Commit graph

309 commits

Author SHA1 Message Date
Jason A. Donenfeld ef117a91d1 netlink: remove libmnl requirement
It turns out that the binary actually gets smaller if we simply inline
the very small parts of libmnl that we need. Since we wind up needing
the mnlg bits anyway, there's little benefit in linking to libmnl.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-02-03 18:17:27 +01:00
Jason A. Donenfeld 27c885ff08 man: document dynamic debug trick for Linux
This comes up occasionally, so it may be useful to mention its
possibility in the man page. At least the Arch Linux and Ubuntu kernels
support dynamic debugging, so this advise will at least help somebody.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-31 23:17:59 +01:00
Jason A. Donenfeld 6771c4454e wg-quick: android: split uids into multiple commands
Different versions of netd have different limits on how many can be
passed at once.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Alexey <zaranecc@bk.ru>
2020-01-31 18:56:52 +01:00
Jason A. Donenfeld 8082f7e6a8 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-21 15:51:31 +01:00
Jason A. Donenfeld 3a3a56e217 Makefile: sort inputs to linker so that build is reproducible
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-21 15:51:07 +01:00
Jason A. Donenfeld 64576f9a06 netlink: make sure to clear return value when trying again
Otherwise this runs in an infinite loop if at some point a dump was
interrupted.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-11 12:16:50 -05:00
Jason A. Donenfeld 95c30bc034 fuzz: add set and setconf fuzzers
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-11 10:47:59 -05:00
Jason A. Donenfeld f7f1e7da2c Makefile: evaluate git version lazily
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-08 17:59:58 -05:00
Jason A. Donenfeld cdd8d8ba9f fuzz: add generic command argument fuzzer
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-04 10:47:28 -05:00
Jason A. Donenfeld 1d2d6200b8 ipc: simplify inflatable buffer and add fuzzer
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-04 15:07:10 +01:00
Jason A. Donenfeld f59f63f462 Makefile: add standard 'all' target
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Bruno Wolff III <bruno@wolff.to>
2020-01-03 21:22:22 +01:00
Jason A. Donenfeld bfb31ac953 Makefile: remove pwd from compile output
We previously included $(pwd) in the compile output pretty printer,
because it matched our parent out-of-tree module build. Since we're no
longer coupled to the module, we can return to a prettier scheme of just
using the object name.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Fixes: eb68ad07 ("Makefile: even prettier output")
2020-01-03 12:36:10 +01:00
Jason A. Donenfeld 3bf1b64d44 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-02 19:53:11 +01:00
Jason A. Donenfeld d8230ea0dc global: bump copyright
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-02 19:52:25 +01:00
Jason A. Donenfeld 16e20de722 wg-quick: linux: quote ifname for nft
Otherwise nft(8) has strange ideas of what a string is.

Suggested-by: RistiCore <RistiCore@mail.ee>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-28 18:35:41 +01:00
Jason A. Donenfeld 3bfe9c41ab Makefile: rework automatic version.h mangling
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Joe Doss <joe@solidadmin.com>
2019-12-27 18:33:55 +01:00
Jason A. Donenfeld 2d000809dd fuzz: find bugs when parsing uapi input
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-27 18:33:55 +01:00
Jason A. Donenfeld cde6f312e4 fuzz: find bugs in the config syntax parser
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-27 18:33:55 +01:00
Devin Smith 318253d932 man: add documentation about removing explicit listen-port
Signed-off-by: Devin Smith <thundza@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-27 11:52:29 +01:00
Jason A. Donenfeld f9f1ba795e Makefile: port static analysis check
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 16:54:25 +01:00
Jason A. Donenfeld ff7e5dfe30 Makefile: DEBUG_TOOLS -> DEBUG and document
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 16:51:58 +01:00
Jason A. Donenfeld 7861d89b7c systemd: update documentation URL
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 13:59:27 +01:00
Jason A. Donenfeld ae659490cf version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 13:59:11 +01:00
Jason A. Donenfeld 9130fa0450 Makefile: add git versioning to dev builds
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 13:57:58 +01:00
Jason A. Donenfeld 011bf3b9f4 README: consolidate with INSTALL and rewrite
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 13:10:42 +01:00
Jason A. Donenfeld 262b5196cf wg: include tools version
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 13:10:42 +01:00
Jason A. Donenfeld 2f74ac29cf wg: add back source formerly shared with kernel module
We used to reach back into parent directories for this, but with the
repo split, we now require our own copy.

We use -idirafter in case system headers are installed for the
wireguard.h netlink definitions.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 12:55:41 +01:00
Jason A. Donenfeld 6262906e5c wg-quick: linux: use already configured addresses instead of in-memory
The ADDRESSES array might not have addresses added during PreUp. But
moreover, nft(8) and iptables(8) don't like ip addresses in the form
somev6prefix::someipv4suffix, such as fd00::1.2.3.4, while ip(8) can
handle it. So by adding these first and then asking for them back, we
always get normalized addresses suitable for nft(8) and iptables(8).

Reported-by: Silvan Nagl <mail@53c70r.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-17 14:18:09 +01:00
Kai Haberzettl 64f83e6161 wg: adjust wg.8 syntax for consistency in COMMANDS section
Signed-off-by: Kai Haberzettl <khaberz@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-13 16:22:19 +01:00
Jason A. Donenfeld 6fbfa0d7bb wg-quick: linux: try both iptables(8) and nft(8) on teardown
Daniel argues that technically a package manager could install nft(8)
after previously having started wg-quick(8) using iptables(8).

Suggested-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-12 17:24:04 +01:00
Jason A. Donenfeld 45417c5c0d wg-quick: linux: support older nft(8)
Older nft(8), such as that on Ubuntu, does not accept the - parameter to
the -f argument and doesn't accept symbolic priority names. So instead
use the canonical numeric priority forms and use <(echo) instead of -.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-12 12:24:05 +01:00
Josh Soref a863be0148 global: fix up spelling
Signed-off-by: Josh Soref <jsoref@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-12 12:24:05 +01:00
Jason A. Donenfeld 17c78d31c2 wg-quick: linux: add support for nft and prefer it
If nft(8) is installed, use it. These rules should be identical to the
iptables-restore(8) ones, with the advantage that cleanup is easy
because we use custom table names.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-12 12:24:05 +01:00
Jason A. Donenfeld bc8bf54185 wg-quick: linux: ignore save warnings for iptables-nft
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-06 16:51:05 +01:00
Jason A. Donenfeld 8d4e4f3a86 wg-quick: linux: suppress more warnings on weird kernels
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-06 16:22:18 +01:00
Jason A. Donenfeld 3928ebb87d wg-quick: linux: some iptables don't like empty lines
Reported-by: Kenneth R. Crudup <kenny@panix.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-05 18:33:18 +01:00
Jason A. Donenfeld 9eab3487cd wg-quick: linux: iptables-* -w is not widely supported
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-05 11:48:25 +01:00
Jason A. Donenfeld faa55d8b19 ipc: make sure userspace communication frees wgdevice
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-05 11:48:25 +01:00
Jason A. Donenfeld 207aeed010 wg-quick: linux: have remove_iptables return true
Reported-by: Thomas Sattler <sattler@med.uni-frankfurt.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-05 11:48:25 +01:00
Jason A. Donenfeld af69113e02 wg-quick: linux: ensure postdown hooks execute
Reported-by: Thomas Sattler <sattler@med.uni-frankfurt.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-05 11:48:25 +01:00
Jason A. Donenfeld a9abb21575 wg-quick: linux: suppress error when finding unused table
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-11-27 17:12:15 +01:00
Jason A. Donenfeld ae374129ab wg: add syncconf command
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-11-27 14:42:34 +01:00
Jason A. Donenfeld ebcf1ef8b1 wg-quick: linux: filter bogus injected packets and don't disable rpfilter
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-11-27 13:45:58 +01:00
Jason A. Donenfeld a59aa6c404 wg-quick: linux: only touch net.ipv4 for v4
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-11-26 11:33:33 +01:00
Jason A. Donenfeld cf7ec31d2d wg-quick: android: check for null in binder cleanup functions
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-10-16 14:23:27 +02:00
Nicolas Douma 792727cf64 wg-quick: android: use Binder for setting DNS on Android 10
Signed-off-by: Nicolas Douma <nicolas@serveur.io>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-10-12 16:49:52 +02:00
Jason A. Donenfeld 959937672a wg: windows: enforce named pipe ownership and use protected prefix
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-08-31 08:48:39 -06:00
Ronan Pigott 4154476d89 wg-quick: linux: don't fail down when using systemd-resolved
systemd-resolved has a compatibility interface for use with resolvconf
scripts when resolvectl is called from a symlink from resolvconf.
However, when tearing down the interface, cmd_down calls del_if and then
unset_dns. In the case of systemd-resolved, deleting the interface also
removes the systemd-resolved entry and causes resolvconf -d to fail when
resolvconf really is a symlink to resolvectl. This causes `wg-quick
down` and 'wg-quick@.service' to exit with failure.

Instead we use the resolvconf '-f' flag to ignore non-existent
interfaces, supported by both openresolv and sd-resolved resolvconf.

Signed-off-by: Ronan Pigott <rpigott@berkeley.edu>
[zx2c4: moved -f argument to end to remain compatible with Debian's resolvconf]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-08-27 20:29:17 -06:00
Ankur Kothari 5df58a945d wg-quick: openbsd: fix alternate routing table syntax
route(8) has always used the `-T` option to specify the
routing table; there is no `rdomain` option.

Signed-off-by: Ankur Kothari <ankur@lipidity.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-08-07 10:41:26 +02:00
Jason A. Donenfeld 6a5906608c wg-quick: android: refactor and add incoming allow rules
Suggested-by: Yağmur Oymak <yagmur.oymak@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-07-08 13:48:17 +02:00