Suggested-by: David Miller <davem@davemloft.net>
DaveM doth forbid.
Suggested-by: David Miller <davem@davemloft.net>
Signed-off-by: Luis Ressel <aranea@aixah.de>
`wg-quick strip` prints the config file to stdout after stripping it of
all wg-quick-specific options.
This enables tricks such as `wg addconf $DEV <(wg-quick strip $DEV)`.
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Luis Ressel <aranea@aixah.de>
Otherwise mktemp doesn't see it, and if it's empty we wind up in /.
| |
In d2c5c103b133 ("netfilter: nat: remove nf_nat_l3proto.h and
nf_nat_core.h").
Signed-off-by: Bruno Wolff III <bruno@wolff.to>
Signed-off-by: Alexander von Gluck IV <kallisti5@unixzen.com>
Apparently Haiku has a misbehaving /dev/urandom.
While we're at it, simplify the function signature to completely succeed
or completely fail and make sure the caller checks the result.
Reported-by: Alexander von Gluck IV <kallisti5@unixzen.com>
Nitpicked-by: Aaron Jones <aaronmdjones@gmail.com>
The commit 7c833642 ("wg-quick: freebsd: allow loopback to work") was
supposed to make things better, but actually it just started sending
legitimate localhost traffic over the WireGuard interface, which is
really quite bad.
This reverts commit 7c833642dfa342218602ab18e7091e86408d2982.
Reported-by: Matt Smith <matt.xtaz@gmail.com>
This makes `wg show` and `wg showconf` and the like significantly
faster, since we don't have to iterate through every node of the trie
for every single peer. It also makes netlink cursor resumption much less
problematic, since we're just iterating through a list, rather than
having to save a traversal stack.
This causes needless traversal of the trie.
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Luis Ressel <aranea@aixah.de>
On ancient kernels, ipv6_stub is sometimes null in cases where IPv6 has
been disabled with a command line flag or other failures.
Reported-by: Anatoli <me@anatoli.ws>
The map allocations required to fix this are mostly slower than
unaligned paths.
Reported-by: Louis Sautier <sbraz@gentoo.org>
The hashtable allocations are quite large, and cause the device allocation in
the net framework to stall sometimes while it tries to find a contiguous region
that can fit the device struct:
[<0000000000000000>] __switch_to+0x94/0xb8
[<0000000000000000>] __alloc_pages_nodemask+0x764/0x7e8
[<0000000000000000>] kmalloc_order+0x20/0x40
[<0000000000000000>] __kmalloc+0x144/0x1a0
[<0000000000000000>] alloc_netdev_mqs+0x5c/0x368
[<0000000000000000>] rtnl_create_link+0x48/0x180
[<0000000000000000>] rtnl_newlink+0x410/0x708
[<0000000000000000>] rtnetlink_rcv_msg+0x190/0x1f8
[<0000000000000000>] netlink_rcv_skb+0x4c/0xf8
[<0000000000000000>] rtnetlink_rcv+0x30/0x40
[<0000000000000000>] netlink_unicast+0x18c/0x208
[<0000000000000000>] netlink_sendmsg+0x19c/0x348
[<0000000000000000>] sock_sendmsg+0x3c/0x58
[<0000000000000000>] ___sys_sendmsg+0x290/0x2b0
[<0000000000000000>] __sys_sendmsg+0x58/0xa0
[<0000000000000000>] SyS_sendmsg+0x10/0x20
[<0000000000000000>] el0_svc_naked+0x34/0x38
[<0000000000000000>] 0xffffffffffffffff
To fix the allocation stalls, decouple the hashtable allocations from the device
allocation and allocate the hashtables with kvmalloc's implicit __GFP_NORETRY
so that the allocations fall back to vmalloc with little resistance.
Signed-off-by: Sultan Alsawaf <sultan@kerneltoast.com>
This mitigates unrelated sidechannel attacks that think they can turn
WireGuard into a useful time oracle.
Windows.
Since wg-quick(8) calls wg(8) which does hostname lookups, we should
probably only run this after we're allowed to look up hostnames.
Reported-by: Anton Castelli <anton.c42@gmail.com>
FreeBSD adds a route for point-to-point destination addresses. We don't
really want to specify any destination address, but unfortunately we
have to. Before we tried to cheat by giving our own address as the
destination, but this had the unfortunate effect of preventing
loopback from working on our local ip address. We work around this with
yet another kludge: we set the destination address to 127.0.0.1. Since
127.0.0.1 is already assigned to an interface, this has the same effect
of not specifying a destination address, and therefore we accomplish the
intended behavior.
This reverts commit 9d5baf7d1d14ca7eb0852b41566330259229d489.
Benoît Viguier has proofs that values will stay well within 2^53. We
also have an improved carry function that's much simpler.
This is a change for Linux 5.0.
Reported-by: Raf Czlonka <rczlonka@gmail.com>
Reported-by: Alex Xu <alex@alxu.ca>
The former was just a wrapper around the latter, and so upstream is now
removing it.
Also adjust the compat kludge to deal with this.
Reported-by: Alex Xu <alex@alxu.ca>
In WireGuard, the underlying UDP socket lives in the namespace where the
interface was created and doesn't move if the interface is moved. This
allows one to create the interface in some privileged place that has
Internet access, and then move it into a container namespace that only
has the WireGuard interface for egress. Consider the following
situation:
1. Interface created in namespace A. Socket therefore lives in namespace A.
2. Interface moved to namespace B. Socket remains in namespace A.
3. Namespace B now has access to the interface and changes the listen
port and/or fwmark of socket. Change is reflected in namespace A.
This behavior is arguably _fine_ and perhaps even expected or
acceptable. But there's also an argument to be made that B should have
A's cred to do so. So, this patch adds a simple ns_capable check.
Reported-by: Chris Hewitt <chris@chrishewitt.net>