[PATCH v5 00/11] Allow changing the transit namespace

Julian Orth ju.orth at gmail.com
Sat Dec 15 17:56:02 CET 2018 

Hi,

This is v5 of this series. This series makes the following changes:

* wg(1) can now access devices in another network namespace. The syntax
  is
    
    wg --netns <pid|file-path> <subcommand>

  For example

    wg --netns 5363 show wg0

* wg(1) can now change the network namespace of the UDP socket of a
  device. The syntax is

    wg set <device> transit-netns <pid|file-path>

  For example

    wg set wg0 transit-netns 5363

* When retrieving or modifying properties of the UDP socket (its
  incoming port or its network namespace), the netlink code now checks
  that the calling process has at least one of the following properties:

  * The calling process' network namespace is the same as the (new)
    network namespace of the socket.
  * The calling process has the CAP_NET_ADMIN capability in the (new)
    network namespace of the socket.

These changes allow a user to create a wg device in a user namespace and
to set the network namespace of the UDP socket to the init namespace.
This allows the user to communicate over a wg device even if the user
does not have root in the init namespace.

The code of this version is almost identical to the previous version
except that

* the first commit has been dropped and
* the code has been rebased on master.

Julian

Julian Orth (11):
  netlink: check for CAP_NET_ADMIN manually
  netlink: allow specifying the device namespace
  netlink: restrict access to the UDP socket
  device: rename creating_net to transit_net
  device: store a copy of the device net
  socket: allow modification of transit_net
  netlink: allow modification of transit net
  tools: add framework for shared options
  tools: allow specifying the device namespace
  tools: allow modification of transit net
  tests: add test for transit-net

 src/device.c            |  35 ++++++----
 src/device.h            |   6 +-
 src/netlink.c           | 150 ++++++++++++++++++++++++++++++++--------
 src/socket.c            |  18 ++---
 src/socket.h            |   6 +-
 src/tests/netns.sh      |  40 +++++++++++
 src/tools/config.c      |   8 +++
 src/tools/containers.h  |  22 +++++-
 src/tools/genkey.c      |   3 +-
 src/tools/ipc.c         |  26 +++++--
 src/tools/ipc.h         |   7 +-
 src/tools/man/wg.8      |   9 ++-
 src/tools/netns.c       |  62 +++++++++++++++++
 src/tools/netns.h       |  18 +++++
 src/tools/pubkey.c      |   3 +-
 src/tools/set.c         |   6 +-
 src/tools/setconf.c     |   4 +-
 src/tools/show.c        |  35 +++++++---
 src/tools/showconf.c    |   4 +-
 src/tools/subcommands.h |  14 ++--
 src/tools/wg.c          |  64 +++++++++++++++--
 src/uapi/wireguard.h    |  39 ++++++++++-
 22 files changed, 477 insertions(+), 102 deletions(-)
 create mode 100644 src/tools/netns.c
 create mode 100644 src/tools/netns.h

-- 
2.19.2

More information about the WireGuard mailing list