Commit graph

39 commits

Author SHA1 Message Date
Kevin Darbyshire-Bryant
4168cdd460 wireguard: bump to release 0.0.20170810
Compile & run tested: ar71xx: archer c7 v2

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-08-10 09:17:54 +01:00
Jason A. Donenfeld
19e9fbaa70 wireguard: version bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-31 18:45:59 +02:00
Jason A. Donenfeld
132287156d wireguard: version bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-07 16:21:24 +02:00
Jason A. Donenfeld
4d0d9ac3f9 wireguard: assume /32 or /128 if no CIDR is given
This brings the route_allowed_ips option into parity with the addresses
option, which makes this same assumption. The parsing selection is made
to be identical between these two settings.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-07 16:19:50 +02:00
Jason A. Donenfeld
404657ee8a wireguard: version bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-29 21:37:14 +02:00
Jason A. Donenfeld
09148df173 wireguard: version bump
From upstream's changelog:

  * main: annotate init/exit functions to save memory
  * selftest: remove antique siphash self test
  * haskell: re-add updated haskell example
  * socket: use ip_rt_put instead of dst_release
  * device: avoid double icmp send on routing loop
  * compat: clean up cruft
  * global: cleanup IP header checking
  * compat: do not export symbols unnecessarily
  
  Various cleanups and updates.
  
  * device: netdevice destruction logic change for 4.12
  
  When Linux 4.12 is released next week, we're good to go.
  
  * device: only use one sleep notifier
  
  Rather than have a separate sleep notification for every interface, we now
  have a single notifier for every interface. This improves performance,
  especially when creating many interfaces at once.
  
  * device: remove icmp conntrack hacks
  
  We're moving hacks upstream the proper way, and then backporting them to
  compat.
  
  * receive: extend rate limiting to 1 second after under load detection
  
  After we determine that we're under load, we now wait 1 second before not
  being under load again, a timer which is global across all interfaces on a
  given system.
  
  * curve25519: satisfy sparse and use short types
  * curve25519: keep certain sandy2x functions in C
  
  Certain functions have been made into C, which should improve stack frames and
  reliability.
  
  * ratelimiter: rewrite from scratch
  
  This is a big change. We no longer rely on x_tables or xt_hashlimit, instead
  using a super minimal and sleek token bucket ratelimiter. This works much
  better than the old cruft and should allow us to run more places. It also has
  the benefit of being global, so that it's possible to have thousands of
  interfaces without killing the system with separate GCs and vmallocs, which is
  what happened prior.
  
  * socket: verify saddr belongs to interface
  
  We now more quickly react to changes of the v4 routing table, by ensuring that
  the sticky source address is actually still valid.
  
  * wg-quick: properly match IPv6 endpoint
  
  wg-quick now works better with IPv6.
  
  * wg-quick: use printf -v instead of namerefs for bash 4.2
  
  This adds support for old bash, which means wg-quick should be generically
  "bash 4 and up". I'm not happy about this but EL7 uses old bash, so we're
  stuck with it.
  
  * compat: support EL7.3
  
  Support for RHEL, CentOS, ScientificLinux, and so forth.
  
  * compat: support Ubuntu 14.04
  
  An old crufty Ubuntu is now supported, since it's LTS.
2017-06-28 14:57:04 +02:00
Jason A. Donenfeld
de97e29328 wireguard: remove misspelled debugging line
There are no other "echo" debug lines in this file, and it seems
clear that this one was accidentally left as a debugging line,
since it misspelled "dependency". So, we just remove this line.

We don't bump the package version, though, because this is
pretty inconsequential.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-14 03:15:27 +02:00
Jason A. Donenfeld
c833b249a9 wireguard: version bump
From upstream's changelog:

  * timers: queue up killing ephemerals only if not already

  We fix up a small detail in the timer logic that changed during the last
  snapshot.

  * receive: trim incoming packets to IP header length

  Packets are now trimmed to their actual length, not their length+padding,
  before handing to the rest of the network subsystem, so that packets look
  pretty in tcpdump. This doesn't actually affect what userspace sees, since the
  kernel trims it at a later stage, but it does make pcaps a bit nicer to use.

  * curve25519: use more standard label convention in asm

  This ensures that perf(1) shows the function name instead of the label name.

  * compat: remove padata hotplug code

  Fixes building on kernels that have HOTPLUG enabled but no PADATA support.

  * config: add new line for style
  * device: do-while assignment style
  * peer: explicitly initialize atomic

  Style.

  * noise: fix race when replacing handshake

  Handle a situation in which three peers, all running on the same system, begin
  a handshake with all three of each other, at exactly the same time, on a
  multi-CPU system.

  * random: wait for random bytes when generating nonces and ephemerals

  We've been working with upstream to add a new API to the kernel for ensuring
  that the RNG actually is seeded. Until they merge it for 4.13, we provide a
  poly-fill to the compat code. This means that WireGuard will block during
  handshakes until the RNG has enough entropy, so that it's never in a
  circumstance in which ephemeral keys are generated from bad randomness.

  * go test: properly pad message
  * go test: correct tai64n and formatting
  * external-tests: add keepalive packet
  * go test: use x/crypto for blake2s now that we have 128-bit mac
  * external-tests: trim the fat

  Improvements for the external tests.

  * wg-quick: make sure we have empty table for both v6 and v4
  * wg-quick: match ipv6 default route more broadly

  Tiny nits with wg-quick, one of which should now allow multiple v6-only
  wg-quick instances running at the same time.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-13 15:35:26 +02:00
danrl
a9f39cff42 wireguard: version bump
From upstream's changelog:

  This rather large snapshot touches quite a few sensitive areas, so I'm
  releasing it now rather than later to receive feedback on any possible issues.
  It also contains fixes, so everybody should upgrade.

  * man: fix psk mention in wg-quick man page
  * man: update wg-quick(8) to show Debian resolvconf braindamage

  Documentation cleanups.

  * wg-quick: use src routing for default routes in v6

  ip-rule(8) doesn't do the right thing with source addresses, unless we
  explicitly set it inside the route. This fixes wg-quick on IPv6 systems.

  * curve25519: actually, do some things on heap sometimes
  * curve25519: align the basepoint to 32 bytes
  * curve25519: add NEON versions for ARM
  * data: enable BH during parallel crypto on ARM/NEON
  * chacha20poly1305: move constants to rodata
  * chacha20poly1305: add NEON versions for ARM and ARM64

  We now have faster primitives on ARM and ARM64 processors, which should
  improve performance.

  * handshake: process in parallel

  Handshakes are now processed in parallel using all cores, which should improve
  throughput during a storm.

  * noise: no need to store ephemeral public key
  * noise: precompute static-static ECDH operation

  We can precompute the ECDH(s, s) calculation, which improves handshake
  initiation message performance by double.

  * style: spaces after for loops
  * peer: use iterator macro instead of callback

  The most unreadable C ever produced. It might be wise to find a sexier-looking
  alternative at some point.

  * compat: remove warning for < 4.1
  * compat: ship padata if kernel doesn't have it

  The usual array of annoying compat things.

  * rust test: convert screech test to snow
  * rust test: add icmp ping

  We now use Jake's snow library for Noise in the test, which we've expanded to
  complete a ping.

  * config: do not error out when getting if no peers
  * tools: allow creating device with no peers

  Fixing some small things in the tool/config interaction.

  * device: keep going when share_check fails
  * routingtable: remove unnecessary check in node_placement()
  * config: it's faster to memcpy than strncpy
  * timers: fix typo in comment

  Nits.

  * debug: print interface name in dmesg

  For those who compile with `make debug`, you'll be happy to see a bit better
  information in dmesg.

  * timers: rework handshake reply control flow
  * timers: the completion of a handshake also is on key confirmation
  * timers: reset retry-attempt counter when not retrying

  Tightening up our timer implementation, which is quite important.

Signed-off-by: Dan Luedtke <mail@danrl.com>
2017-06-01 10:54:25 +02:00
Jason A. Donenfeld
1eeea05307 wireguard: version bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 20:21:36 +02:00
Jason A. Donenfeld
658ffbb3fd wireguard: preshared-key is now an attribute of the peer
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-09 16:51:34 +02:00
Jason A. Donenfeld
39af272f36 net/wireguard: update to 0.0.20170421
Simple version bump.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-04-21 06:22:51 +02:00
Jason A. Donenfeld
ac90f93973 net/wireguard: version bump
Simple version bump to 20170409.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-04-09 16:37:55 +02:00
Jason A. Donenfeld
056aeb26fc net/wireguard: version bump
Simple version bump to 20170324.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-03-24 05:03:56 +01:00
Jason A. Donenfeld
db983cc080 net/wireguard: version bump
Simple version bump to 20170320.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-03-20 04:19:58 +01:00
danrl
7a255f29f1 net/wireguard: add support for fwmark option
Adds support for the fwmark option.

FwMark is a 32-bit fwmark for outgoing packets.
If set to 0 or "off", this option is disabled.

Signed-off-by: Dan Luedtke <mail@danrl.com>
2017-02-27 20:44:33 +01:00
danrl
5d961f28c9 wireguard: version bump
Signed-off-by: Dan Luedtke <mail@danrl.com>
2017-02-23 16:46:41 +01:00
Jason A. Donenfeld
fd8a7479cf net/wireguard: add stub install section
This is in response to the metapackage discussion in openwrt/luci#1030.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-02-21 12:37:22 +01:00
Sven Roederer
0cc3e97f66 wireguard: move into VPN-submenu
Wireguard is a VPN-implementation and should
be located in VPN-submenu

Signed-off-by: Sven Roederer <freifunk@it-solutions.geroedel.de>
2017-02-18 01:49:46 +01:00
Jason A. Donenfeld
d1564042ef wireguard: simple package bump to 0.0.20170214
While I'm at it, add myself as maintainer, since I'm doing many of the
bumps anyway.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-02-14 19:45:45 +08:00
danrl
e0c2f5bdc8 wireguard: new version and usability improvements
Signed-off-by: Dan Luedtke <mail@danrl.com>
2017-01-16 11:20:07 +08:00
danrl
65cd2a6e43 wireguard: version bump
Signed-off-by: Dan Luedtke <mail@danrl.com>
2017-01-11 21:09:11 +01:00
Jason A. Donenfeld
37425e787e net/wireguard: update to 0.0.20161230
Simple version bump; no changes needed other than filename and hash.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2016-12-31 03:26:08 +01:00
Jason A. Donenfeld
52039ed443 net/wireguard: version bump
Update to a new wireguard version. Simple version bump.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2016-12-24 14:48:44 +08:00
danrl
7d34e8e5f4 wireguard: add protocol dependency for endpoints
Endpoint dependency implemented. The actual endpoint is used exclusively. Using
this approach we are dual-stack safe (no errors on missing protocol) and create
only the dependencies that are really necessary.

Signed-off-by: Dan Luedtke <mail@danrl.com>
2016-12-24 14:33:00 +08:00
Jason A. Donenfeld
c3f5ca5683 net/wireguard: version bump
Update to new snapshot version. We also make IPV6 optional, and
conditionally select the udptunnel6 module, using the same trick that
the strongswan package also uses for this kind of dependency expression.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2016-12-18 18:36:54 +01:00
Jason A. Donenfeld
f8916c2f33 net/wireguard: version bump
Update to new snapshot version.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2016-11-29 23:52:01 +01:00
viisauksena
a56138a8cd net/wireguard - bump to experimental-0.0.20161116.1
use latest tag https://git.zx2c4.com/WireGuard/tag/?h=experimental-0.0.20161116.1
Maintainer @zorun
Signed-off-by: Jens Viisauksena <wireguard@viisauksena.de>
2016-11-23 03:10:08 +01:00
danrl
c5a6eb25d9 wireguard-tools: Add missing directory
fixes issue #3515

Signed-off-by: Dan Luedtke <mail@danrl.com>
2016-11-16 11:02:44 +01:00
danrl
124ee5c30d wireguard-tools: Add netifd protocol helper
Signed-off-by: Dan Luedtke <mail@danrl.com>
2016-11-15 16:45:12 +01:00
Baptiste Jonglez
ff769f54b0 wireguard: Bump to 0.0.20161110
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2016-11-14 00:25:12 +01:00
Baptiste Jonglez
70c72dc0cf wireguard: Bump to 0.0.20161105
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2016-11-07 22:55:09 +01:00
Baptiste Jonglez
766b146fbe wireguard: Bump to 0.0.20161103
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2016-11-03 21:53:59 +01:00
Baptiste Jonglez
0c60737b38 wireguard: Bump to 0.0.20161025
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2016-10-29 23:20:26 +02:00
Baptiste Jonglez
c5d9fa8fb9 wireguard: Bump to 0.0.20161001
This should massively improve performance for (at least) MIPS targets:

    * poly1305: optimize unaligned access

    This is a very appreciated fix from René van Dorst, adjusting the
    arithmetic in Poly1305 to work fast on platforms with slow unaligned
    access, such as MIPS. According to his calculation, this gives a 50%
    improvement on small MIPS boxes.

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2016-10-01 01:44:08 +02:00
Baptiste Jonglez
3f2be1ad5c wireguard: Bump to 0.0.20160722
Also fix a new compilation error, due to upstream changes in the build
system.  SUBDIRS= is deprecated when building external kernel modules, use
M= instead to fix compilation.

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2016-07-23 14:02:24 +02:00
Baptiste Jonglez
d0e989aa3c wireguard: Bump to 0.0.20160711
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2016-07-17 23:03:20 +02:00
Baptiste Jonglez
b960814cd4 wireguard: Bump to 0.0.20160708.1
Also add the SHA256 checksum, since upstream now publishes it when releasing:

  https://lists.zx2c4.com/pipermail/wireguard/2016-July/000196.html

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2016-07-10 14:18:30 +02:00
Baptiste Jonglez
facf22d31f wireguard: Initial upload
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2016-07-02 19:00:31 +02:00