If DNS= has an IP in it, treat it as a DNS server. If DNS= has a non-IP
in it, treat it as a DNS search domain.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Otherwise nft(8) has strange ideas of what a string is.
Suggested-by: RistiCore <RistiCore@mail.ee>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The ADDRESSES array might not have addresses added during PreUp. But
moreover, nft(8) and iptables(8) don't like ip addresses in the form
somev6prefix::someipv4suffix, such as fd00::1.2.3.4, while ip(8) can
handle it. So by adding these first and then asking for them back, we
always get normalized addresses suitable for nft(8) and iptables(8).
Reported-by: Silvan Nagl <mail@53c70r.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Daniel argues that technically a package manager could install nft(8)
after previously having started wg-quick(8) using iptables(8).
Suggested-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Older nft(8), such as that on Ubuntu, does not accept the - parameter to
the -f argument and doesn't accept symbolic priority names. So instead
use the canonical numeric priority forms and use <(echo) instead of -.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
If nft(8) is installed, use it. These rules should be identical to the
iptables-restore(8) ones, with the advantage that cleanup is easy
because we use custom table names.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
systemd-resolved has a compatibility interface for use with resolvconf
scripts when resolvectl is called from a symlink from resolvconf.
However, when tearing down the interface, cmd_down calls del_if and then
unset_dns. In the case of systemd-resolved, deleting the interface also
removes the systemd-resolved entry and causes resolvconf -d to fail when
resolvconf really is a symlink to resolvectl. This causes `wg-quick
down` and 'wg-quick@.service' to exit with failure.
Instead we use the resolvconf '-f' flag to ignore non-existent
interfaces, supported by both openresolv and sd-resolved resolvconf.
Signed-off-by: Ronan Pigott <rpigott@berkeley.edu>
[zx2c4: moved -f argument to end to remain compatible with Debian's resolvconf]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
`wg-quick strip` prints the config file to stdout after stripping it of
all wg-quick-specific options.
This enables tricks such as `wg addconf $DEV <(wg-quick strip $DEV)`.
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This avoids another ip(8) invocation for little benefit.
Confirmed to work with iproute2 and busybox.
Signed-off-by: Aaron Jones <aaronmdjones@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This knob might disappear at some point, and we don't want to encourage
its use, so it's not being documented, but this should help with
development of new implementations.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
For properly configured Homebrew installations /usr/local/bin should be
before /bin, so this should still work. This allows the script to be
used in more than one setting.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
