||||
enum ovpn_key_cipher {
|
||||
OVPN_CIPHER_ALG_NONE = 0,
|
||||
OVPN_CIPHER_ALG_AES_GCM = 1,
|
||||
OVPN_CIPHER_ALG_CHACHA20_POLY1305 = 2
|
||||
};
|
||||
|
||||
#define OVPN_NEW_PEER _IO ('D', 1)
|
||||
#define OVPN_DEL_PEER _IO ('D', 2)
|
||||
#define OVPN_GET_STATS _IO ('D', 3)
|
||||
#define OVPN_NEW_KEY _IO ('D', 4)
|
||||
#define OVPN_SWAP_KEYS _IO ('D', 5)
|
||||
#define OVPN_DEL_KEY _IO ('D', 6)
|
||||
#define OVPN_SET_PEER _IO ('D', 7)
|
||||
#define OVPN_START_VPN _IO ('D', 8)
|
||||
#define OVPN_SEND_PKT _IO ('D', 9)
|
||||
#define OVPN_POLL_PKT _IO ('D', 10)
|
||||
#define OVPN_GET_PKT _IO ('D', 11)
|
||||
|
||||
#endif
|
||||
@ -348,6 +348,7 @@
|
||||
#define PRIV_NET_VXLAN 420 /* Administer vxlan. */
|
||||
#define PRIV_NET_SETLANPCP 421 /* Set LAN priority. */
|
||||
#define PRIV_NET_SETVLANPCP PRIV_NET_SETLANPCP /* Alias Set VLAN priority */
|
||||
#define PRIV_NET_OVPN 422 /* Administer OpenVPN DCO. */
|
||||
|
||||
/*
|
||||
* 802.11-related privileges.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user