If DNS= has an IP in it, treat it as a DNS server. If DNS= has a non-IP
in it, treat it as a DNS search domain.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Add file wg-quick.target, which allows starting and stopping all
wg-quick@.service instances at once.
Signed-off-by: Martin Hauke <mardnh@gmx.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Prior we only supported a blacklist, but actually a whitelist is an
easier algorithm because that's internally how netd considers it, so we
don't need to find range spans. This commit adds an IncludedApplications
key.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
These are generic helper functions we don't want to move into the actual
implementations, so that it's easy to keep parity with the kernel code.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
It turns out that the binary actually gets smaller if we simply inline
the very small parts of libmnl that we need. Since we wind up needing
the mnlg bits anyway, there's little benefit in linking to libmnl.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This comes up occasionally, so it may be useful to mention its
possibility in the man page. At least the Arch Linux and Ubuntu kernels
support dynamic debugging, so this advise will at least help somebody.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Different versions of netd have different limits on how many can be
passed at once.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Alexey <zaranecc@bk.ru>
We previously included $(pwd) in the compile output pretty printer,
because it matched our parent out-of-tree module build. Since we're no
longer coupled to the module, we can return to a prettier scheme of just
using the object name.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Fixes: eb68ad07 ("Makefile: even prettier output")
Otherwise nft(8) has strange ideas of what a string is.
Suggested-by: RistiCore <RistiCore@mail.ee>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
We used to reach back into parent directories for this, but with the
repo split, we now require our own copy.
We use -idirafter in case system headers are installed for the
wireguard.h netlink definitions.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The ADDRESSES array might not have addresses added during PreUp. But
moreover, nft(8) and iptables(8) don't like ip addresses in the form
somev6prefix::someipv4suffix, such as fd00::1.2.3.4, while ip(8) can
handle it. So by adding these first and then asking for them back, we
always get normalized addresses suitable for nft(8) and iptables(8).
Reported-by: Silvan Nagl <mail@53c70r.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Daniel argues that technically a package manager could install nft(8)
after previously having started wg-quick(8) using iptables(8).
Suggested-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Older nft(8), such as that on Ubuntu, does not accept the - parameter to
the -f argument and doesn't accept symbolic priority names. So instead
use the canonical numeric priority forms and use <(echo) instead of -.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
If nft(8) is installed, use it. These rules should be identical to the
iptables-restore(8) ones, with the advantage that cleanup is easy
because we use custom table names.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
systemd-resolved has a compatibility interface for use with resolvconf
scripts when resolvectl is called from a symlink from resolvconf.
However, when tearing down the interface, cmd_down calls del_if and then
unset_dns. In the case of systemd-resolved, deleting the interface also
removes the systemd-resolved entry and causes resolvconf -d to fail when
resolvconf really is a symlink to resolvectl. This causes `wg-quick
down` and 'wg-quick@.service' to exit with failure.
Instead we use the resolvconf '-f' flag to ignore non-existent
interfaces, supported by both openresolv and sd-resolved resolvconf.
Signed-off-by: Ronan Pigott <rpigott@berkeley.edu>
[zx2c4: moved -f argument to end to remain compatible with Debian's resolvconf]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
route(8) has always used the `-T` option to specify the
routing table; there is no `rdomain` option.
Signed-off-by: Ankur Kothari <ankur@lipidity.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This causes wg-quick up to wait for the monitor to exit before it exits,
so that launchd can correctly wait on it.
Reported-by: Cameron Palmer <cameron@promon.no>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
`wg-quick strip` prints the config file to stdout after stripping it of
all wg-quick-specific options.
This enables tricks such as `wg addconf $DEV <(wg-quick strip $DEV)`.
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Apparently Haiku has a misbehaving /dev/urandom.
While we're at it, simplify the function signature to completely succeed
or completely fail and make sure the caller checks the result.
Reported-by: Alexander von Gluck IV <kallisti5@unixzen.com>
Nitpicked-by: Aaron Jones <aaronmdjones@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The commit 7c833642 ("wg-quick: freebsd: allow loopback to work") was
supposed to make things better, but actually it just started sending
legitimate localhost traffic over the WireGuard interface, which is
really quite bad.
This reverts commit 7c833642dfa342218602ab18e7091e86408d2982.
Reported-by: Matt Smith <matt.xtaz@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Since wg-quick(8) calls wg(8) which does hostname lookups, we should
probably only run this after we're allowed to look up hostnames.
Reported-by: Anton Castelli <anton.c42@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
FreeBSD adds a route for point-to-point destination addresses. We don't
really want to specify any destination address, but unfortunately we
have to. Before we tried to cheat by giving our own address as the
destination, but this had the unfortunate effect of preventing
loopback from working on our local ip address. We work around this with
yet another kludge: we set the destination address to 127.0.0.1. Since
127.0.0.1 is already assigned to an interface, this has the same effect
of not specifying a destination address, and therefore we accomplish the
intended behavior.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This avoids another ip(8) invocation for little benefit.
Confirmed to work with iproute2 and busybox.
Signed-off-by: Aaron Jones <aaronmdjones@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
An empty allowed IPs is totally valid, for folks wishing to move IP
addresses between multiple peers atomically.
Suggested-by: Comex <comexk@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Netlink returns NLM_F_DUMP_INTR if the set of all tunnels changed
during the dump. That's unfortunate, but is pretty common on busy
systems that are adding and removing tunnels all the time. Rather
than retrying, potentially indefinitely, we just work with the
partial results.
Reported-by: Robert Gerus <ar@is-a.cat>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
We don't actually use any C11 features, so we can at least compile with
ancient gcc.
Reported-by: Aaron M. D. Jones <aaronmdjones@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>