Required tools for WireGuard, such as wg(8) and wg-quick(8) https://git.zx2c4.com/wireguard-tools/atom/?h=master 2026-05-06T21:21:24Z 2026-05-06T21:21:24Z Jason A. Donenfeld Jason@zx2c4.com 2026-05-06T21:21:24Z urn:sha1:a998407747005ea7e4e0258d96f105c97241e1d3 Looking at the source [1], it appears that the interface is always the 4th argument, regardless of the family: C1. if (fam != old_fam) // FALSE P1. p_sockaddr(params, &addr.u_sa, &mask.u_sa, rtm->rtm_flags, WID_DST(addr.u_sa.sa_family)); P2. p_sockaddr(params, rti_info[RTAX_GATEWAY], NULL, RTF_HOST, WID_GW(addr.u_sa.sa_family)); C2. if (params->lflag && (rtm->rtm_addrs & RTA_IFA)) // FALSE P3. p_flags(rtm->rtm_flags, "%-10.10s "); C3. if (params->lflag) // FALSE P4. printf("%*.*s", WID_IF(addr.u_sa.sa_family), WID_IF(addr.u_sa.sa_family), ifname); Because C1, C2, and C3 evaluate to false, interface is always in the 4th argument. [1] https://github.com/apple-oss-distributions/network_cmds/blob/97e27e6244c16d399bfeb254315ddc5828711c56/netstat.tproj/route.c#L328 Reported-by: Florian Uekermann <florian@uekermann.me> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2026-03-24T02:27:26Z Kyle Evans kevans@FreeBSD.org 2025-06-26T02:57:03Z urn:sha1:025f00454fec8fd0816607a28c1ee6cd9a54b134 The FreeBSD kernel flags will match what we define here in wg(8), just pass them through and let the kernel sort it out. Signed-off-by: Kyle Evans <kevans@FreeBSD.org> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2026-03-24T02:22:51Z Jason A. Donenfeld Jason@zx2c4.com 2026-03-24T02:22:51Z urn:sha1:06a99cce2c9998f53eb30d2f258a9e5ff286445b Following the Linux case, now support the same API on Windows. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2026-03-21T11:20:43Z Jason A. Donenfeld Jason@zx2c4.com 2026-03-21T11:20:43Z urn:sha1:997ffa0c89b4a6a3998325ceeb55588bb0cf8017 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2026-03-21T10:42:07Z Jason A. Donenfeld Jason@zx2c4.com 2026-03-20T21:07:25Z urn:sha1:1090b17df4ad07a9f46f5723ad4f8e3839484dea Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2026-02-23T22:24:27Z Jason A. Donenfeld Jason@zx2c4.com 2026-02-23T22:24:27Z urn:sha1:49ce333da02056ae7b22ee2aeb6afe8aaed79b19 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2026-02-23T22:23:04Z Jason A. Donenfeld Jason@zx2c4.com 2025-05-23T18:22:37Z urn:sha1:0a81a174dbde2371ddcf4b602ba0ecda3c5dbd67 Otherwise removing a persistent keepalive from a config file wouldn't reflect on the runtime state. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2026-02-23T22:10:51Z Jason A. Donenfeld Jason@zx2c4.com 2026-02-23T22:10:48Z urn:sha1:ede2c4804245d4069b629ef6e8c670ca033afdfc Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2026-02-23T22:02:07Z Doug Freed dwfreed@mtu.edu 2023-04-03T05:58:55Z urn:sha1:0cbe9938e1b1435a6ac394309c4884340240bb44 These dependencies ensure that instances of this service are started before wg-quick.target is considered started, allowing other services to depend on wg-quick.target to mean "all wg-quick services are started" Signed-off-by: Doug Freed <dwfreed@mtu.edu> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2026-02-23T21:54:42Z Jason A. Donenfeld Jason@zx2c4.com 2026-02-23T21:54:42Z urn:sha1:ac74ed6d7dd4d77f56c7f05c053a5e645e0e33a0 In some restrictive container namespaces, sysctl is locked down and can't be changed. This shouldn't be a problem, though, at least in theory, because net.ipv4.conf.all.src_valid_mark is already 1. However, currently wg-quick unconditionally sets it. Instead, check to see if it's already 1 before trying make it 1. Suggested-by: Dean P <dean@apakossa.org> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>