checkpt3

CHANGELOG.md

@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Experimental Linux UDP offload support: enable `listen.enable_gso` and
+  `listen.enable_gro` to activate UDP_SEGMENT batching and GRO receive
+  splitting. Includes automatic capability probing, per-packet fallbacks, and
+  runtime metrics/logs for visibility.
+
 ### Changed
 
 - `default_local_cidr_any` now defaults to false, meaning that any firewall rule

cert/pem.go

@@ -1,10 +1,8 @@
 package cert
 
 import (
-	"encoding/hex"
 	"encoding/pem"
 	"fmt"
-	"time"
 
 	"golang.org/x/crypto/ed25519"
 )
@@ -191,71 +189,3 @@ func UnmarshalSigningPrivateKeyFromPEM(b []byte) ([]byte, []byte, Curve, error)
 	}
 	return k.Bytes, r, curve, nil
 }
-
-// Backward compatibility functions for older API
-func MarshalX25519PublicKey(b []byte) []byte {
-	return MarshalPublicKeyToPEM(Curve_CURVE25519, b)
-}
-
-func MarshalX25519PrivateKey(b []byte) []byte {
-	return MarshalPrivateKeyToPEM(Curve_CURVE25519, b)
-}
-
-func MarshalPublicKey(curve Curve, b []byte) []byte {
-	return MarshalPublicKeyToPEM(curve, b)
-}
-
-func MarshalPrivateKey(curve Curve, b []byte) []byte {
-	return MarshalPrivateKeyToPEM(curve, b)
-}
-
-// NebulaCertificate is a compatibility wrapper for the old API
-type NebulaCertificate struct {
-	Details   NebulaCertificateDetails
-	Signature []byte
-	cert      Certificate
-}
-
-// NebulaCertificateDetails is a compatibility wrapper for certificate details
-type NebulaCertificateDetails struct {
-	Name      string
-	NotBefore time.Time
-	NotAfter  time.Time
-	PublicKey []byte
-	IsCA      bool
-	Issuer    []byte
-	Curve     Curve
-}
-
-// UnmarshalNebulaCertificateFromPEM provides backward compatibility with the old API
-func UnmarshalNebulaCertificateFromPEM(b []byte) (*NebulaCertificate, []byte, error) {
-	c, rest, err := UnmarshalCertificateFromPEM(b)
-	if err != nil {
-		return nil, rest, err
-	}
-
-	// Convert to old format
-	nc := &NebulaCertificate{
-		Details: NebulaCertificateDetails{
-			Name:      c.Name(),
-			NotBefore: c.NotBefore(),
-			NotAfter:  c.NotAfter(),
-			PublicKey: c.PublicKey(),
-			IsCA:      c.IsCA(),
-			Curve:     c.Curve(),
-		},
-		Signature: c.Signature(),
-		cert:      c,
-	}
-
-	// Handle issuer
-	if c.Issuer() != "" {
-		issuerBytes, err := hex.DecodeString(c.Issuer())
-		if err != nil {
-			return nil, rest, fmt.Errorf("failed to decode issuer fingerprint: %w", err)
-		}
-		nc.Details.Issuer = issuerBytes
-	}
-
-	return nc, rest, nil
-}

interface.go

@@ -271,10 +271,7 @@ func (f *Interface) listenOut(i int) {
 	fwPacket := &firewall.Packet{}
 	nb := make([]byte, 12, 12)
 
-	li.ListenOut(func(fromUdpAddr netip.AddrPort, payload []byte, release func()) {
-		if release != nil {
-			defer release()
-		}
+	li.ListenOut(func(fromUdpAddr netip.AddrPort, payload []byte) {
 		f.readOutsidePackets(fromUdpAddr, nil, plaintext[:0], payload, h, fwPacket, lhh, nb, i, ctCache.Get(f.l))
 	})
 }

udp/config.go

@@ -1,16 +0,0 @@
-package udp
-
-import "sync/atomic"
-
-var disableUDPCsum atomic.Bool
-
-// SetDisableUDPCsum controls whether IPv4 UDP sockets opt out of kernel
-// checksum calculation via SO_NO_CHECK. Only applicable on platforms that
-// support the option (Linux). IPv6 always keeps the checksum enabled.
-func SetDisableUDPCsum(disable bool) {
-	disableUDPCsum.Store(disable)
-}
-
-func udpChecksumDisabled() bool {
-	return disableUDPCsum.Load()
-}

udp/conn.go

@@ -11,7 +11,6 @@ const MTU = 9001
 type EncReader func(
 	addr netip.AddrPort,
 	payload []byte,
-	release func(),
 )
 
 type Conn interface {

udp/msghdr_helper_linux_32.go

@@ -15,11 +15,3 @@ func controllen(n int) uint32 {
 func setCmsgLen(h *unix.Cmsghdr, n int) {
 	h.Len = uint32(unix.CmsgLen(n))
 }
-
-func setIovecLen(v *unix.Iovec, n int) {
-	v.Len = uint32(n)
-}
-
-func setMsghdrIovlen(m *unix.Msghdr, n int) {
-	m.Iovlen = uint32(n)
-}

udp/msghdr_helper_linux_64.go

@@ -15,11 +15,3 @@ func controllen(n int) uint64 {
 func setCmsgLen(h *unix.Cmsghdr, n int) {
 	h.Len = uint64(unix.CmsgLen(n))
 }
-
-func setIovecLen(v *unix.Iovec, n int) {
-	v.Len = uint64(n)
-}
-
-func setMsghdrIovlen(m *unix.Msghdr, n int) {
-	m.Iovlen = uint64(n)
-}

udp/sendmmsg_linux_32.go

@@ -1,25 +0,0 @@
-//go:build linux && (386 || amd64p32 || arm || mips || mipsle) && !android && !e2e_testing
-
-package udp
-
-import (
-	"unsafe"
-
-	"golang.org/x/sys/unix"
-)
-
-type linuxMmsgHdr struct {
-	Hdr unix.Msghdr
-	Len uint32
-}
-
-func sendmmsg(fd int, hdrs []linuxMmsgHdr, flags int) (int, error) {
-	if len(hdrs) == 0 {
-		return 0, nil
-	}
-	n, _, errno := unix.Syscall6(unix.SYS_SENDMMSG, uintptr(fd), uintptr(unsafe.Pointer(&hdrs[0])), uintptr(len(hdrs)), uintptr(flags), 0, 0)
-	if errno != 0 {
-		return int(n), errno
-	}
-	return int(n), nil
-}

udp/sendmmsg_linux_64.go

@@ -1,26 +0,0 @@
-//go:build linux && (amd64 || arm64 || ppc64 || ppc64le || mips64 || mips64le || s390x || riscv64 || loong64) && !android && !e2e_testing
-
-package udp
-
-import (
-	"unsafe"
-
-	"golang.org/x/sys/unix"
-)
-
-type linuxMmsgHdr struct {
-	Hdr unix.Msghdr
-	Len uint32
-	_   uint32
-}
-
-func sendmmsg(fd int, hdrs []linuxMmsgHdr, flags int) (int, error) {
-	if len(hdrs) == 0 {
-		return 0, nil
-	}
-	n, _, errno := unix.Syscall6(unix.SYS_SENDMMSG, uintptr(fd), uintptr(unsafe.Pointer(&hdrs[0])), uintptr(len(hdrs)), uintptr(flags), 0, 0)
-	if errno != 0 {
-		return int(n), errno
-	}
-	return int(n), nil
-}

udp/udp_darwin.go

@@ -180,7 +180,7 @@ func (u *StdConn) ListenOut(r EncReader) {
 			u.l.WithError(err).Error("unexpected udp socket receive error")
 		}
 
-		r(netip.AddrPortFrom(rua.Addr().Unmap(), rua.Port()), buffer[:n], nil)
+		r(netip.AddrPortFrom(rua.Addr().Unmap(), rua.Port()), buffer[:n])
 	}
 }
 

udp/udp_generic.go

@@ -82,6 +82,6 @@ func (u *GenericConn) ListenOut(r EncReader) {
 			return
 		}
 
-		r(netip.AddrPortFrom(rua.Addr().Unmap(), rua.Port()), buffer[:n], nil)
+		r(netip.AddrPortFrom(rua.Addr().Unmap(), rua.Port()), buffer[:n])
 	}
 }

udp/udp_linux_32.go

@@ -7,9 +7,6 @@
 package udp
 
 import (
-	"errors"
-	"fmt"
-
 	"golang.org/x/sys/unix"
 )
 
@@ -46,16 +43,15 @@ func (u *StdConn) PrepareRawMessages(n int) ([]rawMessage, [][]byte, [][]byte, [
 	}
 
 	for i := range msgs {
-		size := int(u.groBufSize.Load())
-		if size < MTU {
-			size = MTU
+		size := MTU
+		if defaultGROReadBufferSize > size {
+			size = defaultGROReadBufferSize
 		}
-		buf := u.borrowRxBuffer(size)
-		buffers[i] = buf
+		buffers[i] = make([]byte, size)
 		names[i] = make([]byte, unix.SizeofSockaddrInet6)
 
 		vs := []iovec{
-			{Base: &buf[0], Len: uint32(len(buf))},
+			{Base: &buffers[i][0], Len: uint32(len(buffers[i]))},
 		}
 
 		msgs[i].Hdr.Iov = &vs[0]
@@ -76,58 +72,3 @@ func (u *StdConn) PrepareRawMessages(n int) ([]rawMessage, [][]byte, [][]byte, [
 
 	return msgs, buffers, names, controls
 }
-
-func setIovecBase(msg *rawMessage, buf []byte) {
-	iov := (*iovec)(msg.Hdr.Iov)
-	iov.Base = &buf[0]
-	iov.Len = uint32(len(buf))
-}
-
-func rawMessageToUnixMsghdr(msg *rawMessage) (unix.Msghdr, unix.Iovec, error) {
-	var hdr unix.Msghdr
-	var iov unix.Iovec
-	if msg == nil {
-		return hdr, iov, errors.New("nil rawMessage")
-	}
-	if msg.Hdr.Iov == nil || msg.Hdr.Iov.Base == nil {
-		return hdr, iov, errors.New("rawMessage missing payload buffer")
-	}
-	payloadLen := int(msg.Hdr.Iov.Len)
-	if payloadLen < 0 {
-		return hdr, iov, fmt.Errorf("invalid payload length: %d", payloadLen)
-	}
-	iov.Base = msg.Hdr.Iov.Base
-	iov.Len = uint32(payloadLen)
-	hdr.Iov = &iov
-	hdr.Iovlen = 1
-	hdr.Name = msg.Hdr.Name
-	// CRITICAL: Always set to full buffer size for receive, not what kernel wrote last time
-	if hdr.Name != nil {
-		hdr.Namelen = uint32(unix.SizeofSockaddrInet6)
-	} else {
-		hdr.Namelen = 0
-	}
-	hdr.Control = msg.Hdr.Control
-	// CRITICAL: Use the allocated size, not what was previously returned
-	if hdr.Control != nil {
-		// Control buffer size is stored in Controllen from PrepareRawMessages
-		hdr.Controllen = msg.Hdr.Controllen
-	} else {
-		hdr.Controllen = 0
-	}
-	hdr.Flags = 0 // Reset flags for new receive
-	return hdr, iov, nil
-}
-
-func updateRawMessageFromUnixMsghdr(msg *rawMessage, hdr *unix.Msghdr, n int) {
-	if msg == nil || hdr == nil {
-		return
-	}
-	msg.Hdr.Namelen = hdr.Namelen
-	msg.Hdr.Controllen = hdr.Controllen
-	msg.Hdr.Flags = hdr.Flags
-	if n < 0 {
-		n = 0
-	}
-	msg.Len = uint32(n)
-}

udp/udp_linux_64.go

@@ -7,9 +7,6 @@
 package udp
 
 import (
-	"errors"
-	"fmt"
-
 	"golang.org/x/sys/unix"
 )
 
@@ -49,15 +46,14 @@ func (u *StdConn) PrepareRawMessages(n int) ([]rawMessage, [][]byte, [][]byte, [
 	}
 
 	for i := range msgs {
-		size := int(u.groBufSize.Load())
-		if size < MTU {
-			size = MTU
+		size := MTU
+		if defaultGROReadBufferSize > size {
+			size = defaultGROReadBufferSize
 		}
-		buf := u.borrowRxBuffer(size)
-		buffers[i] = buf
+		buffers[i] = make([]byte, size)
 		names[i] = make([]byte, unix.SizeofSockaddrInet6)
 
-		vs := []iovec{{Base: &buf[0], Len: uint64(len(buf))}}
+		vs := []iovec{{Base: &buffers[i][0], Len: uint64(len(buffers[i]))}}
 
 		msgs[i].Hdr.Iov = &vs[0]
 		msgs[i].Hdr.Iovlen = uint64(len(vs))
@@ -77,58 +73,3 @@ func (u *StdConn) PrepareRawMessages(n int) ([]rawMessage, [][]byte, [][]byte, [
 
 	return msgs, buffers, names, controls
 }
-
-func setIovecBase(msg *rawMessage, buf []byte) {
-	iov := (*iovec)(msg.Hdr.Iov)
-	iov.Base = &buf[0]
-	iov.Len = uint64(len(buf))
-}
-
-func rawMessageToUnixMsghdr(msg *rawMessage) (unix.Msghdr, unix.Iovec, error) {
-	var hdr unix.Msghdr
-	var iov unix.Iovec
-	if msg == nil {
-		return hdr, iov, errors.New("nil rawMessage")
-	}
-	if msg.Hdr.Iov == nil || msg.Hdr.Iov.Base == nil {
-		return hdr, iov, errors.New("rawMessage missing payload buffer")
-	}
-	payloadLen := int(msg.Hdr.Iov.Len)
-	if payloadLen < 0 {
-		return hdr, iov, fmt.Errorf("invalid payload length: %d", payloadLen)
-	}
-	iov.Base = msg.Hdr.Iov.Base
-	iov.Len = uint64(payloadLen)
-	hdr.Iov = &iov
-	hdr.Iovlen = 1
-	hdr.Name = msg.Hdr.Name
-	// CRITICAL: Always set to full buffer size for receive, not what kernel wrote last time
-	if hdr.Name != nil {
-		hdr.Namelen = uint32(unix.SizeofSockaddrInet6)
-	} else {
-		hdr.Namelen = 0
-	}
-	hdr.Control = msg.Hdr.Control
-	// CRITICAL: Use the allocated size, not what was previously returned
-	if hdr.Control != nil {
-		// Control buffer size is stored in Controllen from PrepareRawMessages
-		hdr.Controllen = msg.Hdr.Controllen
-	} else {
-		hdr.Controllen = 0
-	}
-	hdr.Flags = 0 // Reset flags for new receive
-	return hdr, iov, nil
-}
-
-func updateRawMessageFromUnixMsghdr(msg *rawMessage, hdr *unix.Msghdr, n int) {
-	if msg == nil || hdr == nil {
-		return
-	}
-	msg.Hdr.Namelen = hdr.Namelen
-	msg.Hdr.Controllen = hdr.Controllen
-	msg.Hdr.Flags = hdr.Flags
-	if n < 0 {
-		n = 0
-	}
-	msg.Len = uint32(n)
-}

udp/udp_rio_windows.go

@@ -149,7 +149,7 @@ func (u *RIOConn) ListenOut(r EncReader) {
 			continue
 		}
 
-		r(netip.AddrPortFrom(netip.AddrFrom16(rua.Addr).Unmap(), (rua.Port>>8)|((rua.Port&0xff)<<8)), buffer[:n], nil)
+		r(netip.AddrPortFrom(netip.AddrFrom16(rua.Addr).Unmap(), (rua.Port>>8)|((rua.Port&0xff)<<8)), buffer[:n])
 	}
 }
 

udp/udp_tester.go

@@ -112,7 +112,7 @@ func (u *TesterConn) ListenOut(r EncReader) {
 		if !ok {
 			return
 		}
-		r(p.From, p.Data, func() {})
+		r(p.From, p.Data)
 	}
 }