From jrife at google.com Tue Mar 4 00:39:13 2025 
From: jrife at google.com (Jordan Rife)
Date: Tue, 04 Mar 2025 00:39:13 -0000
Subject: [PATCH v4 net-next] wireguard: allowedips: Add WGALLOWEDIP_F_REMOVE_ME flag
Message-ID: <20250304003900.1416866-1-jrife@google.com>

The current netlink API for WireGuard does not directly support removal
of allowed ips from a peer. A user can remove an allowed ip from a peer
in one of two ways:

1. By using the WGPEER_F_REPLACE_ALLOWEDIPS flag and providing a new
   list of allowed ips which omits the allowed ip that is to be removed.
2. By reassigning an allowed ip to a "dummy" peer then removing that
   peer with WGPEER_F_REMOVE_ME.

With the first approach, the driver completely rebuilds the allowed ip
list for a peer. If my current configuration is such that a peer has
allowed ips 192.168.0.2 and 192.168.0.3 and I want to remove
192.168.0.2, the actual transition looks like this.

[192.168.0.2, 192.168.0.3]  <-- Initial state
[]                          <-- Step 1: Allowed ips removed for peer
[192.168.0.3]               <-- Step 2: Allowed ips added back for peer

This is true even if the allowed ip list is small and the update does
not need to be batched into multiple WG_CMD_SET_DEVICE requests, as the
removal and subsequent addition of ips is non-atomic within a single
request. Consequently, wg_allowedips_lookup_dst and
wg_allowedips_lookup_src may return NULL while reconfiguring a peer,
even for packets bound for ips a user did not intend to remove, leading
to unintended interruptions in connectivity. This presents in userspace
as failed calls to sendto and sendmsg for UDP sockets. In my case, I ran
netperf while repeatedly reconfiguring the allowed ips for a peer with
wg.
/usr/local/bin/netperf -H 10.102.73.72 -l 10m -t UDP_STREAM -- -R 1 -m 1024
send_data: data send error: No route to host (errno 113)
netperf: send_omni: send_data failed: No route to host

While this may not be of particular concern for environments where peers
and allowed ips are mostly static, systems like Cilium manage peers and
allowed ips in a dynamic environment where peers (i.e. Kubernetes nodes)
and allowed ips (i.e. pods running on those nodes) can frequently
change, making WGPEER_F_REPLACE_ALLOWEDIPS problematic.

The second approach avoids any possible connectivity interruptions but
is hacky and less direct, requiring the creation of a temporary peer
just to dispose of an allowed ip.

Introduce a new flag called WGALLOWEDIP_F_REMOVE_ME which, in the same
way that WGPEER_F_REMOVE_ME allows a user to remove a single peer from a
WireGuard device's configuration, allows a user to remove an ip from a
peer's set of allowed ips. This enables incremental updates to a
device's configuration without any connectivity blips or messy
workarounds.

NOTE
----
I've addressed Jason's feedback from v2, but have been unable to get in
touch with him about v3 after several attempts. If there are no
objections, can we accept this into net-next?

v3->v4
------
* Remove selftests. In [1], Jason suggested that support should be added
  to wg to exercise this new flag and that this should be used in lieu
  of the custom remove-ip program used in v2 to implement the self
  tests. I sent a corresponding patch for wireguard-tools (wg), but that
  remains unreviewed and unmerged. Hence, I'm removing the self tests
  that rely on the new wg features until we can finalize that portion,
  after which point we can bring back the self tests that use it.

v2->v3
------
* Revert WG_GENL_VERSION back to 1.
* Rename _remove() to remove_node().
* Remove unnecessary !peer guard from remove().
* Adjust line length for calls to wg_allowedips_(remove|insert)_v(4|6).
* Fix punctuation inside uapi docs for WGALLOWEDIP_A_FLAGS.
* Get rid of remove-ip program and use wg instead in selftests.
* Use NLA_POLICY_MASK for WGALLOWEDIP_A_FLAGS validation.

v1->v2
------
* Fixed some Sparse warnings.

[1]: https://lore.kernel.org/netdev/ZzpXE8GlhjDYTa5l at zx2c4.com/

Signed-off-by: Jordan Rife
---
 drivers/net/wireguard/allowedips.c          | 106 ++++++++++++++------
 drivers/net/wireguard/allowedips.h          |   4 +
 drivers/net/wireguard/netlink.c             |  37 ++++---
 drivers/net/wireguard/selftest/allowedips.c |  48 +++++++++
 include/uapi/linux/wireguard.h              |   9 ++
 5 files changed, 161 insertions(+), 43 deletions(-)

diff --git a/drivers/net/wireguard/allowedips.c b/drivers/net/wireguard/allowedips.c
index 4b8528206cc8..dcf068ba2881 100644
--- a/drivers/net/wireguard/allowedips.c
+++ b/drivers/net/wireguard/allowedips.c
@@ -249,6 +249,56 @@ static int add(struct allowedips_node __rcu **trie, u8 bits, const u8 *key, return 0; } +static void remove_node(struct allowedips_node *node, struct mutex *lock) +{ + struct allowedips_node *child, **parent_bit, *parent; + bool free_parent; + + list_del_init(&node->peer_list); + RCU_INIT_POINTER(node->peer, NULL); + if (node->bit[0] && node->bit[1]) + return; + child = rcu_dereference_protected(node->bit[!rcu_access_pointer(node->bit[0])], + lockdep_is_held(lock)); + if (child) + child->parent_bit_packed = node->parent_bit_packed; + parent_bit = (struct allowedips_node **)(node->parent_bit_packed & ~3UL); + *parent_bit = child; + parent = (void *)parent_bit - + offsetof(struct allowedips_node, bit[node->parent_bit_packed & 1]); + free_parent = !rcu_access_pointer(node->bit[0]) && + !rcu_access_pointer(node->bit[1]) && + (node->parent_bit_packed & 3) <= 1 && + !rcu_access_pointer(parent->peer); + if (free_parent) + child = rcu_dereference_protected(parent->bit[!(node->parent_bit_packed & 1)], + lockdep_is_held(lock)); + call_rcu(&node->rcu, node_free_rcu); + if (!free_parent) + return; + if (child) + child->parent_bit_packed = parent->parent_bit_packed; + *(struct allowedips_node **)(parent->parent_bit_packed & ~3UL) = child; + call_rcu(&parent->rcu, node_free_rcu); +} + +static int remove(struct allowedips_node __rcu **trie, u8 bits, const u8 *key, + u8 cidr, struct wg_peer *peer, struct mutex *lock) +{ + struct allowedips_node *node; + + if (unlikely(cidr > bits)) + return -EINVAL; + if (!rcu_access_pointer(*trie) || + !node_placement(*trie, key, cidr, bits, &node, lock) || + peer != rcu_access_pointer(node->peer)) + return 0; + + remove_node(node, lock); + + return 0; +} + void wg_allowedips_init(struct allowedips *table) { table->root4 = table->root6 = NULL; 
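Review bot: remove() relies on an invariant that is not written down. With the `!peer` guard gone (per the v2->v3 changelog), a NULL peer compares equal to the NULL `node->peer` of an internal glue node, so `remove(..., NULL, ...)` can reach remove_node() on such a node, and it is only the early `if (node->bit[0] && node->bit[1]) return;` that makes that a no-op. A one-line comment above remove() saying that a NULL or mismatched peer can never unlink a node would make the selftest's "NULL peer should have no effect and return 0" expectation explicit. Also, a missing node and a peer mismatch both return 0, so callers cannot distinguish "removed" from "nothing matched"; fine if intended, but worth stating in the function comment.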
@@ -300,44 +350,38 @@ int wg_allowedips_insert_v6(struct allowedips *table, const struct in6_addr *ip, return add(&table->root6, 128, key, cidr, peer, lock); } +int wg_allowedips_remove_v4(struct allowedips *table, const struct in_addr *ip, + u8 cidr, struct wg_peer *peer, struct mutex *lock) +{ + /* Aligned so it can be passed to fls */ + u8 key[4] __aligned(__alignof(u32)); + + ++table->seq; + swap_endian(key, (const u8 *)ip, 32); + return remove(&table->root4, 32, key, cidr, peer, lock); +} + +int wg_allowedips_remove_v6(struct allowedips *table, const struct in6_addr *ip, + u8 cidr, struct wg_peer *peer, struct mutex *lock) +{ + /* Aligned so it can be passed to fls64 */ + u8 key[16] __aligned(__alignof(u64)); + + ++table->seq; + swap_endian(key, (const u8 *)ip, 128); + return remove(&table->root6, 128, key, cidr, peer, lock); +} + void wg_allowedips_remove_by_peer(struct allowedips *table, struct wg_peer *peer, struct mutex *lock) { - struct allowedips_node *node, *child, **parent_bit, *parent, *tmp; - bool free_parent; + struct allowedips_node *node, *tmp; if (list_empty(&peer->allowedips_list)) return; ++table->seq; - list_for_each_entry_safe(node, tmp, &peer->allowedips_list, peer_list) { - list_del_init(&node->peer_list); - RCU_INIT_POINTER(node->peer, NULL); - if (node->bit[0] && node->bit[1]) - continue; - child = rcu_dereference_protected(node->bit[!rcu_access_pointer(node->bit[0])], - lockdep_is_held(lock)); - if (child) - child->parent_bit_packed = node->parent_bit_packed; - parent_bit = (struct allowedips_node **)(node->parent_bit_packed & ~3UL); - *parent_bit = child; - parent = (void *)parent_bit - - offsetof(struct allowedips_node, bit[node->parent_bit_packed & 1]); - free_parent = !rcu_access_pointer(node->bit[0]) && - !rcu_access_pointer(node->bit[1]) && - (node->parent_bit_packed & 3) <= 1 && - !rcu_access_pointer(parent->peer); - if (free_parent) - child = rcu_dereference_protected( - parent->bit[!(node->parent_bit_packed & 1)], - 
lockdep_is_held(lock)); - call_rcu(&node->rcu, node_free_rcu); - if (!free_parent) - continue; - if (child) - child->parent_bit_packed = parent->parent_bit_packed; - *(struct allowedips_node **)(parent->parent_bit_packed & ~3UL) = child; - call_rcu(&parent->rcu, node_free_rcu); - } + list_for_each_entry_safe(node, tmp, &peer->allowedips_list, peer_list) + remove_node(node, lock); } int wg_allowedips_read_node(struct allowedips_node *node, u8 ip[16], u8 *cidr) diff --git a/drivers/net/wireguard/allowedips.h b/drivers/net/wireguard/allowedips.h index 2346c797eb4d..931958cb6e10 100644 --- a/drivers/net/wireguard/allowedips.h +++ b/drivers/net/wireguard/allowedips.h @@ -38,6 +38,10 @@ int wg_allowedips_insert_v4(struct allowedips *table, const struct in_addr *ip, u8 cidr, struct wg_peer *peer, struct mutex *lock); int wg_allowedips_insert_v6(struct allowedips *table, const struct in6_addr *ip, u8 cidr, struct wg_peer *peer, struct mutex *lock); +int wg_allowedips_remove_v4(struct allowedips *table, const struct in_addr *ip, + u8 cidr, struct wg_peer *peer, struct mutex *lock); +int wg_allowedips_remove_v6(struct allowedips *table, const struct in6_addr *ip, + u8 cidr, struct wg_peer *peer, struct mutex *lock); void wg_allowedips_remove_by_peer(struct allowedips *table, struct wg_peer *peer, struct mutex *lock); /* The ip input pointer should be __aligned(__alignof(u64))) */ diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c index f7055180ba4a..386f65042072 100644 --- a/drivers/net/wireguard/netlink.c +++ b/drivers/net/wireguard/netlink.c 
@@ -46,7 +46,8 @@ static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = { static const struct nla_policy allowedip_policy[WGALLOWEDIP_A_MAX + 1] = { [WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16 }, [WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(sizeof(struct in_addr)), - [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 } + [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 }, + [WGALLOWEDIP_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, __WGALLOWEDIP_F_ALL), }; static struct wg_device *lookup_interface(struct nlattr **attrs, @@ -329,6 +330,7 @@ static int set_port(struct wg_device *wg, u16 port) static int set_allowedip(struct wg_peer *peer, struct nlattr **attrs) { int ret = -EINVAL; + u32 flags = 0; u16 family; u8 cidr; 
@@ -337,19 +339,30 @@ static int set_allowedip(struct wg_peer *peer, struct nlattr **attrs) return ret; family = nla_get_u16(attrs[WGALLOWEDIP_A_FAMILY]); cidr = nla_get_u8(attrs[WGALLOWEDIP_A_CIDR_MASK]); + if (attrs[WGALLOWEDIP_A_FLAGS]) + flags = nla_get_u32(attrs[WGALLOWEDIP_A_FLAGS]); if (family == AF_INET && cidr <= 32 && - nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in_addr)) - ret = wg_allowedips_insert_v4( - &peer->device->peer_allowedips, - nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, peer, - &peer->device->device_update_lock); - else if (family == AF_INET6 && cidr <= 128 && - nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in6_addr)) - ret = wg_allowedips_insert_v6( - &peer->device->peer_allowedips, - nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, peer, - &peer->device->device_update_lock); + nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in_addr)) { + if (flags & WGALLOWEDIP_F_REMOVE_ME) + ret = wg_allowedips_remove_v4(&peer->device->peer_allowedips, + nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, + peer, &peer->device->device_update_lock); + else + ret = wg_allowedips_insert_v4(&peer->device->peer_allowedips, + nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, + peer, &peer->device->device_update_lock); + } else if (family == AF_INET6 && cidr <= 128 && + nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in6_addr)) { + if (flags & WGALLOWEDIP_F_REMOVE_ME) + ret = wg_allowedips_remove_v6(&peer->device->peer_allowedips, + nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, + peer, &peer->device->device_update_lock); + else + ret = wg_allowedips_insert_v6(&peer->device->peer_allowedips, + nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, + peer, &peer->device->device_update_lock); + } return ret; } diff --git a/drivers/net/wireguard/selftest/allowedips.c b/drivers/net/wireguard/selftest/allowedips.c index 25de7058701a..41837efa70cb 100644 --- a/drivers/net/wireguard/selftest/allowedips.c +++ b/drivers/net/wireguard/selftest/allowedips.c 
@@ -460,6 +460,10 @@ static __init struct wg_peer *init_peer(void) wg_allowedips_insert_v##version(&t, ip##version(ipa, ipb, ipc, ipd), \ cidr, mem, &mutex) +#define remove(version, mem, ipa, ipb, ipc, ipd, cidr) \ + wg_allowedips_remove_v##version(&t, ip##version(ipa, ipb, ipc, ipd), \ + cidr, mem, &mutex) + #define maybe_fail() do { \ ++i; \ if (!_s) { \ 
@@ -585,6 +589,50 @@ bool __init wg_allowedips_selftest(void) test_negative(4, a, 192, 0, 0, 0); test_negative(4, a, 255, 0, 0, 0); + insert(4, a, 1, 0, 0, 0, 32); + insert(4, a, 192, 0, 0, 0, 24); + insert(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef, 128); + insert(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0, 98); + test(4, a, 1, 0, 0, 0); + test(4, a, 192, 0, 0, 1); + test(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef); + test(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0x10101010); + /* Must be an exact match to remove */ + remove(4, a, 192, 0, 0, 0, 32); + test(4, a, 192, 0, 0, 1); + /* NULL peer should have no effect and return 0 */ + test_boolean(!remove(4, NULL, 192, 0, 0, 0, 24)); + test(4, a, 192, 0, 0, 1); + /* different peer should have no effect and return 0 */ + test_boolean(!remove(4, b, 192, 0, 0, 0, 24)); + test(4, a, 192, 0, 0, 1); + /* invalid CIDR should have no effect and return -EINVAL */ + test_boolean(remove(4, b, 192, 0, 0, 0, 33) == -EINVAL); + test(4, a, 192, 0, 0, 1); + remove(4, a, 192, 0, 0, 0, 24); + test_negative(4, a, 192, 0, 0, 1); + remove(4, a, 1, 0, 0, 0, 32); + test_negative(4, a, 1, 0, 0, 0); + /* Must be an exact match to remove */ + remove(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef, 96); + test(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef); + /* NULL peer should have no effect and return 0 */ + test_boolean(!remove(6, NULL, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef, 128)); + test(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef); + /* different peer should have no effect and return 0 */ + test_boolean(!remove(6, b, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef, 128)); + test(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef); + /* invalid CIDR should have no effect and return -EINVAL */ + test_boolean(remove(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef, 129) == -EINVAL); + test(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef); + remove(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 
0xdefbeef, 128); + test_negative(6, a, 0x24446801, 0x40e40800, 0xdeaebeef, 0xdefbeef); + /* Must match the peer to remove */ + remove(6, b, 0x24446800, 0xf0e40800, 0xeeaebeef, 0, 98); + test(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0x10101010); + remove(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0, 98); + test_negative(6, a, 0x24446800, 0xf0e40800, 0xeeaebeef, 0x10101010); + wg_allowedips_free(&t, &mutex); wg_allowedips_init(&t); insert(4, a, 192, 168, 0, 0, 16); diff --git a/include/uapi/linux/wireguard.h b/include/uapi/linux/wireguard.h index ae88be14c947..8c26391196d5 100644 --- a/include/uapi/linux/wireguard.h +++ b/include/uapi/linux/wireguard.h @@ -101,6 +101,10 @@ * WGALLOWEDIP_A_FAMILY: NLA_U16 * WGALLOWEDIP_A_IPADDR: struct in_addr or struct in6_addr * WGALLOWEDIP_A_CIDR_MASK: NLA_U8 + * WGALLOWEDIP_A_FLAGS: NLA_U32, WGALLOWEDIP_F_REMOVE_ME if + * the specified IP should be removed; + * otherwise, this IP will be added if + * it is not already present. * 0: NLA_NESTED * ... * 0: NLA_NESTED @@ -184,11 +188,16 @@ enum wgpeer_attribute { }; #define WGPEER_A_MAX (__WGPEER_A_LAST - 1) +enum wgallowedip_flag { + WGALLOWEDIP_F_REMOVE_ME = 1U << 0, + __WGALLOWEDIP_F_ALL = WGALLOWEDIP_F_REMOVE_ME +}; enum wgallowedip_attribute { WGALLOWEDIP_A_UNSPEC, WGALLOWEDIP_A_FAMILY, WGALLOWEDIP_A_IPADDR, WGALLOWEDIP_A_CIDR_MASK, + WGALLOWEDIP_A_FLAGS, __WGALLOWEDIP_A_LAST }; #define WGALLOWEDIP_A_MAX (__WGALLOWEDIP_A_LAST - 1) -- 2.48.1.711.g2feabab25a-goog From Jason at zx2c4.com Tue Mar 4 03:38:47 2025 
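Review bot: wg_allowedips_remove_v4()/_v6() do `++table->seq` before knowing whether remove() will find anything, while wg_allowedips_remove_by_peer() in the same hunk returns before `++table->seq` when `list_empty(&peer->allowedips_list)`. Because remove() reports "no-op" and "removed" identically (both return 0), the wrappers cannot make the same distinction; either let remove() report an actual removal (an out-parameter keeps the 0/-EINVAL return the selftests expect) and bump seq only then, or add a comment that the unconditional bump is deliberate. Folding the old loop body of wg_allowedips_remove_by_peer() into remove_node() is a straight move, no behaviour change visible.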
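Review bot: in set_allowedip(), the `if (flags & WGALLOWEDIP_F_REMOVE_ME)` selection and its argument lists are duplicated verbatim for the AF_INET and AF_INET6 branches; hoisting the decision once (or a small helper taking the insert/remove function pair) keeps the family checks and the five-argument calls in one place. Separately, the uapi comment should state how WGALLOWEDIP_F_REMOVE_ME interacts with WGPEER_F_REPLACE_ALLOWEDIPS in the same request (is the removal applied before or after the list is rebuilt?), since the commit message motivates the flag as an alternative to that path.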
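Review bot: in the selftest hunk, the v4 invalid-CIDR case passes peer `b` (`test_boolean(remove(4, b, 192, 0, 0, 0, 33) == -EINVAL);`) while the v6 counterpart passes `a`; use `a` in both so the CIDR check is isolated from the different-peer check it sits next to. The successful removals (`remove(4, a, 192, 0, 0, 0, 24);` and the v6 equivalents) discard the return value; wrapping them in `test_boolean(!remove(...))` would also pin the 0 return on success.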
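Review bot: the new WGALLOWEDIP_A_FLAGS doc comment says the IP "will be added if it is not already present" when the flag is clear, but not what happens when it is already present for a different peer, nor that flag bits outside __WGALLOWEDIP_F_ALL are rejected by the NLA_POLICY_MASK policy (the request fails instead of the bit being ignored). Both are part of the uapi contract and belong in this comment.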
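The WGALLOWEDIP_A_FLAGS attribute the patch adds is an ordinary netlink TLV inside the allowed-ip nest, so its wire form and the kernel-side checks are easy to show end to end. The following is an added example, not code from the patch or from the WireGuard tree: a userspace encoder for one allowed-ip nest (family, address, cidr, flags) and a parser that applies the checks the kernel side performs after this patch (per-attribute policy lengths, NLA_POLICY_MASK rejection of unknown flag bits, then set_allowedip()'s family/length/cidr test). The attribute numbers and WGALLOWEDIP_F_REMOVE_ME come from the uapi hunk; struct allowedip_req, the function names, and the 192.168.0.2 sample address are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h> /* AF_INET, AF_INET6 */

/* Attribute ids and flag bits exactly as the uapi hunk defines them. */
enum { WGALLOWEDIP_A_UNSPEC, WGALLOWEDIP_A_FAMILY, WGALLOWEDIP_A_IPADDR,
       WGALLOWEDIP_A_CIDR_MASK, WGALLOWEDIP_A_FLAGS };
#define WGALLOWEDIP_F_REMOVE_ME (1U << 0)
#define __WGALLOWEDIP_F_ALL     WGALLOWEDIP_F_REMOVE_ME

/* struct nlattr on the wire: u16 nla_len (header + payload), u16 nla_type, payload, pad to 4. */
#define NLA_HDRLEN   4
#define NLA_ALIGN(n) (((n) + 3u) & ~3u)

/* Decoded allowed-ip nest; this struct is the example's own, not a kernel type. */
struct allowedip_req {
	uint16_t family;
	uint8_t  addr[16];
	uint8_t  addrlen;
	uint8_t  cidr;
	uint32_t flags;
};

/* Append one attribute at off; returns the new offset, or 0 if cap would be exceeded. */
static size_t nla_put(uint8_t *buf, size_t cap, size_t off, uint16_t type,
		      const void *data, uint16_t len)
{
	uint16_t nla_len = NLA_HDRLEN + len;
	size_t total = NLA_ALIGN(nla_len);

	if (off + total > cap)
		return 0;
	memcpy(buf + off, &nla_len, 2); /* netlink headers are host-endian */
	memcpy(buf + off + 2, &type, 2);
	memcpy(buf + off + NLA_HDRLEN, data, len);
	memset(buf + off + nla_len, 0, total - nla_len);
	return off + total;
}

/* Build the payload of one allowed-ip nest. WGALLOWEDIP_A_FLAGS is optional on the
 * wire (the patch reads it as 0 when absent), so it is emitted only when non-zero. */
size_t build_allowedip(uint8_t *buf, size_t cap, uint16_t family, const void *addr,
		       uint8_t addrlen, uint8_t cidr, uint32_t flags)
{
	size_t off = nla_put(buf, cap, 0, WGALLOWEDIP_A_FAMILY, &family, sizeof(family));

	if (off)
		off = nla_put(buf, cap, off, WGALLOWEDIP_A_IPADDR, addr, addrlen);
	if (off)
		off = nla_put(buf, cap, off, WGALLOWEDIP_A_CIDR_MASK, &cidr, sizeof(cidr));
	if (off && flags)
		off = nla_put(buf, cap, off, WGALLOWEDIP_A_FLAGS, &flags, sizeof(flags));
	return off;
}

/* Parse a nest with the kernel-side checks from the patch: per-attribute policy,
 * NLA_POLICY_MASK rejection of unknown flag bits, then set_allowedip()'s
 * family / address length / cidr test. Returns 0 on success, -EINVAL otherwise. */
int parse_allowedip(const uint8_t *buf, size_t len, struct allowedip_req *out)
{
	int have_family = 0, have_addr = 0, have_cidr = 0;
	size_t off = 0;

	memset(out, 0, sizeof(*out));
	while (off + NLA_HDRLEN <= len) {
		const uint8_t *p = buf + off + NLA_HDRLEN;
		uint16_t nla_len, type, plen;

		memcpy(&nla_len, buf + off, 2);
		memcpy(&type, buf + off + 2, 2);
		if (nla_len < NLA_HDRLEN || off + nla_len > len)
			return -EINVAL; /* truncated or malformed TLV */
		plen = nla_len - NLA_HDRLEN;
		switch (type) {
		case WGALLOWEDIP_A_FAMILY: /* NLA_U16 */
			if (plen != 2) return -EINVAL;
			memcpy(&out->family, p, 2); have_family = 1; break;
		case WGALLOWEDIP_A_IPADDR: /* NLA_POLICY_MIN_LEN(sizeof(struct in_addr)) */
			if (plen < 4 || plen > 16) return -EINVAL; /* >16 fails the family check anyway */
			memcpy(out->addr, p, plen); out->addrlen = (uint8_t)plen; have_addr = 1; break;
		case WGALLOWEDIP_A_CIDR_MASK: /* NLA_U8 */
			if (plen != 1) return -EINVAL;
			out->cidr = p[0]; have_cidr = 1; break;
		case WGALLOWEDIP_A_FLAGS: /* NLA_POLICY_MASK(NLA_U32, __WGALLOWEDIP_F_ALL) */
			if (plen != 4) return -EINVAL;
			memcpy(&out->flags, p, 4);
			if (out->flags & ~__WGALLOWEDIP_F_ALL) return -EINVAL;
			break;
		default:
			break; /* unknown attribute types are skipped */
		}
		off += NLA_ALIGN(nla_len);
	}
	if (!have_family || !have_addr || !have_cidr)
		return -EINVAL;
	if (out->family == AF_INET && out->cidr <= 32 && out->addrlen == 4)
		return 0;
	if (out->family == AF_INET6 && out->cidr <= 128 && out->addrlen == 16)
		return 0;
	return -EINVAL;
}

/* True when the request asks to remove the allowed ip rather than add it. */
int allowedip_is_remove(const struct allowedip_req *r)
{
	return (r->flags & WGALLOWEDIP_F_REMOVE_ME) != 0;
}
```

Encoding the commit message's scenario, removal of 192.168.0.2/32, gives four attributes padded to 8 bytes each (32 bytes); the same nest without the flags attribute parses as a plain insert, and a nest carrying an undefined flag bit is refused the way the policy mask refuses it, rather than having the bit silently ignored.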
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 04 Mar 2025 03:38:47 -0000
Subject: [PATCH v4 net-next] wireguard: allowedips: Add WGALLOWEDIP_F_REMOVE_ME flag
In-Reply-To: <20250304003900.1416866-1-jrife@google.com>
References: <20250304003900.1416866-1-jrife@google.com>
Message-ID:

On Tue, Mar 04, 2025 at 12:38:55AM +0000, Jordan Rife wrote:
> NOTE
> ----
> I've addressed Jason's feedback from v2, but have been unable to
> get in touch with him about v3 after several attempts. If there are no
> objections, can we accept this into net-next?

No. I'll take this through the wireguard tree like usual. This patch and
the wg(8) patches ARE going in; I like them a lot. I've been very behind
as of late but am catching up.

Jason

From jrife at google.com Tue Mar 4 17:46:34 2025
From: jrife at google.com (Jordan Rife)
Date: Tue, 04 Mar 2025 17:46:34 -0000
Subject: [PATCH v4 net-next] wireguard: allowedips: Add WGALLOWEDIP_F_REMOVE_ME flag
In-Reply-To:
References: <20250304003900.1416866-1-jrife@google.com>
Message-ID:

Hi Jason,

> No. I'll take this through the wireguard tree like usual. This patch and
> the wg(8) patches ARE going in; I like them a lot. I've been very behind
> as of late but am catching up.

Sounds good, that would be my preference as well. I assume you're
referring to v3 with the wg-based self tests and everything?

-Jordan

From kees at kernel.org Mon Mar 10 22:22:55 2025
From: kees at kernel.org (Kees Cook) Date: Mon, 10 Mar 2025 22:22:55 -0000 Subject: [PATCH] wireguard: noise: Add __nonstring annotations for unterminated strings Message-ID: <20250310222249.work.154-kees@kernel.org> When a character array without a terminating NUL character has a static initializer, GCC 15's -Wunterminated-string-initialization will only warn if the array lacks the "nonstring" attribute[1]. Mark the arrays with __nonstring to and correctly identify the char array as "not a C string" and thereby eliminate the warning. Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117178 [1] Cc: Jason A. Donenfeld Cc: "Jason A. Donenfeld" Cc: Andrew Lunn Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: wireguard at lists.zx2c4.com Cc: netdev at vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/wireguard/noise.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireguard/noise.c b/drivers/net/wireguard/noise.c index 202a33af5a72..7eb9a23a3d4d 100644 --- a/drivers/net/wireguard/noise.c +++ b/drivers/net/wireguard/noise.c @@ -25,8 +25,8 @@ * <- e, ee, se, psk, {} */ -static const u8 handshake_name[37] = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"; -static const u8 identifier_name[34] = "WireGuard v1 zx2c4 Jason at zx2c4.com"; +static const u8 handshake_name[37] __nonstring = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"; +static const u8 identifier_name[34] __nonstring = "WireGuard v1 zx2c4 Jason at zx2c4.com"; static u8 handshake_init_hash[NOISE_HASH_LEN] __ro_after_init; static u8 handshake_init_chaining_key[NOISE_HASH_LEN] __ro_after_init; static atomic64_t keypair_counter = ATOMIC64_INIT(0); -- 2.34.1 From kuba at kernel.org Tue Mar 11 10:19:35 2025 
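Review bot: the commit message reads "Mark the arrays with __nonstring to and correctly identify", the stray "to and" wants fixing. More substantively, drivers/net/wireguard/cookie.c carries the same construct (mac1_key_label and cookie_key_label, `u8[COOKIE_KEY_LABEL_LEN]` with an eight-character initializer), so this patch should annotate both files at once rather than leaving cookie.c to produce the same GCC 15 warning; v2 of this patch, later in this thread, does exactly that.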
From: kuba at kernel.org (Jakub Kicinski)
Date: Tue, 11 Mar 2025 10:19:35 -0000
Subject: [PATCH] wireguard: noise: Add __nonstring annotations for unterminated strings
In-Reply-To: <20250310222249.work.154-kees@kernel.org>
References: <20250310222249.work.154-kees@kernel.org>
Message-ID: <20250311111927.06120773@kernel.org>

On Mon, 10 Mar 2025 15:22:50 -0700 Kees Cook wrote:
> When a character array without a terminating NUL character has a static
> initializer, GCC 15's -Wunterminated-string-initialization will only
> warn if the array lacks the "nonstring" attribute[1]. Mark the arrays
> with __nonstring to and correctly identify the char array as "not a C
> string" and thereby eliminate the warning.

Hi! Would marking all of u8 as non-string not be an option? How many
of such warnings do we have in the tree? Feel free to point me to a
previous conversation.

From kees at kernel.org Tue Mar 11 22:38:56 2025
From: kees at kernel.org (Kees Cook)
Date: Tue, 11 Mar 2025 22:38:56 -0000
Subject: [PATCH] wireguard: noise: Add __nonstring annotations for unterminated strings
In-Reply-To: <20250311111927.06120773@kernel.org>
References: <20250310222249.work.154-kees@kernel.org> <20250311111927.06120773@kernel.org>
Message-ID: <202503111520.CF7527A@keescook>

On Tue, Mar 11, 2025 at 11:19:27AM +0100, Jakub Kicinski wrote:
> On Mon, 10 Mar 2025 15:22:50 -0700 Kees Cook wrote:
> > When a character array without a terminating NUL character has a static
> > initializer, GCC 15's -Wunterminated-string-initialization will only
> > warn if the array lacks the "nonstring" attribute[1]. Mark the arrays
> > with __nonstring to and correctly identify the char array as "not a C
> > string" and thereby eliminate the warning.
>
> Hi! Would marking all of u8 as non-string not be an option? How many
> of such warnings do we have in the tree? Feel free to point me to a
> previous conversation.

*thread merge*

On Mon, Mar 10, 2025 at 06:38:01PM -0400, James Bottomley wrote[1]:
> This looks a bit suboptimal ... is there anywhere in the kernel u8[] is
> actually used for real strings? In which case it would seem the better
> place to put the annotation is in the typedef for u8 arrays.

So both of you asked basically the same question, and I think the simple
answer is "no we can't mark u8 as nonstring". The use of u8 has become
synonymous with "char" for a long while now, and it's gotten even more
common after we made char unsigned by default.

The number of warning sources is pretty small. I think I have identified
and proposed fixes for most of them already[2]. ACPICA needs an upstream
change, which I've submitted[3]. And ACPI needed multidimensional
nonstring annotation support, which had the last needed bit added to GCC
today[4], and I've proposed support for it in the kernel[5].

With 4 and 5 ready, I can send the final patch, which is basically just
this (and actually accounts for the vast majority of warnings emitted):

-static const char table_sigs[][ACPI_NAMESEG_SIZE] __initconst = {
+static const char table_sigs[][ACPI_NAMESEG_SIZE] __nonstring_array __initconst = {

-Kees

[1] https://lore.kernel.org/lkml/98ca3727d65a418e403b03f6b17341dbcb192764.camel at HansenPartnership.com/
[2] https://lore.kernel.org/lkml/?q=f%3AKees+%22-Wunterminated-string-initialization%22
[3] https://github.com/acpica/acpica/pull/1006
[4] https://github.com/gcc-mirror/gcc/commit/afb46540d3921e96c4cd7ba8fa2c8b0901759455
[5] https://lore.kernel.org/lkml/20250310214244.work.194-kees at kernel.org/

--
Kees Cook

From kees at kernel.org Wed Mar 12 20:14:58 2025
From: kees at kernel.org (Kees Cook)
Date: Wed, 12 Mar 2025 20:14:58 -0000
Subject: [PATCH v2] wireguard: Add __nonstring annotations for unterminated strings
Message-ID: <20250312201447.it.157-kees@kernel.org>

When a character array without a terminating NUL character has a static
initializer, GCC 15's -Wunterminated-string-initialization will only
warn if the array lacks the "nonstring" attribute[1]. Mark the arrays
with __nonstring to correctly identify the char array as "not a C
string" and thereby eliminate the warning:

../drivers/net/wireguard/cookie.c:29:56: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (9 chars into 8 available) [-Wunterminated-string-initialization]
   29 | static const u8 mac1_key_label[COOKIE_KEY_LABEL_LEN] = "mac1----";
      |                                                        ^~~~~~~~~~
../drivers/net/wireguard/cookie.c:30:58: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (9 chars into 8 available) [-Wunterminated-string-initialization]
   30 | static const u8 cookie_key_label[COOKIE_KEY_LABEL_LEN] = "cookie--";
      |                                                          ^~~~~~~~~~
../drivers/net/wireguard/noise.c:28:38: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (38 chars into 37 available) [-Wunterminated-string-initialization]
   28 | static const u8 handshake_name[37] = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s";
      |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/wireguard/noise.c:29:39: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (35 chars into 34 available) [-Wunterminated-string-initialization]
   29 | static const u8 identifier_name[34] = "WireGuard v1 zx2c4 Jason@zx2c4.com";
      |                                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The arrays are always used with their fixed size, so use __nonstring.
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117178 [1] Signed-off-by: Kees Cook --- v2: Improve commit log, add cookie nonstrings too v1: https://lore.kernel.org/lkml/20250310222249.work.154-kees at kernel.org/ Cc: Jason A. Donenfeld Cc: "Jason A. Donenfeld" Cc: Andrew Lunn Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: wireguard at lists.zx2c4.com Cc: netdev at vger.kernel.org --- drivers/net/wireguard/cookie.c | 4 ++-- drivers/net/wireguard/noise.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireguard/cookie.c b/drivers/net/wireguard/cookie.c index f89581b5e8cb..94d0a7206084 100644 --- a/drivers/net/wireguard/cookie.c +++ b/drivers/net/wireguard/cookie.c @@ -26,8 +26,8 @@ void wg_cookie_checker_init(struct cookie_checker *checker, } enum { COOKIE_KEY_LABEL_LEN = 8 }; -static const u8 mac1_key_label[COOKIE_KEY_LABEL_LEN] = "mac1----"; -static const u8 cookie_key_label[COOKIE_KEY_LABEL_LEN] = "cookie--"; +static const u8 mac1_key_label[COOKIE_KEY_LABEL_LEN] __nonstring = "mac1----"; +static const u8 cookie_key_label[COOKIE_KEY_LABEL_LEN] __nonstring = "cookie--"; static void precompute_key(u8 key[NOISE_SYMMETRIC_KEY_LEN], const u8 pubkey[NOISE_PUBLIC_KEY_LEN], diff --git a/drivers/net/wireguard/noise.c b/drivers/net/wireguard/noise.c index 202a33af5a72..7eb9a23a3d4d 100644 --- a/drivers/net/wireguard/noise.c +++ b/drivers/net/wireguard/noise.c 
@@ -25,8 +25,8 @@ * <- e, ee, se, psk, {} */ -static const u8 handshake_name[37] = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"; -static const u8 identifier_name[34] = "WireGuard v1 zx2c4 Jason at zx2c4.com"; +static const u8 handshake_name[37] __nonstring = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"; +static const u8 identifier_name[34] __nonstring = "WireGuard v1 zx2c4 Jason at zx2c4.com"; static u8 handshake_init_hash[NOISE_HASH_LEN] __ro_after_init; static u8 handshake_init_chaining_key[NOISE_HASH_LEN] __ro_after_init; static atomic64_t keypair_counter = ATOMIC64_INIT(0); -- 2.34.1 From dxld at darkboxed.org Sun Mar 16 11:15:38 2025 
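Review bot: in the cookie.c hunk, `COOKIE_KEY_LABEL_LEN = 8` and the literals "mac1----" / "cookie--" are kept in step only by inspection; a literal one character shorter would be zero-padded with no diagnostic at all. A `static_assert(sizeof(mac1_key_label) == sizeof("mac1----") - 1)` (and the same for cookie_key_label) beside the declarations would state the exact-fit intent that __nonstring is now relied upon to express.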
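Review bot: for the noise.c hunk, the commit log should record why __nonstring is applied per array rather than to u8 itself, since that was the first question raised on v1 (Jakub here, and James Bottomley on the lkml copy) and the answer given on-list, that u8 has become synonymous with char across the tree, is not in the log; the `handshake_name[37]` / `identifier_name[34]` sizes would also benefit from the same static_assert suggested for cookie.c.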
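What the patch is asserting about these arrays is that they are fixed-width byte labels, consumed only by length, with no terminator stored. The following is an added example, not code from Kees' patch or from the WireGuard sources: it declares two labels the way the patch does (the kernel's __nonstring reduced to a portable macro), pins the exact-fit property with a static assertion, and feeds the labels into a key derivation by their fixed length. The hash is a stand-in FNV-1a, chosen only to keep the example self-contained; the driver itself uses BLAKE2s, and derive_key(), label_equals(), label_bytes() and the 0x42-filled sample key are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The kernel's __nonstring, reduced: GCC's nonstring attribute where the compiler has it, nothing otherwise. */
#if defined(__has_attribute)
# if __has_attribute(__nonstring__)
#  define __nonstring __attribute__((__nonstring__))
# endif
#endif
#ifndef __nonstring
# define __nonstring
#endif

enum { LABEL_LEN = 8 };

/* Exact-fit byte labels, declared as in the patch: 8 bytes stored, no NUL. */
static const uint8_t mac1_key_label[LABEL_LEN]   __nonstring = "mac1----";
static const uint8_t cookie_key_label[LABEL_LEN] __nonstring = "cookie--";

/* sizeof(literal) counts the NUL; minus one is the byte count the array must hold.
 * A literal shorter than LABEL_LEN would be zero-padded silently; this catches it. */
_Static_assert(sizeof(mac1_key_label) == sizeof("mac1----") - 1, "mac1 label must fill the array");
_Static_assert(sizeof(cookie_key_label) == sizeof("cookie--") - 1, "cookie label must fill the array");

/* Stand-in for the driver's BLAKE2s-based key precomputation: FNV-1a over label || input.
 * The label is consumed by its fixed width, never via strlen(), which would read past it. */
uint64_t derive_key(const uint8_t label[LABEL_LEN], const uint8_t *in, size_t inlen)
{
	uint64_t h = 0xcbf29ce484222325ULL;
	size_t i;

	for (i = 0; i < LABEL_LEN; i++) {
		h ^= label[i];
		h *= 0x100000001b3ULL;
	}
	for (i = 0; i < inlen; i++) {
		h ^= in[i];
		h *= 0x100000001b3ULL;
	}
	return h;
}

/* Fixed-width comparison; strcmp()/strncmp() would look for a NUL the arrays do not carry. */
int label_equals(const uint8_t a[LABEL_LEN], const uint8_t b[LABEL_LEN])
{
	return memcmp(a, b, LABEL_LEN) == 0;
}

/* Number of label bytes actually stored: 8, not the literal's 9. */
size_t label_bytes(void)
{
	return sizeof(mac1_key_label);
}
```

With a constructed 32-byte input, the two labels yield different keys from the same input (domain separation) while the same label is deterministic; both follow directly from the label bytes being mixed in by length rather than by a terminator the array never had.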
From: dxld at darkboxed.org (Daniel Gröber)
Date: Sun, 16 Mar 2025 11:15:38 -0000
Subject: [PATCH v2] net: wireguard: Allow binding to specific ifindex
In-Reply-To: <20241203193939.1953303-1-greearb@candelatech.com>
References: <20241203193939.1953303-1-greearb@candelatech.com>
Message-ID: <20250316111516.4vxnot4osduc7oeh@House.clients.dxld.at>

Hi Ben,

I sent a more general patch adding essentially the same feature quite a
while ago (Nov 2023): "wireguard: Add netlink attrs for binding to
address and netdev"

https://lore.kernel.org/netdev/20240219114334.3057169-1-dxld at darkboxed.org/T/

which also came with ready-to-go wireguard-tools userspace support.
Unfortunately I never got any real feedback on it.

I managed to catch Jason at FOSDEM this year at least and he seems to not
be convinced either address or interface binding are useful or necessary
features for wg. The 1) "scaling" argument in the v3 patch was shot down
due to Linux not being scalable in the number of interfaces due to
linked lists anyway, which is fair if true. I added that argument in v3
to make the patch more appealing; previously I had some handwaving about
multihoming
https://lists.zx2c4.com/pipermail/wireguard/2023-November/008256.html :-)

I still think there's plenty of operational reasons to want to do this
outside of that consideration and I just seem to be failing to
communicate them in a way that appeals to Jason's design beauty
aesthetic. Perhaps you could explain your use-case in more depth to make
the technical argument stronger than what I can muster? :-)

Quickly comparing your code with mine I see you set fl.flowi*_oif in
addition to bind_ifindex. Did you find that necessary for packets to be
emitted on the right device?

Thanks,
--Daniel

PS: I'm aware the v3 patch probably still has a subtle uninitialized
memory problem, just haven't had the motivation to work on it due to
lack of feedback.
PPS: Sorry for the late response I don't read netdev regularly and apparently Jason's wireguard list has been more broken than I've been aware of. I've got some sieve hacks to get wireguard mail from netdev now. On Tue, Dec 03, 2024 at 11:39:39AM -0800, greearb at candelatech.com wrote: > From: Ben Greear > > Which allows us to bind to VRF. > > Signed-off-by: Ben Greear > --- > > v2: Fix bad use of comma, semicolon now used instead. > > drivers/net/wireguard/device.h | 1 + > drivers/net/wireguard/netlink.c | 12 +++++++++++- > drivers/net/wireguard/socket.c | 8 +++++++- > include/uapi/linux/wireguard.h | 3 +++ > 4 files changed, 22 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireguard/device.h b/drivers/net/wireguard/device.h > index 43c7cebbf50b..9698d9203915 100644 > --- a/drivers/net/wireguard/device.h > +++ b/drivers/net/wireguard/device.h > @@ -53,6 +53,7 @@ struct wg_device { > atomic_t handshake_queue_len; > unsigned int num_peers, device_update_gen; > u32 fwmark; > + int lowerdev; /* ifindex of lower level device to bind UDP transport */ > u16 incoming_port; > }; > > diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c > index f7055180ba4a..5de3d59a17b0 100644 > --- a/drivers/net/wireguard/netlink.c > +++ b/drivers/net/wireguard/netlink.c > @@ -27,7 +27,8 @@ static const struct nla_policy device_policy[WGDEVICE_A_MAX + 1] = { > [WGDEVICE_A_FLAGS] = { .type = NLA_U32 }, > [WGDEVICE_A_LISTEN_PORT] = { .type = NLA_U16 }, > [WGDEVICE_A_FWMARK] = { .type = NLA_U32 }, > - [WGDEVICE_A_PEERS] = { .type = NLA_NESTED } > + [WGDEVICE_A_PEERS] = { .type = NLA_NESTED }, > + [WGDEVICE_A_LOWERDEV] = { .type = NLA_U32 }, > }; > > static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = { 
> @@ -232,6 +233,7 @@ static int wg_get_device_dump(struct sk_buff *skb, struct netlink_callback *cb) > if (nla_put_u16(skb, WGDEVICE_A_LISTEN_PORT, > wg->incoming_port) || > nla_put_u32(skb, WGDEVICE_A_FWMARK, wg->fwmark) || > + nla_put_u32(skb, WGDEVICE_A_LOWERDEV, wg->lowerdev) || > nla_put_u32(skb, WGDEVICE_A_IFINDEX, wg->dev->ifindex) || > nla_put_string(skb, WGDEVICE_A_IFNAME, wg->dev->name)) > goto out; > @@ -530,6 +532,14 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info) > wg_socket_clear_peer_endpoint_src(peer); > } > > + if (info->attrs[WGDEVICE_A_LOWERDEV]) { > + struct wg_peer *peer; > + > + wg->lowerdev = nla_get_u32(info->attrs[WGDEVICE_A_LOWERDEV]); > + list_for_each_entry(peer, &wg->peer_list, peer_list) > + wg_socket_clear_peer_endpoint_src(peer); > + } > + > if (info->attrs[WGDEVICE_A_LISTEN_PORT]) { > ret = set_port(wg, > nla_get_u16(info->attrs[WGDEVICE_A_LISTEN_PORT])); > diff --git a/drivers/net/wireguard/socket.c b/drivers/net/wireguard/socket.c > index 0414d7a6ce74..7cef4b27f6ba 100644 > --- a/drivers/net/wireguard/socket.c > +++ b/drivers/net/wireguard/socket.c > @@ -25,7 +25,8 @@ static int send4(struct wg_device *wg, struct sk_buff *skb, > .daddr = endpoint->addr4.sin_addr.s_addr, > .fl4_dport = endpoint->addr4.sin_port, > .flowi4_mark = wg->fwmark, > - .flowi4_proto = IPPROTO_UDP > + .flowi4_proto = IPPROTO_UDP, > + .flowi4_oif = wg->lowerdev, > }; > struct rtable *rt = NULL; > struct sock *sock; > @@ -111,6 +112,9 @@ static int send6(struct wg_device *wg, struct sk_buff *skb, > struct sock *sock; > int ret = 0; > > + if (wg->lowerdev) > + fl.flowi6_oif = wg->lowerdev; > + > skb_mark_not_on_list(skb); > skb->dev = wg->dev; > skb->mark = wg->fwmark; > @@ -360,6 +364,7 @@ int wg_socket_init(struct wg_device *wg, u16 port) > .family = AF_INET, > .local_ip.s_addr = htonl(INADDR_ANY), > .local_udp_port = htons(port), > + .bind_ifindex = wg->lowerdev, > .use_udp_checksums = true > }; > #if IS_ENABLED(CONFIG_IPV6) 
> @@ -369,6 +374,7 @@ int wg_socket_init(struct wg_device *wg, u16 port) > .local_ip6 = IN6ADDR_ANY_INIT, > .use_udp6_tx_checksums = true, > .use_udp6_rx_checksums = true, > + .bind_ifindex = wg->lowerdev, > .ipv6_v6only = true > }; > #endif > diff --git a/include/uapi/linux/wireguard.h b/include/uapi/linux/wireguard.h > index ae88be14c947..f3784885389a 100644 > --- a/include/uapi/linux/wireguard.h > +++ b/include/uapi/linux/wireguard.h > @@ -29,6 +29,7 @@ > * WGDEVICE_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN > * WGDEVICE_A_LISTEN_PORT: NLA_U16 > * WGDEVICE_A_FWMARK: NLA_U32 > + * WGDEVICE_A_LOWERDEV: NLA_U32 > * WGDEVICE_A_PEERS: NLA_NESTED > * 0: NLA_NESTED > * WGPEER_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN > @@ -83,6 +84,7 @@ > * WGDEVICE_A_PRIVATE_KEY: len WG_KEY_LEN, all zeros to remove > * WGDEVICE_A_LISTEN_PORT: NLA_U16, 0 to choose randomly > * WGDEVICE_A_FWMARK: NLA_U32, 0 to disable > + * WGDEVICE_A_LOWERDEV: NLA_U32, ifindex to bind lower transport, 0 to disable > * WGDEVICE_A_PEERS: NLA_NESTED > * 0: NLA_NESTED > * WGPEER_A_PUBLIC_KEY: len WG_KEY_LEN > @@ -157,6 +159,7 @@ enum wgdevice_attribute { > WGDEVICE_A_LISTEN_PORT, > WGDEVICE_A_FWMARK, > WGDEVICE_A_PEERS, > + WGDEVICE_A_LOWERDEV, > __WGDEVICE_A_LAST > }; > #define WGDEVICE_A_MAX (__WGDEVICE_A_LAST - 1) > -- > 2.42.0 > > From liuhangbin at gmail.com Tue Mar 18 10:25:07 2025 
From: liuhangbin at gmail.com (Hangbin Liu)
Date: Tue, 18 Mar 2025 10:25:07 -0000
Subject: [PATCHv4 RESEND net-next 0/2] selftests: wireguards: use nftables for testing
In-Reply-To: <20250106081043.2073169-1-liuhangbin@gmail.com>
References: <20250106081043.2073169-1-liuhangbin@gmail.com>
Message-ID:

Hi Jason,

I saw the patch status[1] is still "Awaiting Upstream". Is there anything I need to do?

[1] https://patchwork.kernel.org/project/netdevbpf/patch/20250106081043.2073169-2-liuhangbin at gmail.com/

Thanks
Hangbin

On Mon, Jan 06, 2025 at 08:10:41AM +0000, Hangbin Liu wrote:
> This patch set converts iptables to nftables for wireguard testing, as
> iptables is deprecated and nftables is the default framework of most releases.
>
> v3: drop iptables directly (Jason A. Donenfeld)
> Also convert to using nft for qemu testing (Jason A. Donenfeld)
> v2: use one nft table for testing (Phil Sutter)
>
> Hangbin Liu (2):
> selftests: wireguards: convert iptables to nft
> selftests: wireguard: update to using nft for qemu test
>
> tools/testing/selftests/wireguard/netns.sh | 29 +++++++++-----
> .../testing/selftests/wireguard/qemu/Makefile | 40 ++++++++++++++-----
> .../selftests/wireguard/qemu/kernel.config | 7 ++--
> 3 files changed, 53 insertions(+), 23 deletions(-)
>
> --
> 2.46.0
>

From horms at kernel.org Tue Mar 18 13:08:19 2025
From: horms at kernel.org (Simon Horman)
Date: Tue, 18 Mar 2025 13:08:19 -0000
Subject: [PATCH v2] wireguard: Add __nonstring annotations for unterminated strings
In-Reply-To: <20250312201447.it.157-kees@kernel.org>
References: <20250312201447.it.157-kees@kernel.org>
Message-ID: <20250318130811.GQ688833@kernel.org>

On Wed, Mar 12, 2025 at 01:14:51PM -0700, Kees Cook wrote:
> When a character array without a terminating NUL character has a static
> initializer, GCC 15's -Wunterminated-string-initialization will only
> warn if the array lacks the "nonstring" attribute[1]. Mark the arrays
> with __nonstring to correctly identify the char array as "not a C string"
> and thereby eliminate the warning:
>
> ../drivers/net/wireguard/cookie.c:29:56: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (9 chars into 8 available) [-Wunterminated-string-initialization]
>    29 | static const u8 mac1_key_label[COOKIE_KEY_LABEL_LEN] = "mac1----";
>       |                                                        ^~~~~~~~~~
> ../drivers/net/wireguard/cookie.c:30:58: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (9 chars into 8 available) [-Wunterminated-string-initialization]
>    30 | static const u8 cookie_key_label[COOKIE_KEY_LABEL_LEN] = "cookie--";
>       |                                                          ^~~~~~~~~~
> ../drivers/net/wireguard/noise.c:28:38: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (38 chars into 37 available) [-Wunterminated-string-initialization]
>    28 | static const u8 handshake_name[37] = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s";
>       |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ../drivers/net/wireguard/noise.c:29:39: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (35 chars into 34 available) [-Wunterminated-string-initialization]
>    29 | static const u8 identifier_name[34] = "WireGuard v1 zx2c4 Jason at zx2c4.com";
>       |                                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> The arrays are always used with their fixed size, so use __nonstring.
>
> Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117178 [1]
> Signed-off-by: Kees Cook
> ---
> v2: Improve commit log, add cookie nonstrings too
> v1: https://lore.kernel.org/lkml/20250310222249.work.154-kees at kernel.org/

Reviewed-by: Simon Horman

From Jason at zx2c4.com Wed Mar 19 16:04:43 2025
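As an added illustration (not part of Kees's patch or of the kernel sources), the pattern the commit message describes: an array whose initializer fills every byte carries no NUL, so it is marked nonstring and only ever handled with its fixed size. `NONSTRING`, `label_equals`, `build_label_input` and `label_to_cstr` are names chosen here, and the key bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable spelling of the kernel's __nonstring: GCC 8+ understands
 * __attribute__((nonstring)); compilers that do not simply drop it. */
#if defined(__has_attribute)
# if __has_attribute(nonstring)
#  define NONSTRING __attribute__((nonstring))
# endif
#endif
#ifndef NONSTRING
# define NONSTRING
#endif

#define COOKIE_KEY_LABEL_LEN 8

/* Same shape as the WireGuard labels in the patch: the initializer fills
 * every byte, so there is no terminating NUL and the array must never be
 * handed to strlen(), strcpy() or printf("%s"). The attribute is what
 * silences -Wunterminated-string-initialization on GCC 15. */
static const unsigned char mac1_key_label[COOKIE_KEY_LABEL_LEN] NONSTRING = "mac1----";
static const unsigned char cookie_key_label[COOKIE_KEY_LABEL_LEN] NONSTRING = "cookie--";

/* Compare a label the only safe way: with its fixed size. `expected` is a
 * real NUL-terminated literal, so strlen() on it is fine. */
static int label_equals(const unsigned char label[COOKIE_KEY_LABEL_LEN],
                        const char *expected)
{
    return strlen(expected) == COOKIE_KEY_LABEL_LEN &&
           memcmp(label, expected, COOKIE_KEY_LABEL_LEN) == 0;
}

/* Concatenate `label || key` as hash input (constructed example; the real
 * cookie code feeds label and public key through BLAKE2s, omitted here).
 * Returns the number of bytes written, or 0 if `out` is too small. */
static size_t build_label_input(unsigned char *out, size_t out_len,
                                const unsigned char label[COOKIE_KEY_LABEL_LEN],
                                const unsigned char *key, size_t key_len)
{
    if (out_len < COOKIE_KEY_LABEL_LEN + key_len)
        return 0;
    memcpy(out, label, COOKIE_KEY_LABEL_LEN);   /* fixed size, never strcpy */
    memcpy(out + COOKIE_KEY_LABEL_LEN, key, key_len);
    return COOKIE_KEY_LABEL_LEN + key_len;
}

/* The one legitimate way to print such a label: copy it into a buffer that
 * has room for the NUL the array deliberately lacks. */
static const char *label_to_cstr(const unsigned char label[COOKIE_KEY_LABEL_LEN],
                                 char out[COOKIE_KEY_LABEL_LEN + 1])
{
    memcpy(out, label, COOKIE_KEY_LABEL_LEN);
    out[COOKIE_KEY_LABEL_LEN] = '\0';
    return out;
}

int main(void)
{
    unsigned char key[4] = { 0xde, 0xad, 0xbe, 0xef };   /* constructed key bytes */
    unsigned char input[COOKIE_KEY_LABEL_LEN + sizeof(key)];
    char printable[COOKIE_KEY_LABEL_LEN + 1];

    printf("sizeof(mac1_key_label) = %zu (no room for a NUL)\n", sizeof(mac1_key_label));
    printf("mac1 label: %s\n", label_to_cstr(mac1_key_label, printable));
    printf("hash input length: %zu\n",
           build_label_input(input, sizeof(input), mac1_key_label, key, sizeof(key)));
    return 0;
}
```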
From: Jason at zx2c4.com (Jason A. Donenfeld) Date: Wed, 19 Mar 2025 16:04:43 -0000 Subject: [PATCH v2] wireguard: Add __nonstring annotations for unterminated strings In-Reply-To: <20250312201447.it.157-kees@kernel.org> References: <20250312201447.it.157-kees@kernel.org> Message-ID: Hi Kees, On Wed, Mar 12, 2025 at 01:14:51PM -0700, Kees Cook wrote: > When a character array without a terminating NUL character has a static > initializer, GCC 15's -Wunterminated-string-initialization will only > warn if the array lacks the "nonstring" attribute[1]. Mark the arrays > with __nonstring to correctly identify the char array as "not a C string" > and thereby eliminate the warning: > > ../drivers/net/wireguard/cookie.c:29:56: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (9 chars into 8 available) [-Wunterminated-string-initialization] > 29 | static const u8 mac1_key_label[COOKIE_KEY_LABEL_LEN] = "mac1----"; > | ^~~~~~~~~~ > ../drivers/net/wireguard/cookie.c:30:58: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (9 chars into 8 available) [-Wunterminated-string-initialization] > 30 | static const u8 cookie_key_label[COOKIE_KEY_LABEL_LEN] = "cookie--"; > | ^~~~~~~~~~ > ../drivers/net/wireguard/noise.c:28:38: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (38 chars into 37 available) [-Wunterminated-string-initialization] > 28 | static const u8 handshake_name[37] = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"; > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > ../drivers/net/wireguard/noise.c:29:39: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (35 chars into 34 available) [-Wunterminated-string-initialization] > 29 | static const u8 identifier_name[34] = "WireGuard v1 
zx2c4 Jason at zx2c4.com"; > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > The arrays are always used with their fixed size, so use __nonstring. > Applied. Thanks for the patch. Jason From Jason at zx2c4.com Wed Mar 19 16:10:28 2025 From: Jason at zx2c4.com (Jason A. Donenfeld) Date: Wed, 19 Mar 2025 16:10:28 -0000 Subject: [PATCHv4 RESEND net-next 1/2] selftests: wireguards: convert iptables to nft In-Reply-To: <20250106081043.2073169-2-liuhangbin@gmail.com> References: <20250106081043.2073169-1-liuhangbin@gmail.com> <20250106081043.2073169-2-liuhangbin@gmail.com> Message-ID: On Mon, Jan 06, 2025 at 08:10:42AM +0000, Hangbin Liu wrote: > +n0 nft add rule ip wgtest INPUT meta length 1360 counter drop What's the point of `counter` here? It's never read back. > +n0 nft add rule ip wgtest POSTROUTING ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter snat to 10.0.0.1 Ditto. > +n1 nft add rule ip wgtest OUTPUT counter meta mark set 0x1 Ditto. > +n2 nft add rule ip wgtest POSTROUTING ip saddr 10.0.0.0/24 ip daddr 192.168.241.0/24 counter snat to 192.168.241.2 Ditto. > +n0 nft add rule ip wgtest INPUT iifname "vethrs" ip saddr != 10.0.0.0/24 counter drop Ditto. From Jason at zx2c4.com Wed Mar 19 16:11:28 2025 From: Jason at zx2c4.com (Jason A. Donenfeld) Date: Wed, 19 Mar 2025 16:11:28 -0000 Subject: [PATCHv4 RESEND net-next 0/2] selftests: wireguards: use nftables for testing In-Reply-To: References: <20250106081043.2073169-1-liuhangbin@gmail.com> Message-ID: On Tue, Mar 18, 2025 at 10:24:40AM +0000, Hangbin Liu wrote: > I saw the patch status[1] is still "Awaiting Upstream". > Is there anything I need to do? I'm looking at it now, but the subject line of your series says, "selftests: wireguards: " which is really not the same as all the other patches that touch these files. Jason From Jason at zx2c4.com Wed Mar 19 16:15:51 2025 
From: Jason at zx2c4.com (Jason A. Donenfeld) Date: Wed, 19 Mar 2025 16:15:51 -0000 Subject: [PATCHv4 RESEND net-next 2/2] selftests: wireguard: update to using nft for qemu test In-Reply-To: <20250106081043.2073169-3-liuhangbin@gmail.com> References: <20250106081043.2073169-1-liuhangbin@gmail.com> <20250106081043.2073169-3-liuhangbin@gmail.com> Message-ID: On Mon, Jan 06, 2025 at 08:10:43AM +0000, Hangbin Liu wrote: > + echo "file /bin/nft $(NFTABLES_PATH)/src/nft 755 0 0" >> $@ > + echo "file /lib/libmnl.so.0 $(TOOLCHAIN_PATH)/lib/libmnl.so.0 755 0 0" >> $@ > + echo "file /lib/libnftnl.so.11 $(TOOLCHAIN_PATH)/lib/libnftnl.so.11 755 0 0" >> $@ Can't these be statically linked into the nft binary? From Jason at zx2c4.com Wed Mar 19 16:59:25 2025 From: Jason at zx2c4.com (Jason A. Donenfeld) Date: Wed, 19 Mar 2025 16:59:25 -0000 Subject: [PATCH net-next] wireguard: use rhashtables instead of hashtables In-Reply-To: <20250105110036.70720-2-demonihin@gmail.com> References: <20250105110036.70720-2-demonihin@gmail.com> Message-ID: On Sun, Jan 05, 2025 at 12:00:17PM +0100, Dmitrii Ermakov wrote: > @@ -74,7 +75,6 @@ struct noise_handshake { > u8 remote_static[NOISE_PUBLIC_KEY_LEN]; > u8 remote_ephemeral[NOISE_PUBLIC_KEY_LEN]; > u8 precomputed_static_static[NOISE_PUBLIC_KEY_LEN]; > - > u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN]; > > u8 hash[NOISE_HASH_LEN]; 
> @@ -83,6 +83,8 @@ struct noise_handshake { > u8 latest_timestamp[NOISE_TIMESTAMP_LEN]; > __le32 remote_index; > > + siphash_key_t hash_seed; Why? > +#include "linux/printk.h" > +#include "linux/rcupdate.h" > +#include "linux/rhashtable-types.h" > +#include "linux/rhashtable.h" > +#include "linux/siphash.h" Seems wrong. > +#include "messages.h" > #include "peer.h" > #include "noise.h" > +#include "linux/memory.h" Ditto. > > -static struct hlist_head *pubkey_bucket(struct pubkey_hashtable *table, > - const u8 pubkey[NOISE_PUBLIC_KEY_LEN]) > +static inline u32 index_hashfn(const void *data, u32 len, u32 seed) > { > - /* siphash gives us a secure 64bit number based on a random key. Since > - * the bits are uniformly distributed, we can then mask off to get the > - * bits we need. > - */ > - const u64 hash = siphash(pubkey, NOISE_PUBLIC_KEY_LEN, &table->key); > + const u32 *index = data; > + return *index; > +} But shouldn't this actually use siphash? What's happening here? > +struct peer_hash_pubkey { > + siphash_key_t key; > + u8 pubkey[NOISE_PUBLIC_KEY_LEN]; > +}; > + > +static inline u32 wg_peer_obj_hashfn(const void *data, u32 len, u32 seed) > +{ > + const struct wg_peer *peer = data; > + struct peer_hash_pubkey key; > + u64 hash; > + > + memcpy(&key.key, &peer->handshake.hash_seed, sizeof(key.key)); > + memcpy(&key.pubkey, &peer->handshake.remote_static, NOISE_PUBLIC_KEY_LEN); > + > + hash = siphash(&key.pubkey, NOISE_PUBLIC_KEY_LEN, &key.key); Why this weird construction with this other struct? I'll stop reading here. There's a lot of strangeness with this patch. Maybe it's workable with enough care, but I think to review this into shape, in its current state, would be about the same as just rewriting it. From liuhangbin at gmail.com Thu Mar 20 07:41:06 2025 
From: liuhangbin at gmail.com (Hangbin Liu)
Date: Thu, 20 Mar 2025 07:41:06 -0000
Subject: [PATCHv4 RESEND net-next 0/2] selftests: wireguards: use nftables for testing
In-Reply-To:
References: <20250106081043.2073169-1-liuhangbin@gmail.com>
Message-ID:

On Wed, Mar 19, 2025 at 05:11:15PM +0100, Jason A. Donenfeld wrote:
> On Tue, Mar 18, 2025 at 10:24:40AM +0000, Hangbin Liu wrote:
> > I saw the patch status[1] is still "Awaiting Upstream".
> > Is there anything I need to do?
>
> I'm looking at it now, but the subject line of your series says,
> "selftests: wireguards: " which is really not the same as all the other
> patches that touch these files.

Oh, I will fix the name in the next patch.

Hangbin

From liuhangbin at gmail.com Fri Mar 21 10:40:35 2025
From: liuhangbin at gmail.com (Hangbin Liu)
Date: Fri, 21 Mar 2025 10:40:35 -0000
Subject: [PATCHv4 RESEND net-next 2/2] selftests: wireguard: update to using nft for qemu test
In-Reply-To:
References: <20250106081043.2073169-1-liuhangbin@gmail.com> <20250106081043.2073169-3-liuhangbin@gmail.com>
Message-ID:

Hi Jason, Phil,

On Wed, Mar 19, 2025 at 05:15:41PM +0100, Jason A. Donenfeld wrote:
> On Mon, Jan 06, 2025 at 08:10:43AM +0000, Hangbin Liu wrote:
> > + echo "file /bin/nft $(NFTABLES_PATH)/src/nft 755 0 0" >> $@
> > + echo "file /lib/libmnl.so.0 $(TOOLCHAIN_PATH)/lib/libmnl.so.0 755 0 0" >> $@
> > + echo "file /lib/libnftnl.so.11 $(TOOLCHAIN_PATH)/lib/libnftnl.so.11 755 0 0" >> $@
>
> Can't these be statically linked into the nft binary?

If I omit these, I will get an error like

mnl_attr_put: symbol not found

Even though I set `--enable-static` in nft build.

Do you know what's the reason?

Thanks
Hangbin

From phil at nwl.cc Fri Mar 21 11:42:49 2025
From: phil at nwl.cc (Phil Sutter)
Date: Fri, 21 Mar 2025 11:42:49 -0000
Subject: [PATCHv4 RESEND net-next 2/2] selftests: wireguard: update to using nft for qemu test
In-Reply-To:
References: <20250106081043.2073169-1-liuhangbin@gmail.com> <20250106081043.2073169-3-liuhangbin@gmail.com>
Message-ID:

Hi Hangbin,

On Fri, Mar 21, 2025 at 10:40:25AM +0000, Hangbin Liu wrote:
> Hi Jason, Phil,
> On Wed, Mar 19, 2025 at 05:15:41PM +0100, Jason A. Donenfeld wrote:
> > On Mon, Jan 06, 2025 at 08:10:43AM +0000, Hangbin Liu wrote:
> > > + echo "file /bin/nft $(NFTABLES_PATH)/src/nft 755 0 0" >> $@
> > > + echo "file /lib/libmnl.so.0 $(TOOLCHAIN_PATH)/lib/libmnl.so.0 755 0 0" >> $@
> > > + echo "file /lib/libnftnl.so.11 $(TOOLCHAIN_PATH)/lib/libnftnl.so.11 755 0 0" >> $@
> >
> > Can't these be statically linked into the nft binary?
>
> If I omit these, I will get an error like
>
> mnl_attr_put: symbol not found
>
> Even though I set `--enable-static` in nft build.
>
> Do you know what's the reason?

I was able to have nft linked statically against built libmnl and
libnftnl by passing '--disable-shared --enable-static' to configure
calls of all three build systems. With --enable-shared in library
configure calls, nftables build preferred to link against the DSOs and I
did not find a way to change this.

Cheers, Phil

From liuhangbin at gmail.com Fri Mar 21 12:45:27 2025
From: liuhangbin at gmail.com (Hangbin Liu) Date: Fri, 21 Mar 2025 12:45:27 -0000 Subject: [PATCHv4 RESEND net-next 2/2] selftests: wireguard: update to using nft for qemu test In-Reply-To: References: <20250106081043.2073169-1-liuhangbin@gmail.com> <20250106081043.2073169-3-liuhangbin@gmail.com> Message-ID: On Fri, Mar 21, 2025 at 12:42:42PM +0100, Phil Sutter wrote: > Hi Hangbin, > > On Fri, Mar 21, 2025 at 10:40:25AM +0000, Hangbin Liu wrote: > > Hi Jason, Phil, > > On Wed, Mar 19, 2025 at 05:15:41PM +0100, Jason A. Donenfeld wrote: > > > On Mon, Jan 06, 2025 at 08:10:43AM +0000, Hangbin Liu wrote: > > > > + echo "file /bin/nft $(NFTABLES_PATH)/src/nft 755 0 0" >> $@ > > > > + echo "file /lib/libmnl.so.0 $(TOOLCHAIN_PATH)/lib/libmnl.so.0 755 0 0" >> $@ > > > > + echo "file /lib/libnftnl.so.11 $(TOOLCHAIN_PATH)/lib/libnftnl.so.11 755 0 0" >> $@ > > > > > > Can't these be statically linked into the nft binary? > > > > If I omit these, I will got error like > > > > mnl_attr_put: symbol not found > > > > Even though I set `--enable-static` in nft build. > > > > Do you know what's the reason? > > I was able to have nft linked statically against built libmnl and > libnftnl by passing '--disable-shared --enable-static' to configure > calls of all three build systems. With --enable-shared in library > configure calls, nftables build preferred to link against the DSOs and I > did not find a way to change this. The patch is using "./configure --prefix=/ $(CROSS_COMPILE_FLAG) --enable-static \ --disable-shared --disable-debug --disable-man-doc --with-mini-gmp --without-cli" to build nft. I don't know why it's not linked static. Thanks Hangbin From Jason at zx2c4.com Fri Mar 21 12:51:11 2025 
From: Jason at zx2c4.com (Jason A. Donenfeld) Date: Fri, 21 Mar 2025 12:51:11 -0000 Subject: [PATCHv4 RESEND net-next 2/2] selftests: wireguard: update to using nft for qemu test In-Reply-To: References: <20250106081043.2073169-1-liuhangbin@gmail.com> <20250106081043.2073169-3-liuhangbin@gmail.com> Message-ID: On Fri, Mar 21, 2025 at 12:45:17PM +0000, Hangbin Liu wrote: > On Fri, Mar 21, 2025 at 12:42:42PM +0100, Phil Sutter wrote: > > Hi Hangbin, > > > > On Fri, Mar 21, 2025 at 10:40:25AM +0000, Hangbin Liu wrote: > > > Hi Jason, Phil, > > > On Wed, Mar 19, 2025 at 05:15:41PM +0100, Jason A. Donenfeld wrote: > > > > On Mon, Jan 06, 2025 at 08:10:43AM +0000, Hangbin Liu wrote: > > > > > + echo "file /bin/nft $(NFTABLES_PATH)/src/nft 755 0 0" >> $@ > > > > > + echo "file /lib/libmnl.so.0 $(TOOLCHAIN_PATH)/lib/libmnl.so.0 755 0 0" >> $@ > > > > > + echo "file /lib/libnftnl.so.11 $(TOOLCHAIN_PATH)/lib/libnftnl.so.11 755 0 0" >> $@ > > > > > > > > Can't these be statically linked into the nft binary? > > > > > > If I omit these, I will got error like > > > > > > mnl_attr_put: symbol not found > > > > > > Even though I set `--enable-static` in nft build. > > > > > > Do you know what's the reason? > > > > I was able to have nft linked statically against built libmnl and > > libnftnl by passing '--disable-shared --enable-static' to configure > > calls of all three build systems. With --enable-shared in library > > configure calls, nftables build preferred to link against the DSOs and I > > did not find a way to change this. > > The patch is using > "./configure --prefix=/ $(CROSS_COMPILE_FLAG) --enable-static \ > --disable-shared --disable-debug --disable-man-doc --with-mini-gmp --without-cli" > to build nft. > > I don't know why it's not linked static. All three DSOs... From phil at nwl.cc Fri Mar 21 14:40:26 2025 
From: phil at nwl.cc (Phil Sutter)
Date: Fri, 21 Mar 2025 14:40:26 -0000
Subject: [PATCHv4 RESEND net-next 2/2] selftests: wireguard: update to using nft for qemu test
In-Reply-To:
References: <20250106081043.2073169-1-liuhangbin@gmail.com> <20250106081043.2073169-3-liuhangbin@gmail.com>
Message-ID:

On Fri, Mar 21, 2025 at 12:45:17PM +0000, Hangbin Liu wrote:
> On Fri, Mar 21, 2025 at 12:42:42PM +0100, Phil Sutter wrote:
> > Hi Hangbin,
> >
> > On Fri, Mar 21, 2025 at 10:40:25AM +0000, Hangbin Liu wrote:
> > > Hi Jason, Phil,
> > > On Wed, Mar 19, 2025 at 05:15:41PM +0100, Jason A. Donenfeld wrote:
> > > > On Mon, Jan 06, 2025 at 08:10:43AM +0000, Hangbin Liu wrote:
> > > > > + echo "file /bin/nft $(NFTABLES_PATH)/src/nft 755 0 0" >> $@
> > > > > + echo "file /lib/libmnl.so.0 $(TOOLCHAIN_PATH)/lib/libmnl.so.0 755 0 0" >> $@
> > > > > + echo "file /lib/libnftnl.so.11 $(TOOLCHAIN_PATH)/lib/libnftnl.so.11 755 0 0" >> $@
> > > >
> > > > Can't these be statically linked into the nft binary?
> > >
> > > If I omit these, I will get an error like
> > >
> > > mnl_attr_put: symbol not found
> > >
> > > Even though I set `--enable-static` in nft build.
> > >
> > > Do you know what's the reason?
> >
> > I was able to have nft linked statically against built libmnl and
> > libnftnl by passing '--disable-shared --enable-static' to configure
> > calls of all three build systems. With --enable-shared in library
> > configure calls, nftables build preferred to link against the DSOs and I
> > did not find a way to change this.
>
> The patch is using
> "./configure --prefix=/ $(CROSS_COMPILE_FLAG) --enable-static \
> --disable-shared --disable-debug --disable-man-doc --with-mini-gmp --without-cli"
> to build nft.

Do you pass that to the configure calls for libnftnl and libmnl, too? I
didn't find a way to force static linking in nftables build system, so I
disabled building of shared libmnl/libnftnl libraries.

Cheers, Phil

From liuhangbin at gmail.com Sat Mar 22 09:25:29 2025
From: liuhangbin at gmail.com (Hangbin Liu) Date: Sat, 22 Mar 2025 09:25:29 -0000 Subject: [PATCHv4 RESEND net-next 2/2] selftests: wireguard: update to using nft for qemu test In-Reply-To: References: <20250106081043.2073169-1-liuhangbin@gmail.com> <20250106081043.2073169-3-liuhangbin@gmail.com> Message-ID: On Fri, Mar 21, 2025 at 03:40:20PM +0100, Phil Sutter wrote: > On Fri, Mar 21, 2025 at 12:45:17PM +0000, Hangbin Liu wrote: > > On Fri, Mar 21, 2025 at 12:42:42PM +0100, Phil Sutter wrote: > > > Hi Hangbin, > > > > > > On Fri, Mar 21, 2025 at 10:40:25AM +0000, Hangbin Liu wrote: > > > > Hi Jason, Phil, > > > > On Wed, Mar 19, 2025 at 05:15:41PM +0100, Jason A. Donenfeld wrote: > > > > > On Mon, Jan 06, 2025 at 08:10:43AM +0000, Hangbin Liu wrote: > > > > > > + echo "file /bin/nft $(NFTABLES_PATH)/src/nft 755 0 0" >> $@ > > > > > > + echo "file /lib/libmnl.so.0 $(TOOLCHAIN_PATH)/lib/libmnl.so.0 755 0 0" >> $@ > > > > > > + echo "file /lib/libnftnl.so.11 $(TOOLCHAIN_PATH)/lib/libnftnl.so.11 755 0 0" >> $@ > > > > > > > > > > Can't these be statically linked into the nft binary? > > > > > > > > If I omit these, I will got error like > > > > > > > > mnl_attr_put: symbol not found > > > > > > > > Even though I set `--enable-static` in nft build. > > > > > > > > Do you know what's the reason? > > > > > > I was able to have nft linked statically against built libmnl and > > > libnftnl by passing '--disable-shared --enable-static' to configure > > > calls of all three build systems. With --enable-shared in library > > > configure calls, nftables build preferred to link against the DSOs and I > > > did not find a way to change this. > > > > The patch is using > > "./configure --prefix=/ $(CROSS_COMPILE_FLAG) --enable-static \ > > --disable-shared --disable-debug --disable-man-doc --with-mini-gmp --without-cli" > > to build nft. > > Do you pass that to the configure calls for libnftnl and libmnl, too? 
I > didn't find a way to force static linking in nftables build system, so I > disabled building of shared libmnl/libnftnl libraries. > It works after pass that to libnftnl and libmnl. Thanks Hangbin From liuhangbin at gmail.com Sat Mar 22 09:30:31 2025 From: liuhangbin at gmail.com (Hangbin Liu) Date: Sat, 22 Mar 2025 09:30:31 -0000 Subject: [PATCHv5 net-next 0/2] wireguard: selftests: use nftables for testing Message-ID: <20250322093016.16631-1-liuhangbin@gmail.com> This patch set convert iptables to nftables for wireguard testing, as iptables is deparated and nftables is the default framework of most releases. v5: remove the counter in nft rules and link nft statically (Jason A. Donenfeld) v4: no update, just re-send v3: drop iptables directly (Jason A. Donenfeld) Also convert to using nft for qemu testing (Jason A. Donenfeld) v2: use one nft table for testing (Phil Sutter) Hangbin Liu (2): wireguard: selftests: convert iptables to nft wireguard: selftests: update to using nft for qemu test tools/testing/selftests/wireguard/netns.sh | 29 +++++++++------ .../testing/selftests/wireguard/qemu/Makefile | 36 ++++++++++++++----- .../selftests/wireguard/qemu/kernel.config | 7 ++-- 3 files changed, 49 insertions(+), 23 deletions(-) -- 2.46.0 From liuhangbin at gmail.com Sat Mar 22 09:30:37 2025 From: liuhangbin at gmail.com (Hangbin Liu) Date: Sat, 22 Mar 2025 09:30:37 -0000 Subject: [PATCHv5 net-next 1/2] wireguard: selftests: convert iptables to nft In-Reply-To: <20250322093016.16631-1-liuhangbin@gmail.com> References: <20250322093016.16631-1-liuhangbin@gmail.com> Message-ID: <20250322093016.16631-2-liuhangbin@gmail.com> Convert iptabels to nft as it is the replacement for iptables, which is used by default in most releases. Signed-off-by: Hangbin Liu --- tools/testing/selftests/wireguard/netns.sh | 29 ++++++++++++++-------- 1 file changed, 19 insertions(+), 10 deletions(-) 
diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh index 55500f901fbc..8b840fef90af 100755 --- a/tools/testing/selftests/wireguard/netns.sh +++ b/tools/testing/selftests/wireguard/netns.sh @@ -75,6 +75,11 @@ pp ip netns add $netns1 pp ip netns add $netns2 ip0 link set up dev lo +# init nft tables +n0 nft add table ip wgtest +n1 nft add table ip wgtest +n2 nft add table ip wgtest + ip0 link add dev wg0 type wireguard ip0 link set wg0 netns $netns1 ip0 link add dev wg0 type wireguard @@ -196,13 +201,14 @@ ip1 link set wg0 mtu 1300 ip2 link set wg0 mtu 1300 n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2 n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1 -n0 iptables -A INPUT -m length --length 1360 -j DROP +n0 nft add chain ip wgtest INPUT { type filter hook input priority filter \; policy accept \; } +n0 nft add rule ip wgtest INPUT meta length 1360 drop n1 ip route add 192.168.241.2/32 dev wg0 mtu 1299 n2 ip route add 192.168.241.1/32 dev wg0 mtu 1299 n2 ping -c 1 -W 1 -s 1269 192.168.241.1 n2 ip route delete 192.168.241.1/32 dev wg0 mtu 1299 n1 ip route delete 192.168.241.2/32 dev wg0 mtu 1299 -n0 iptables -F INPUT +n0 nft flush table ip wgtest ip1 link set wg0 mtu $orig_mtu ip2 link set wg0 mtu $orig_mtu @@ -335,7 +341,8 @@ n0 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward' [[ -e /proc/sys/net/netfilter/nf_conntrack_udp_timeout ]] || modprobe nf_conntrack n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout' n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream' -n0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1 +n0 nft add chain ip wgtest POSTROUTING { type nat hook postrouting priority srcnat\; policy accept \; } +n0 nft add rule ip wgtest POSTROUTING ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 snat to 10.0.0.1 n1 wg set wg0 peer "$pub2" endpoint 10.0.0.100:2 persistent-keepalive 1 n1 ping -W 1 -c 1 192.168.241.2 
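Review bot: in the `@@ -196,13 +201,14 @@` hunk, `n0 nft flush table ip wgtest` replaces `n0 iptables -F INPUT`, which only flushed one chain. Flushing the whole table is equivalent here only because n0 has nothing else in wgtest at this point in the script; it stops being equivalent as soon as another n0 rule (the POSTROUTING snat added later in the file, for instance) is moved ahead of it. `n0 nft flush chain ip wgtest INPUT` keeps the one-to-one mapping with the command it replaces, and the same applies to the `n1 nft flush table ip wgtest` that stands in for the single `-D OUTPUT` in the next hunk. Note also that `flush table` leaves the hooked base chains registered (empty, with their accept policy), which is harmless only because `add chain` is idempotent when the chain is re-added later.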
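Review bot: cosmetic, but in the `@@ -335,7 +341,8 @@` hunk the chain definition is spelled `priority srcnat\;` while the INPUT chains in this file use `priority filter \;` with a space before the escaped semicolon. Both parse, since nft only needs the `;` separator and the shell hands it over either way, but one spelling across the file would make the `add chain` lines easier to grep and compare.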
@@ -349,10 +356,11 @@ n1 wg set wg0 peer "$pub2" persistent-keepalive 0 # Test that sk_bound_dev_if works n1 ping -I wg0 -c 1 -W 1 192.168.241.2 # What about when the mark changes and the packet must be rerouted? -n1 iptables -t mangle -I OUTPUT -j MARK --set-xmark 1 +n1 nft add chain ip wgtest OUTPUT { type route hook output priority mangle\; policy accept \; } +n1 nft add rule ip wgtest OUTPUT meta mark set 0x1 n1 ping -c 1 -W 1 192.168.241.2 # First the boring case n1 ping -I wg0 -c 1 -W 1 192.168.241.2 # Then the sk_bound_dev_if case -n1 iptables -t mangle -D OUTPUT -j MARK --set-xmark 1 +n1 nft flush table ip wgtest # Test that onion routing works, even when it loops n1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5 
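Review bot: `type route hook output priority mangle` is the right choice for this chain, not `type filter`: the comment above the rule says the test is about the packet being rerouted when the mark changes, and only a route-type chain makes the kernel redo the route lookup after `meta mark set 0x1`, which is what the old mangle-table OUTPUT rule did implicitly. A short comment on the `add chain` line saying so would stop a later cleanup from downgrading it to `type filter`, which could leave the ping passing while the reroute path is no longer exercised.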
@@ -386,16 +394,17 @@ n1 ping -W 1 -c 100 -f 192.168.99.7 n1 ping -W 1 -c 100 -f abab::1111 # Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route. -n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2 -n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit. +n2 nft add chain ip wgtest POSTROUTING { type nat hook postrouting priority srcnat\; policy accept \; } +n2 nft add rule ip wgtest POSTROUTING ip saddr 10.0.0.0/24 ip daddr 192.168.241.0/24 snat to 192.168.241.2 +n0 nft add chain ip wgtest INPUT { type filter hook input priority filter \; policy accept \; } +n0 nft add rule ip wgtest INPUT iifname "vethrs" ip saddr != 10.0.0.0/24 drop n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward' ip0 -4 route add 192.168.241.1 via 10.0.0.100 n2 wg set wg0 peer "$pub1" remove [[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]] -n0 iptables -t nat -F -n0 iptables -t filter -F -n2 iptables -t nat -F +n0 nft flush table ip wgtest +n2 nft flush table ip wgtest ip0 link del vethrc ip0 link del vethrs ip1 link del wg0 -- 2.46.0 From phil at nwl.cc Sun Mar 23 21:10:41 2025 From: phil at nwl.cc (Phil Sutter) Date: Sun, 23 Mar 2025 21:10:41 -0000 Subject: [PATCHv5 net-next 1/2] wireguard: selftests: convert iptables to nft In-Reply-To: <20250322093016.16631-2-liuhangbin@gmail.com> References: <20250322093016.16631-1-liuhangbin@gmail.com> <20250322093016.16631-2-liuhangbin@gmail.com> Message-ID: On Sat, Mar 22, 2025 at 09:30:15AM +0000, Hangbin Liu wrote: > Convert iptabels to nft as it is the replacement for iptables, which is used ~~~~~~~~ Typo, but I would write "Convert the selftest to nft ..." instead since that is what you're converting, iptables is just replaced. :) > by default in most releases. 
> > Signed-off-by: Hangbin Liu > --- > tools/testing/selftests/wireguard/netns.sh | 29 ++++++++++++++-------- > 1 file changed, 19 insertions(+), 10 deletions(-) > > diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh > index 55500f901fbc..8b840fef90af 100755 > --- a/tools/testing/selftests/wireguard/netns.sh > +++ b/tools/testing/selftests/wireguard/netns.sh > @@ -75,6 +75,11 @@ pp ip netns add $netns1 > pp ip netns add $netns2 > ip0 link set up dev lo > > +# init nft tables > +n0 nft add table ip wgtest > +n1 nft add table ip wgtest > +n2 nft add table ip wgtest > + > ip0 link add dev wg0 type wireguard > ip0 link set wg0 netns $netns1 > ip0 link add dev wg0 type wireguard > @@ -196,13 +201,14 @@ ip1 link set wg0 mtu 1300 > ip2 link set wg0 mtu 1300 > n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2 > n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1 > -n0 iptables -A INPUT -m length --length 1360 -j DROP > +n0 nft add chain ip wgtest INPUT { type filter hook input priority filter \; policy accept \; } You may skip the 'policy accept \;' part in all 'add chain' commands as this is the default for all chains. Unless you prefer to explicitly state the chain policy, of course. Cheers, Phil From liuhangbin at gmail.com Mon Mar 24 03:15:53 2025 From: liuhangbin at gmail.com (Hangbin Liu) Date: Mon, 24 Mar 2025 03:15:53 -0000 Subject: [PATCHv5 net-next 1/2] wireguard: selftests: convert iptables to nft In-Reply-To: References: <20250322093016.16631-1-liuhangbin@gmail.com> <20250322093016.16631-2-liuhangbin@gmail.com> Message-ID: On Sun, Mar 23, 2025 at 10:10:33PM +0100, Phil Sutter wrote: > On Sat, Mar 22, 2025 at 09:30:15AM +0000, Hangbin Liu wrote: > > Convert iptabels to nft as it is the replacement for iptables, which is used > ~~~~~~~~ > > Typo, but I would write "Convert the selftest to nft ..." instead since > that is what you're converting, iptables is just replaced. :) > > > by default in most releases. 
> > > > Signed-off-by: Hangbin Liu > > --- > > tools/testing/selftests/wireguard/netns.sh | 29 ++++++++++++++-------- > > 1 file changed, 19 insertions(+), 10 deletions(-) > > > > diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh > > index 55500f901fbc..8b840fef90af 100755 > > --- a/tools/testing/selftests/wireguard/netns.sh > > +++ b/tools/testing/selftests/wireguard/netns.sh > > @@ -75,6 +75,11 @@ pp ip netns add $netns1 > > pp ip netns add $netns2 > > ip0 link set up dev lo > > > > +# init nft tables > > +n0 nft add table ip wgtest > > +n1 nft add table ip wgtest > > +n2 nft add table ip wgtest > > + > > ip0 link add dev wg0 type wireguard > > ip0 link set wg0 netns $netns1 > > ip0 link add dev wg0 type wireguard > > @@ -196,13 +201,14 @@ ip1 link set wg0 mtu 1300 > > ip2 link set wg0 mtu 1300 > > n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2 > > n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1 > > -n0 iptables -A INPUT -m length --length 1360 -j DROP > > +n0 nft add chain ip wgtest INPUT { type filter hook input priority filter \; policy accept \; } > > You may skip the 'policy accept \;' part in all 'add chain' commands as > this is the default for all chains. Unless you prefer to explicitly > state the chain policy, of course. Yes, I would prefer to keep the "policy accept" unless Jason has objects. Thanks Hangbin From liuhangbin at gmail.com Wed Mar 26 06:25:24 2025 
From: liuhangbin at gmail.com (Hangbin Liu) Date: Wed, 26 Mar 2025 06:25:24 -0000 Subject: [PATCHv5 net-next 1/2] wireguard: selftests: convert iptables to nft In-Reply-To: References: <20250322093016.16631-1-liuhangbin@gmail.com> <20250322093016.16631-2-liuhangbin@gmail.com> Message-ID: On Sun, Mar 23, 2025 at 10:10:33PM +0100, Phil Sutter wrote: > On Sat, Mar 22, 2025 at 09:30:15AM +0000, Hangbin Liu wrote: > > Convert iptabels to nft as it is the replacement for iptables, which is used > ~~~~~~~~ > > Typo, but I would write "Convert the selftest to nft ..." instead since > that is what you're converting, iptables is just replaced. :) Hi Jason, I saw net-next is closed. Should I wait for net-next to re-open to post the new version and fix the typo? I'm not sure about the wg branch policy. Thanks Hangbin > > > by default in most releases. > > > > Signed-off-by: Hangbin Liu > > --- > > tools/testing/selftests/wireguard/netns.sh | 29 ++++++++++++++-------- > > 1 file changed, 19 insertions(+), 10 deletions(-) > > > > diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh > > index 55500f901fbc..8b840fef90af 100755 > > --- a/tools/testing/selftests/wireguard/netns.sh > > +++ b/tools/testing/selftests/wireguard/netns.sh > > @@ -75,6 +75,11 @@ pp ip netns add $netns1 > > pp ip netns add $netns2 > > ip0 link set up dev lo > > > > +# init nft tables > > +n0 nft add table ip wgtest > > +n1 nft add table ip wgtest > > +n2 nft add table ip wgtest > > + > > ip0 link add dev wg0 type wireguard > > ip0 link set wg0 netns $netns1 > > ip0 link add dev wg0 type wireguard 
> > @@ -196,13 +201,14 @@ ip1 link set wg0 mtu 1300 > > ip2 link set wg0 mtu 1300 > > n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2 > > n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1 > > -n0 iptables -A INPUT -m length --length 1360 -j DROP > > +n0 nft add chain ip wgtest INPUT { type filter hook input priority filter \; policy accept \; } > > You may skip the 'policy accept \;' part in all 'add chain' commands as > this is the default for all chains. Unless you prefer to explicitly > state the chain policy, of course. > > Cheers, Phil From syzbot+7da6c19dc528c2ebc612 at syzkaller.appspotmail.com Fri Mar 28 23:20:05 2025 From: syzbot+7da6c19dc528c2ebc612 at syzkaller.appspotmail.com (syzbot) Date: Fri, 28 Mar 2025 23:20:05 -0000 Subject: [syzbot] [wireguard?] INFO: task hung in wg_destruct (2) In-Reply-To: <66fa2708.050a0220.aab67.0025.GAE@google.com> Message-ID: <67e72ea3.050a0220.1547ec.0000.GAE@google.com> syzbot suspects this issue was fixed by commit: commit 66951e4860d3c688bfa550ea4a19635b57e00eca Author: Peter Zijlstra Date: Mon Jan 13 12:50:11 2025 +0000 sched/fair: Fix update_cfs_group() vs DELAY_DEQUEUE bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16f07804580000 start commit: e32cde8d2bd7 Merge tag 'sched_ext-for-6.12-rc1-fixes-1' of.. git tree: upstream kernel config: https://syzkaller.appspot.com/x/.config?x=286b31f2cf1c36b5 dashboard link: https://syzkaller.appspot.com/bug?extid=7da6c19dc528c2ebc612 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=146ae580580000 If the result looks correct, please mark the issue as fixed by replying with: #syz fix: sched/fair: Fix update_cfs_group() vs DELAY_DEQUEUE For information about bisection process see: https://goo.gl/tpsmEJ#bisection From liuhangbin at gmail.com Sat Mar 22 09:30:45 2025 
From: liuhangbin at gmail.com (Hangbin Liu) Date: Sat, 22 Mar 2025 09:30:45 -0000 Subject: [PATCHv5 net-next 2/2] wireguard: selftests: update to using nft for qemu test In-Reply-To: <20250322093016.16631-1-liuhangbin@gmail.com> References: <20250322093016.16631-1-liuhangbin@gmail.com> Message-ID: <20250322093016.16631-3-liuhangbin@gmail.com> Since we will replace iptables with nft for wireguard netns testing, let's also convert the qemu test to use nft at the same time. Co-developed-by: Phil Sutter Signed-off-by: Phil Sutter Signed-off-by: Hangbin Liu --- .../testing/selftests/wireguard/qemu/Makefile | 36 ++++++++++++++----- .../selftests/wireguard/qemu/kernel.config | 7 ++-- 2 files changed, 30 insertions(+), 13 deletions(-) diff --git a/tools/testing/selftests/wireguard/qemu/Makefile b/tools/testing/selftests/wireguard/qemu/Makefile index 35856b11c143..2442ae99f007 100644 --- a/tools/testing/selftests/wireguard/qemu/Makefile +++ b/tools/testing/selftests/wireguard/qemu/Makefile 
@@ -40,7 +40,9 @@ endef $(eval $(call tar_download,IPERF,iperf,3.11,.tar.gz,https://downloads.es.net/pub/iperf/,de8cb409fad61a0574f4cb07eb19ce1159707403ac2dc01b5d175e91240b7e5f)) $(eval $(call tar_download,BASH,bash,5.1.16,.tar.gz,https://ftp.gnu.org/gnu/bash/,5bac17218d3911834520dad13cd1f85ab944e1c09ae1aba55906be1f8192f558)) $(eval $(call tar_download,IPROUTE2,iproute2,5.17.0,.tar.gz,https://www.kernel.org/pub/linux/utils/net/iproute2/,bda331d5c4606138892f23a565d78fca18919b4d508a0b7ca8391c2da2db68b9)) -$(eval $(call tar_download,IPTABLES,iptables,1.8.7,.tar.bz2,https://www.netfilter.org/projects/iptables/files/,c109c96bb04998cd44156622d36f8e04b140701ec60531a10668cfdff5e8d8f0)) +$(eval $(call tar_download,LIBMNL,libmnl,1.0.5,.tar.bz2,https://www.netfilter.org/projects/libmnl/files/,274b9b919ef3152bfb3da3a13c950dd60d6e2bcd54230ffeca298d03b40d0525)) +$(eval $(call tar_download,LIBNFTNL,libnftnl,1.2.8,.tar.xz,https://www.netfilter.org/projects/libnftnl/files/,37fea5d6b5c9b08de7920d298de3cdc942e7ae64b1a3e8b880b2d390ae67ad95)) +$(eval $(call tar_download,NFTABLES,nftables,1.1.1,.tar.xz,https://www.netfilter.org/projects/nftables/files/,6358830f3a64f31e39b0ad421d7dadcd240b72343ded48d8ef13b8faf204865a)) $(eval $(call tar_download,NMAP,nmap,7.92,.tgz,https://nmap.org/dist/,064183ea642dc4c12b1ab3b5358ce1cef7d2e7e11ffa2849f16d339f5b717117)) $(eval $(call tar_download,IPUTILS,iputils,s20190709,.tar.gz,https://github.com/iputils/iputils/archive/s20190709.tar.gz/#,a15720dd741d7538dd2645f9f516d193636ae4300ff7dbc8bfca757bf166490a)) $(eval $(call tar_download,WIREGUARD_TOOLS,wireguard-tools,1.0.20210914,.tar.xz,https://git.zx2c4.com/wireguard-tools/snapshot/,97ff31489217bb265b7ae850d3d0f335ab07d2652ba1feec88b734bc96bd05ac)) 
@@ -322,8 +324,7 @@ $(BUILD_PATH)/init-cpio-spec.txt: $(TOOLCHAIN_PATH)/.installed $(BUILD_PATH)/ini echo "file /bin/ss $(IPROUTE2_PATH)/misc/ss 755 0 0" >> $@ echo "file /bin/ping $(IPUTILS_PATH)/ping 755 0 0" >> $@ echo "file /bin/ncat $(NMAP_PATH)/ncat/ncat 755 0 0" >> $@ - echo "file /bin/xtables-legacy-multi $(IPTABLES_PATH)/iptables/xtables-legacy-multi 755 0 0" >> $@ - echo "slink /bin/iptables xtables-legacy-multi 777 0 0" >> $@ + echo "file /bin/nft $(NFTABLES_PATH)/src/nft 755 0 0" >> $@ echo "slink /bin/ping6 ping 777 0 0" >> $@ echo "dir /lib 755 0 0" >> $@ echo "file /lib/libc.so $(TOOLCHAIN_PATH)/$(CHOST)/lib/libc.so 755 0 0" >> $@ @@ -338,7 +339,7 @@ $(KERNEL_BUILD_PATH)/.config: $(TOOLCHAIN_PATH)/.installed kernel.config arch/$( cd $(KERNEL_BUILD_PATH) && ARCH=$(KERNEL_ARCH) $(KERNEL_PATH)/scripts/kconfig/merge_config.sh -n $(KERNEL_BUILD_PATH)/.config $(KERNEL_BUILD_PATH)/minimal.config $(if $(findstring yes,$(DEBUG_KERNEL)),cp debug.config $(KERNEL_BUILD_PATH) && cd $(KERNEL_BUILD_PATH) && ARCH=$(KERNEL_ARCH) $(KERNEL_PATH)/scripts/kconfig/merge_config.sh -n $(KERNEL_BUILD_PATH)/.config debug.config,) -$(KERNEL_BZIMAGE): $(TOOLCHAIN_PATH)/.installed $(KERNEL_BUILD_PATH)/.config $(BUILD_PATH)/init-cpio-spec.txt $(IPERF_PATH)/src/iperf3 $(IPUTILS_PATH)/ping $(BASH_PATH)/bash $(IPROUTE2_PATH)/misc/ss $(IPROUTE2_PATH)/ip/ip $(IPTABLES_PATH)/iptables/xtables-legacy-multi $(NMAP_PATH)/ncat/ncat $(WIREGUARD_TOOLS_PATH)/src/wg $(BUILD_PATH)/init +$(KERNEL_BZIMAGE): $(TOOLCHAIN_PATH)/.installed $(KERNEL_BUILD_PATH)/.config $(BUILD_PATH)/init-cpio-spec.txt $(IPERF_PATH)/src/iperf3 $(IPUTILS_PATH)/ping $(BASH_PATH)/bash $(IPROUTE2_PATH)/misc/ss $(IPROUTE2_PATH)/ip/ip $(LIBMNL_PATH)/libmnl $(LIBNFTNL_PATH)/libnftnl $(NFTABLES_PATH)/src/nft $(NMAP_PATH)/ncat/ncat $(WIREGUARD_TOOLS_PATH)/src/wg $(BUILD_PATH)/init $(MAKE) -C $(KERNEL_PATH) O=$(KERNEL_BUILD_PATH) ARCH=$(KERNEL_ARCH) CROSS_COMPILE=$(CROSS_COMPILE) .PHONY: $(KERNEL_BZIMAGE) 
@@ -421,15 +422,32 @@ $(IPROUTE2_PATH)/misc/ss: | $(IPROUTE2_PATH)/.installed $(USERSPACE_DEPS) $(MAKE) -C $(IPROUTE2_PATH) PREFIX=/ misc/ss $(STRIP) -s $@ -$(IPTABLES_PATH)/.installed: $(IPTABLES_TAR) +$(LIBMNL_PATH)/.installed: $(LIBMNL_TAR) mkdir -p $(BUILD_PATH) flock -s $<.lock tar -C $(BUILD_PATH) -xf $< - sed -i -e "/nfnetlink=[01]/s:=[01]:=0:" -e "/nfconntrack=[01]/s:=[01]:=0:" $(IPTABLES_PATH)/configure touch $@ -$(IPTABLES_PATH)/iptables/xtables-legacy-multi: | $(IPTABLES_PATH)/.installed $(USERSPACE_DEPS) - cd $(IPTABLES_PATH) && ./configure --prefix=/ $(CROSS_COMPILE_FLAG) --enable-static --disable-shared --disable-nftables --disable-bpf-compiler --disable-nfsynproxy --disable-libipq --disable-connlabel --with-kernel=$(BUILD_PATH)/include - $(MAKE) -C $(IPTABLES_PATH) +$(LIBMNL_PATH)/libmnl: | $(LIBMNL_PATH)/.installed $(USERSPACE_DEPS) + cd $(LIBMNL_PATH) && ./configure --prefix=$(TOOLCHAIN_PATH) $(CROSS_COMPILE_FLAG) --enable-static --disable-shared + $(MAKE) -C $(LIBMNL_PATH) install + +$(LIBNFTNL_PATH)/.installed: $(LIBNFTNL_TAR) + mkdir -p $(BUILD_PATH) + flock -s $<.lock tar -C $(BUILD_PATH) -xf $< + touch $@ + +$(LIBNFTNL_PATH)/libnftnl: | $(LIBNFTNL_PATH)/.installed $(USERSPACE_DEPS) + cd $(LIBNFTNL_PATH) && PKG_CONFIG_PATH="$(TOOLCHAIN_PATH)/lib/pkgconfig" ./configure --prefix=$(TOOLCHAIN_PATH) $(CROSS_COMPILE_FLAG) --enable-static --disable-shared + $(MAKE) -C $(LIBNFTNL_PATH) install + +$(NFTABLES_PATH)/.installed: $(NFTABLES_TAR) + mkdir -p $(BUILD_PATH) + flock -s $<.lock tar -C $(BUILD_PATH) -xf $< + touch $@ + +$(NFTABLES_PATH)/src/nft: | $(NFTABLES_PATH)/.installed $(USERSPACE_DEPS) + cd $(NFTABLES_PATH) && PKG_CONFIG_PATH="$(TOOLCHAIN_PATH)/lib/pkgconfig" ./configure --prefix=/ $(CROSS_COMPILE_FLAG) --enable-static --disable-shared --disable-debug --disable-man-doc --with-mini-gmp --without-cli + $(MAKE) -C $(NFTABLES_PATH) PREFIX=/ $(STRIP) -s $@ $(NMAP_PATH)/.installed: $(NMAP_TAR) 
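Review bot: in the @@ -421,15 +422,32 @@ hunk, the targets `$(LIBMNL_PATH)/libmnl` and `$(LIBNFTNL_PATH)/libnftnl` name paths that their recipes never create (each recipe only runs ./configure and `$(MAKE) -C ... install` into $(TOOLCHAIN_PATH)), so make treats both targets as permanently out of date and re-runs configure and install for both libraries on every invocation. Use a stamp file the recipe touches, e.g. `$(LIBMNL_PATH)/.built` with a `touch $@` after the install step, or the actual static library the build produces, and reference that from the $(KERNEL_BZIMAGE) prerequisite list in the @@ -338 hunk. The existing `$(IPROUTE2_PATH)/misc/ss` rule and the new `$(NFTABLES_PATH)/src/nft` rule already follow the pattern of naming the real build product.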
diff --git a/tools/testing/selftests/wireguard/qemu/kernel.config b/tools/testing/selftests/wireguard/qemu/kernel.config index f314d3789f17..9930116ecd81 100644 --- a/tools/testing/selftests/wireguard/qemu/kernel.config +++ b/tools/testing/selftests/wireguard/qemu/kernel.config @@ -19,10 +19,9 @@ CONFIG_NETFILTER_XTABLES=y CONFIG_NETFILTER_XT_NAT=y CONFIG_NETFILTER_XT_MATCH_LENGTH=y CONFIG_NETFILTER_XT_MARK=y -CONFIG_IP_NF_IPTABLES=y -CONFIG_IP_NF_FILTER=y -CONFIG_IP_NF_MANGLE=y -CONFIG_IP_NF_NAT=y +CONFIG_NF_TABLES=m +CONFIG_NF_TABLES_INET=y +CONFIG_NFT_NAT=y CONFIG_IP_ADVANCED_ROUTER=y CONFIG_IP_MULTIPLE_TABLES=y CONFIG_IPV6_MULTIPLE_TABLES=y -- 2.46.0 From vegeta at tuxpowered.net Tue Mar 4 17:50:14 2025 From: vegeta at tuxpowered.net (Kajetan Staszkiewicz) Date: Tue, 04 Mar 2025 17:50:14 -0000 Subject: [PATCH] Restore iOS-like NWPath handling on MacOS app Message-ID: Sometimes after a network path change, especially when only an "unsatisfied" network path is available, for example when a laptop loses all LAN and WiFi networks, further network path changes are ignored. When "satisfied" networks disappear, the cloned route for the bound socket is removed by the system and WireGuard packets are routed through the tunnel. This will result in a non-operational tunnel. The iOS code does not manifest this behaviour, as it properly disables the tunnel when no "satisfied" networks are available. Remove the special MacOS case, use the iOS code on the MacOS app. --- Sources/WireGuardKit/WireGuardAdapter.swift | 8 -------- 1 file changed, 8 deletions(-) diff --git a/Sources/WireGuardKit/WireGuardAdapter.swift b/Sources/WireGuardKit/WireGuardAdapter.swift index f7be19b..f5bf115 100644 --- a/Sources/WireGuardKit/WireGuardAdapter.swift +++ b/Sources/WireGuardKit/WireGuardAdapter.swift 
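Review bot: in the kernel.config hunk of the qemu patch above, CONFIG_NF_TABLES=m is the only =m entry in a config where every other option is built in (=y); if the test kernel has no module support the =m cannot be honoured as written (merge_config.sh, which the @@ -338 hunk runs with -n, will report the mismatch), and if it does have module support, nothing in the test loads nf_tables before the netns script calls nft. Make it CONFIG_NF_TABLES=y. Separately, with iptables gone from the image, CONFIG_NETFILTER_XTABLES=y and the CONFIG_NETFILTER_XT_NAT, CONFIG_NETFILTER_XT_MATCH_LENGTH and CONFIG_NETFILTER_XT_MARK lines kept just above the removed block have no remaining consumer unless some other xtables user stays in the image; native nft rules need CONFIG_NF_TABLES and CONFIG_NFT_NAT, not the xt modules, so consider dropping them in the same patch.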
@@ -409,25 +409,20 @@ public class WireGuardAdapter { self.logHandler(.error, "Failed to resolve endpoint \(resolutionError.address): \(resolutionError.errorDescription ?? "(nil)")") } } } /// Helper method used by network path monitor. /// - Parameter path: new network path private func didReceivePathUpdate(path: Network.NWPath) { self.logHandler(.verbose, "Network change detected with \(path.status) route and interface order \(path.availableInterfaces)") - #if os(macOS) - if case .started(let handle, _) = self.state { - wgBumpSockets(handle) - } - #elseif os(iOS) switch self.state { case .started(let handle, let settingsGenerator): if path.status.isSatisfiable { let (wgConfig, resolutionResults) = settingsGenerator.endpointUapiConfiguration() self.logEndpointResolutionResults(resolutionResults) wgSetConfig(handle, wgConfig) wgDisableSomeRoamingForBrokenMobileSemantics(handle) wgBumpSockets(handle) } else { @@ -453,23 +448,20 @@ public class WireGuardAdapter { settingsGenerator ) } catch { self.logHandler(.error, "Failed to restart backend: \(error.localizedDescription)") } case .stopped: // no-op break } - #else - #error("Unsupported") - #endif } } /// A enum describing WireGuard log levels defined in `api-apple.go`. public enum WireGuardLogLevel: Int32 { case verbose = 0 case error = 1 } private extension Network.NWPath.Status { -- 2.47.0 -- | pozdrawiam / regards | Powered by macOS, Debian and FreeBSD | | Kajetan Staszkiewicz | www: http://vegeta.tuxpowered.net | `----------------------^--------------------------------------' From hey at itrooz.fr Mon Mar 10 11:48:13 2025 
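Review bot: in the WireGuardAdapter.swift didReceivePathUpdate hunk above, removing the #if os(macOS) branch makes macOS run the full iOS path on every network change, including wgDisableSomeRoamingForBrokenMobileSemantics(handle) and a wgSetConfig(handle, wgConfig) built from freshly re-resolved endpoints; the function's name says it is a workaround for mobile semantics, and the commit message only argues that bumping sockets alone is insufficient on macOS, not that the roaming workaround is wanted there. Either keep that one call under #if os(iOS) or state in the commit message why it is correct on macOS as well. The second hunk also drops the #else / #error("Unsupported") guard; if WireGuardKit can be built for any platform other than iOS and macOS, that compile-time check was doing useful work and should stay.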
From: hey at itrooz.fr (iTrooz) Date: Mon, 10 Mar 2025 11:48:13 -0000 Subject: [PATCH] prioritise WG_QUICK_USERSPACE_IMPLEMENTATION over kernel implementation when set Message-ID: <20250310114640.402727-1-hey@itrooz.fr> Rationale: today, the wireguard kernel module is embedded in many Linux systems. If one wants to try out a userspace implementation, they will first need to blacklist the kernel module, or manually modify wg-quick. These changes allow users to use a userspace implementation even if the kernel module exists, by prioritising it when the variable WG_QUICK_USERSPACE_IMPLEMENTATION is explicitly set by the user. Signed-off-by: iTrooz --- src/wg-quick/linux.bash | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash index 4193ce5..42e2d2d 100755 --- a/src/wg-quick/linux.bash +++ b/src/wg-quick/linux.bash 
@@ -87,11 +87,30 @@ auto_su() { add_if() { local ret + # If the userspace implementation variable is set, use it + if [[ $WG_QUICK_USERSPACE_IMPLEMENTATION ]]; then + if ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION}" >/dev/null; then + echo "[!] WireGuard userspace implementation selected, but invalid command: ${WG_QUICK_USERSPACE_IMPLEMENTATION}" >&2 + exit 1 + fi + cmd "${WG_QUICK_USERSPACE_IMPLEMENTATION}" "$INTERFACE" + return + fi + + # Try to use kernel implementation if ! cmd ip link add "$INTERFACE" type wireguard; then ret=$? - [[ -e /sys/module/wireguard ]] || ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" >/dev/null && exit $ret - echo "[!] Missing WireGuard kernel module. Falling back to slow userspace implementation." >&2 - cmd "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" "$INTERFACE" + if [[ -e /sys/module/wireguard ]]; then + echo "[!] WireGuard kernel module detected, but failed to create interface" >&2 + exit $ret + # Potentially fall back to wireguard-go + elif command -v wireguard-go >/dev/null; then + echo "[!] Missing WireGuard kernel module. Falling back to slow wireguard-go userspace implementation." >&2 + cmd wireguard-go "$INTERFACE" + else + echo "[!] Missing WireGuard kernel module or userspace implementation." >&2 + exit $ret + fi fi } -- 2.48.1 From patrick.havelange_ext at softathome.com Fri Mar 14 09:39:32 2025 From: patrick.havelange_ext at softathome.com (Patrick Havelange) Date: Fri, 14 Mar 2025 09:39:32 -0000 Subject: [PATCH] wg: syncconf: also handle psk changes Message-ID: <20250314093920.3448871-1-patrick.havelange_ext@softathome.com> This fixes the case where the removal of a psk would not be reflected with wg syncconf. Signed-off-by: Patrick Havelange --- src/setconf.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/setconf.c b/src/setconf.c index 1c5b138..8f40124 100644 --- a/src/setconf.c +++ b/src/setconf.c 
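Review bot: in the linux.bash add_if hunk above, WG_QUICK_USERSPACE_IMPLEMENTATION changes meaning: it now takes precedence over the kernel module, a value that is not an executable command becomes a hard `exit 1` instead of being ignored in favour of the kernel path, and the no-module fallback is now hardcoded to wireguard-go rather than `${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}`. The diffstat touches only src/wg-quick/linux.bash, so the wg-quick(8) man page, which documents this variable as the fallback implementation, should be updated in the same patch, and the commit message should call out the behaviour change for existing setups that already export the variable. The same precedence change should be considered for the other wg-quick backends (the patch only adjusts the Linux one), so that the variable means the same thing everywhere.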
@@ -15,6 +15,7 @@ struct pubkey_origin { uint8_t *pubkey; + uint8_t *psk; bool from_file; }; @@ -64,11 +65,13 @@ static bool sync_conf(struct wgdevice *file) for_each_wgpeer(file, peer) { pubkeys[i].pubkey = peer->public_key; + pubkeys[i].psk = peer->preshared_key; pubkeys[i].from_file = true; ++i; } for_each_wgpeer(runtime, peer) { pubkeys[i].pubkey = peer->public_key; + pubkeys[i].psk = peer->preshared_key; pubkeys[i].from_file = false; ++i; } 
@@ -77,7 +80,7 @@ static bool sync_conf(struct wgdevice *file) for (i = 0; i < peer_count; ++i) { if (pubkeys[i].from_file) continue; - if (i == peer_count - 1 || !pubkeys[i + 1].from_file || memcmp(pubkeys[i].pubkey, pubkeys[i + 1].pubkey, WG_KEY_LEN)) { + if (i == peer_count - 1 || !pubkeys[i + 1].from_file || memcmp(pubkeys[i].pubkey, pubkeys[i + 1].pubkey, WG_KEY_LEN) || memcmp(pubkeys[i].psk, pubkeys[i + 1].psk, WG_KEY_LEN)) { peer = calloc(1, sizeof(struct wgpeer)); if (!peer) { free_wgdevice(runtime); -- 2.30.2 -- This message and any attachments herein are, unless otherwise stated, confidential, intended solely for the addressees and are SoftAtHome's ownership. Any unauthorized use, reproduction or dissemination is prohibited unless formally agreed beforehand by the sender. If you are not the intended addressee of this message, please immediately delete it and all its attachments from your computer system and notify the sender. SoftAtHome reserves the right to monitor all email communications through its networks. Any views or opinions presented are solely those of its author and do not necessarily represent those of SoftAtHome. The internet cannot guarantee the integrity of this message. SoftAtHome shall not be liable for the message if altered, changed or falsified. While we take all reasonable precautions to ensure that viruses are not transmitted via emails, we recommend that you take your own measures to prevent viruses from entering your computer system. SoftAtHome is a French Société Anonyme with a Board of Directors, having a capital of 6 450 699 Euros, having its registered office located at 9-11 rue du débarcadère - 92700 - Colombes - France - Tel + 33 (0)1 57 66 88 88 - Fax + 33 (0)1 57 66 88 89 - RCS Nanterre B 500 440 813 - Intra-Community VAT: FR 04500440813
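Review bot: in the @@ -77,7 +80,7 @@ hunk, the widened condition sends a runtime peer down the "no matching entry in the file" branch (the one that allocates a fresh wgpeer for it) whenever its preshared key differs from the file's, not only when the PSK was removed; if that branch is the removal path, a routine PSK rotation now tears the peer down and recreates it, discarding its session state, where the old code updated the key in place through the normal apply step. If the intent is only the removal case named in the commit message, narrow the test to pubkeys[i + 1] (the file entry) having an all-zero PSK while pubkeys[i] (the runtime entry) does not; wg's key_is_zero() from encoding.h is suited to that comparison. Either way, the commit message should say that a PSK difference now removes and re-adds the peer rather than updating it.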