From 081eed3b67857215d4028d7ac25cbcdc73e06ecd Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" 
Date: Wed, 22 Feb 2017 21:45:03 +0100
Subject: tools: give "off" value for fwmark
---
 src/tools/config.c | 6 ++++++
 src/tools/show.c | 5 ++++-
 src/tools/wg-quick.bash | 4 +++-
 src/tools/wg.8 | 9 ++++++---
 4 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/src/tools/config.c b/src/tools/config.c
index b3384da..b9a65c1 100644
--- a/src/tools/config.c
+++ b/src/tools/config.c
@@ -97,6 +97,12 @@ static inline bool parse_fwmark(uint32_t *fwmark, unsigned int *flags, const cha
 	char *end;
 	int base = 10;
 
+	if (!strcasecmp(value, "off")) {
+		*fwmark = 0;
+		*flags |= WGDEVICE_REMOVE_FWMARK;
+		return true;
+	}
+
 	if (value[0] == '0' && value[1] == 'x') {
 		value += 2;
 		base = 16;
diff --git a/src/tools/show.c b/src/tools/show.c
index c20d858..6cf2b23 100644
--- a/src/tools/show.c
+++ b/src/tools/show.c
@@ -276,7 +276,10 @@ static bool ugly_print(struct wgdevice *device, const char *param, bool with_int
 	} else if (!strcmp(param, "fwmark")) {
 		if (with_interface)
 			printf("%s\t", device->interface);
-		printf("0x%x\n", device->fwmark);
+		if (device->fwmark)
+			printf("0x%x\n", device->fwmark);
+		else
+			printf("off\n");
 	} else if (!strcmp(param, "endpoints")) {
 		if (with_interface)
 			printf("%s\t", device->interface);
diff --git a/src/tools/wg-quick.bash b/src/tools/wg-quick.bash
index ccf27a9..bb7325c 100755
--- a/src/tools/wg-quick.bash
+++ b/src/tools/wg-quick.bash
@@ -79,7 +79,9 @@ add_if() {
 }
 
 del_if() {
-	DEFAULT_TABLE=$(( $(wg show "$INTERFACE" fwmark) ))
+	local fwmark="$(wg show "$INTERFACE" fwmark)"
+	DEFAULT_TABLE=0
+	[[ $fwmark != off ]] && DEFAULT_TABLE=$(( $fwmark ))
 	if [[ $DEFAULT_TABLE -ne 0 ]]; then
 		while [[ -n $(ip -4 rule show table $DEFAULT_TABLE) ]]; do
 			cmd ip -4 rule delete table $DEFAULT_TABLE
diff --git a/src/tools/wg.8 b/src/tools/wg.8
index 9aa76cf..2933761 100644
--- a/src/tools/wg.8
+++ b/src/tools/wg.8
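Review bot: The new `off` branch in parse_fwmark sets `WGDEVICE_REMOVE_FWMARK`, but the wg.8 text changed in this same commit promises that a value of 0 disables the mark too; the numeric path below the hunk (parse_fwmark continues outside it) must set that same flag when the parsed value is 0, otherwise `fwmark 0` and `fwmark off` diverge. If it already does, a one-line comment on the new branch would make the pairing explicit: `/* "off" is an alias for 0: clear the mark and request its removal, matching the numeric path below. */`. `strcasecmp` is POSIX (<strings.h>) rather than ISO C; that is fine if the file already uses it, and note that show.c in this commit only ever prints the lowercase spelling.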
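Review bot: Printing `off` in place of a number changes the machine-readable output of `wg show <iface> fwmark`; the wg-quick hunk in this commit adapts to it, but any external script doing arithmetic on that value will now fail, and the wg.8 hunks here only describe the `set` command and the config-file field, not the `show` output, as far as is visible. Documenting the output contract where `show` is described, e.g. `fwmark is printed as a hexadecimal value, or "off" when none is set`, would close that gap. Separately, if `device->fwmark` is the `uint32_t` that parse_fwmark fills, the retained `"0x%x"` should be `"0x%" PRIx32` from <inttypes.h> to match the type exactly. ugly_print continues outside the hunk.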
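Review bot: `local fwmark="$(wg show "$INTERFACE" fwmark)"` masks the exit status of the command substitution, because `local` returns 0 regardless of what the substituted command did; if this script runs under `set -e` (not visible in the hunk), a failing `wg show` no longer stops del_if, and the empty result silently becomes `DEFAULT_TABLE=0` through the `$(( $fwmark ))` on the following line, whereas the replaced assignment propagated that failure. Splitting declaration and assignment keeps the old behaviour: `local fwmark` then `fwmark="$(wg show "$INTERFACE" fwmark)"`. del_if continues past the end of the hunk.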
@@ -67,14 +67,16 @@ it adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance. If \fIallowed-ips\fP is specified, but the value is the empty string, all allowed ips are removed from the peer. The use of \fIpersistent-keepalive\fP -is optional and is by default off; setting it to 0 or "off", disables it. +is optional and is by default off; setting it to 0 or "off" disables it. Otherwise it represents, in seconds, between 1 and 65535 inclusive, how often to send an authenticated empty packet to the peer, for the purpose of keeping a stateful firewall or NAT mapping valid persistently. For example, if the interface very rarely sends traffic, but it might at anytime receive traffic from a peer, and it is behind NAT, the interface might benefit from having a persistent keepalive interval of 25 seconds; however, most users will not need -this. +this. The use of \fIfwmark\fP is optional and is by default off; setting it to +0 or "off" disables it. Otherwise it is a 32-bit fwmark for outgoing packets +and may be specified in hexadecimal by prepending "0x". .TP \fBsetconf\fP \fI\fP \fI\fP Sets the current configuration of \fI\fP to the contents of @@ -126,7 +128,8 @@ for post-quantum resistance. ListenPort \(em a 16-bit port for listening. Optional; if not specified, chosen randomly. .IP \(bu -FwMark \(em a 32-bit fwmark for outgoing packets. Optional. +FwMark \(em a 32-bit fwmark for outgoing packets. If set to 0 or "off", this +option is disabled. May be specified in hexadecimal by prepending "0x". Optional. .P The \fIPeer\fP sections may contain the following fields: .IP \(bu -- cgit v1.2.3-59-g8ed1b