Diffstat (limited to 'src/tools')
-rw-r--r--src/tools/config.c6
-rw-r--r--src/tools/show.c5
-rwxr-xr-xsrc/tools/wg-quick.bash4
-rw-r--r--src/tools/wg.89
4 files changed, 19 insertions, 5 deletions
diff --git a/src/tools/config.c b/src/tools/config.c
index b3384da..b9a65c1 100644
--- a/src/tools/config.c
+++ b/src/tools/config.c
@@ -97,6 +97,12 @@ static inline bool parse_fwmark(uint32_t *fwmark, unsigned int *flags, const cha
char *end;
int base = 10;
+ if (!strcasecmp(value, "off")) {
+ *fwmark = 0;
+ *flags |= WGDEVICE_REMOVE_FWMARK;
+ return true;
+ }
+
if (value[0] == '0' && value[1] == 'x') {
value += 2;
base = 16;
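Review bot: The new "off" branch in parse_fwmark sets `WGDEVICE_REMOVE_FWMARK`, but whether a numeric `0` or `0x0` ends up setting the same flag is decided by the conversion path below, which lies outside this hunk. The wg.8 text in this commit promises that both spellings disable the mark. If the numeric path does not set the flag, `FwMark = 0` could leave a previously configured mark on the device, which matters because the mark feeds policy routing. A comment on the branch such as `/* "off" and numeric 0 must both request removal of the mark */` would pin down the intended equivalence. Note also that "off" is matched case-insensitively while the `0x` prefix check on the following lines accepts only a lowercase `x`.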
diff --git a/src/tools/show.c b/src/tools/show.c
index c20d858..6cf2b23 100644
--- a/src/tools/show.c
+++ b/src/tools/show.c
@@ -276,7 +276,10 @@ static bool ugly_print(struct wgdevice *device, const char *param, bool with_int
} else if (!strcmp(param, "fwmark")) {
if (with_interface)
printf("%s\t", device->interface);
- printf("0x%x\n", device->fwmark);
+ if (device->fwmark)
+ printf("0x%x\n", device->fwmark);
+ else
+ printf("off\n");
} else if (!strcmp(param, "endpoints")) {
if (with_interface)
printf("%s\t", device->interface);
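Review bot: Printing `off` in the fwmark branch of ugly_print changes the script-facing output from an always-hexadecimal value to a mixed token, so any consumer that passes it to a numeric parser now has to special-case it. wg-quick.bash is adjusted in this commit, but other callers are not visible here. The wg.8 hunks shown describe only the accepted input, so the `show` documentation should also say that an unset mark is reported as `off`. A comment above the branch, e.g. `/* fwmark 0 means no mark is set; reported as "off" to mirror the accepted input */`, would record the intent. ugly_print starts and ends outside the hunk.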
diff --git a/src/tools/wg-quick.bash b/src/tools/wg-quick.bash
index ccf27a9..bb7325c 100755
--- a/src/tools/wg-quick.bash
+++ b/src/tools/wg-quick.bash
@@ -79,7 +79,9 @@ add_if() {
}
del_if() {
- DEFAULT_TABLE=$(( $(wg show "$INTERFACE" fwmark) ))
+ local fwmark="$(wg show "$INTERFACE" fwmark)"
+ DEFAULT_TABLE=0
+ [[ $fwmark != off ]] && DEFAULT_TABLE=$(( $fwmark ))
if [[ $DEFAULT_TABLE -ne 0 ]]; then
while [[ -n $(ip -4 rule show table $DEFAULT_TABLE) ]]; do
cmd ip -4 rule delete table $DEFAULT_TABLE
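Review bot: `$(( $fwmark ))` in del_if evaluates whatever `wg show` printed as a bash arithmetic expression, and the only filter in front of it is `!= off`, so an empty or unexpected string (for instance when `wg show` fails) is still evaluated rather than rejected. Matching the exact format that show.c emits is tighter: `[[ $fwmark =~ ^0x[0-9a-f]+$ ]] && DEFAULT_TABLE=$(( fwmark ))`. Separately, `local fwmark="$(...)"` yields the exit status of `local`, so a failing `wg show` is masked. Declaring `local fwmark` first and assigning on the next line keeps that status available if the function should react to it. del_if continues past the end of the hunk.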
diff --git a/src/tools/wg.8 b/src/tools/wg.8
index 9aa76cf..2933761 100644
--- a/src/tools/wg.8
+++ b/src/tools/wg.8
@@ -67,14 +67,16 @@ it adds an additional layer of symmetric-key cryptography to be mixed into
the already existing public-key cryptography, for post-quantum resistance.
If \fIallowed-ips\fP is specified, but the value is the empty string, all
allowed ips are removed from the peer. The use of \fIpersistent-keepalive\fP
-is optional and is by default off; setting it to 0 or "off", disables it.
+is optional and is by default off; setting it to 0 or "off" disables it.
Otherwise it represents, in seconds, between 1 and 65535 inclusive, how often
to send an authenticated empty packet to the peer, for the purpose of keeping
a stateful firewall or NAT mapping valid persistently. For example, if the
interface very rarely sends traffic, but it might at anytime receive traffic
from a peer, and it is behind NAT, the interface might benefit from having a
persistent keepalive interval of 25 seconds; however, most users will not need
-this.
+this. The use of \fIfwmark\fP is optional and is by default off; setting it to
+0 or "off" disables it. Otherwise it is a 32-bit fwmark for outgoing packets
+and may be specified in hexadecimal by prepending "0x".
.TP
\fBsetconf\fP \fI<interface>\fP \fI<configuration-filename>\fP
Sets the current configuration of \fI<interface>\fP to the contents of
@@ -126,7 +128,8 @@ for post-quantum resistance.
ListenPort \(em a 16-bit port for listening. Optional; if not specified, chosen
randomly.
.IP \(bu
-FwMark \(em a 32-bit fwmark for outgoing packets. Optional.
+FwMark \(em a 32-bit fwmark for outgoing packets. If set to 0 or "off", this
+option is disabled. May be specified in hexadecimal by prepending "0x". Optional.
.P
The \fIPeer\fP sections may contain the following fields:
.IP \(bu