Fixing wg-quick's DNS= directive with a hatchet
Martin Hauke
mardnh at gmx.de
Fri Oct 27 12:07:58 CEST 2017
Hi Jason,
On Thu, Oct 26, 2017 at 11:22:42PM +0200, Jason A. Donenfeld wrote:
> The latest proposal for what we're discussing lives here:
> https://git.zx2c4.com/WireGuard/commit/?h=jd/dns-hatchet
>
> > The hatchet proposal sounds fine for a short term solution,
I also like this approach.
> The Debian maintainer of WireGuard has been talking me out of doing
> this. If I don't ship the hatchet, the solution will be:
>
> - Things work fine on
> arch/gentoo/nix/slackware/void/alpine/exherbo/freebsd/netbsd/normallinuxdistros.
> - DNS entries aren't exclusive but otherwise work on debian/ubuntu, if
> the debian resolvconf is installed rather than openresolv.
> - Everything is broken on Fedora (and OpenSUSE?), where there's no
> openresolv or resolvconf of any kind.
SUSE/openSUSE also does not ship resolvconf/openresolvconf so it's also
affected.
> In other words, the situation is split down the traditional lines of
> the linux distro political landscape. Most distros do the sensible
> thing. Debian does something bizarre and different but that is vaguely
> compatible though not entirely. Redhat holds out in favor of
> systemdnetworkmanagerblabla rather than going with the established
> standard.
SUSE has its own system called netconfig for handling changes to the
name resolution.
https://github.com/openSUSE/sysconfig/blob/master/doc/README.netconfig
https://github.com/openSUSE/sysconfig/blob/master/doc/netconfig.8
For the interface-handling SUSE is using wicked:
https://github.com/openSUSE/wicked
https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.basicnet.html#sec.basicnet.nameres
https://www.suse.com/documentation/sles-12/book_sle_admin/data/sec_basicnet_manconf.html
The long term solution should be a proper integration into these frameworks.
That's also been something on my personal TODO-list for some time :-)
I also have to speak with some SUSE-people since I remember
discussions that some of the functions of netconfig should be replaced with
something else (maybe even systemd).
> So, if I don't ship the hatchet, then I'll leave it to you to handle
> making things not totally fail in Fedora, as they do now. Is this
> okay? You could choose to fix this by just shipping the hatchet patch
> yourself. Or you could try to integrate things a bit deeper with
> whatever networkmanagersystemdresolveddhclientscript situation is
> being used there. (Probably the hatchet is a bit easier though.) What
> would you think of doing that?
Shipping the hatchet will give the affected distributions some time
for a proper distro-specific integration.
best regards,
Martin