[ANNOUNCE] WireGuard Snapshot `0.0.20171001` Available

Jason A. Donenfeld Jason at zx2c4.com
Mon Oct 2 03:06:42 CEST 2017

Hash: SHA256


A new snapshot, `0.0.20171001`, has been tagged in the git repository.

Please note that this snapshot is, like the rest of the project at this point
in time, experimental, and does not consitute a real release that would be
considered secure and bug-free. WireGuard is generally thought to be fairly
stable, and most likely will not crash your computer (though it may).
However, as this is a pre-release snapshot, it comes with no guarantees, and
its security is not yet to be depended on; it is not applicable for CVEs.

With all that said, if you'd like to test this snapshot out, there are a
few relevent changes.

== Changes ==

  * receive: use netif_receive_skb instead of netif_rx
  netif_rx queues things up to a per-cpu backlog, whereas
  netif_receive_skb immediately delivers the packet to the underlying
  network device and mostly never fails. In the event where decrypting
  packets is actually happening faster than the networking subsystem
  receive them -- like with 65k packets with UDPv6 in `make test-qemu`
  -- then this backlog fills up and we wind up dropping some packets.
  This is fine and not all together terrible, but it does raise the
  question of why we bothered spending CPU cycles decrypting those
  packets if they were just going to be dropped anyway. So, moving from
  netif_rx to netif_receive_skb means that whatever time netif_receive_skb
  needs winds up slowing down the dequeuing of decryption packets, which
  in turn means the decryption receive queue fills up sooner, so that we
  drop packets before decryption, rather than after, thus saving precious
  CPU cycles.
  * contrib: add sticky sockets example code
  A description of how our socket roaming algorithm works by translating it
  into userspace as an example for others.
  * queueing: no need to memzero struct
  * send: don't take uninitialized lock
  * device: properly arrange structs
  * peer: rearrange structs
  * queueing: clean up worthless helper
  * queueing: rename cpumask function
  * timers: convert to use netif_running
  * config: do not reset device port
  * tools: use key_is_zero for comparing to zeros
  * queueing: more standard init/uninit names
  * receive: mark function static
  * tools: uapi: only make sure socket file is socket
  * receive: do not consider netfilter drop a real drop
  * peer: ensure that lookup tables are added last
  * timers: ensure safe timer removal
  * peer: remove from RCU lists when the kref is zero
  * noise: use spinlock for rotating keys
  * messages: reduce maximum staged packets per peer
  * ratelimiter: wait for destruction, not for read_unlock
  * tools: do not warn on unrecognized items
  * wg-quick: anchor sysctl regex to start and end
  * wg-quick: verify wireguard interface in more clever way
  * wg-quick: check permissions of parent directory
  Tons of bug fixes and cleanups, some of which were quite important. This
  was a very important development life-cycle for shaking out some subtle
  * netns: disable rp_filter for final test
  * debug: add better insert target
  * qemu: add watchdog for not hanging on oops
  Some improvements to our debugging tools, most notably a watchdog timer
  so that build.wireguard.com can properly report OOPSes.
  * netlink: switch from ioctl to netlink for configuration
  This is fairly huge, and one of the most important things we needed
  to do for reaching mainline inclusion. Rather than ioctl, we now use
  netlink. This was mostly a terrible experience, adding bloat and
  complexity, and making things a lot harder to understand. But upstream
  requires it. I think we did an okay job, and things should go smoothly,
  but all and all I was unimpressed by the clunkiness of the whole
  endeavour. Implementors wishing to integrate WireGuard into their
  network managers can refer to the uapi/wireguard.h documentation header:

As always, the source is available at https://git.zx2c4.com/WireGuard/ and
information about the project is available at https://www.wireguard.com/ .

This snapshot is available in tarball form here:
  SHA2-256: ecff9a184685b7dd2d81576eba5bd96bb59031c9e9b5eeee05d6dc298f30998e
  BLAKE2b-256: c2a8532f6940fbfe9e554402b4a8896c6b8809c20eca394f3adef7a0e9a040a0

If you're a snapshot package maintainer, please bump your package version. If
you're a user, the WireGuard team welcomes any and all feedback on this latest

Finally, WireGuard development thrives on donations. By popular demand, we
have a webpage for this: https://www.wireguard.com/donations/

Thank you,
Jason Donenfeld



More information about the WireGuard mailing list