This knob might disappear at some point, and we don't want to encourage
its use, so it's not being documented, but this should help with
development of new implementations.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
For properly configured Homebrew installations /usr/local/bin should be
before /bin, so this should still work. This allows the script to be
used in more than one setting.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
If we're doing automatic routing with default routes, but the config has
also specified an explicit fwmark, then use that explicit fwmark, even
if it's conflicting, since the administrator has explicitly opted into
using it. Also, when shutting down the interface, we only now remove the
fancy rules if we're in automatic routing mode with default routes.
Suggested-by: Luis Ressel <aranea@aixah.de>
Reported-by: Saeid Akbari <saeidscorp@yahoo.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Some older broken resolvconfs don't support resolvconf -l, but do have a
file in a standard location, so use it.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Some older broken resolvconf implementations ignore -m, but do have an
interface-order list. It's better to use this list dynamically, in case
it changes, or in case it's not used by the OS's resolvconf
implementation, such as in the case of systemd or openresolv.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Before, this meant that it simply took the last 15 characters, instead
of erroring out when there's more than 15 chars.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This reverts commit da4ff396cc5d5e0ff21f9ecbc2f951c048c63fff and adds
some optimizations to hacl64.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
For now, it's faster:
hacl64: 109782 cycles per call
fiat64: 108984 cycles per call
It's quite possible this commit will be reverted with nice changes from
INRIA, though.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
While this has a negative performance impact on x86_64, it has a
positive performance impact on smaller machines, which is where we're
actually using this code. For example, an A53:
Before: fiat32: 228605 cycles per call
After: fiat32: 188307 cycles per call
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* Table=auto (default) selects the current behaviour
* Table=off disables creation of routes altogether
* All other values are passed through to "ip route add"'s table option
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
It's good to have SPDX identifiers in all files as the Linux kernel
developers are working to add these identifiers to all files.
Update all files with the correct SPDX license identifier based on the license
text of the project or based on the license in the file itself. The SPDX
identifier is a legally binding shorthand, which can be used instead of the
full boiler plate text.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Modified-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This gets us nanoseconds instead of microseconds, which is better, and
we can do this pretty much without freaking out existing userspace,
which doesn't actually make use of the nano/micro seconds field:
zx2c4@thinkpad ~ $ cat a.c
void main()
{
puts(sizeof(struct timeval) == sizeof(struct timespec) ? "success" : "failure");
}
zx2c4@thinkpad ~ $ gcc a.c -m64 && ./a.out
success
zx2c4@thinkpad ~ $ gcc a.c -m32 && ./a.out
success
This doesn't solve y2038 problem, but timespec64 isn't yet a thing in
userspace.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This ensures that on an unclean shutdown, we either see the old content
or the new content, but not empty content.
Suggested-by: Ka Ho Ng <ngkaho1234@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
One types:
for (i = 0 ...
So one should also type:
for_each_obj (obj ...
But the upstream kernel style guidelines are insane, and so we must
instead do:
for_each_obj(obj ...
Ugly, but one must choose his battles wisely.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This lets us do flexible things from wg-quick such as:
PostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)
It also was never a very sensible policy to enforce.
Suggested-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The reference to this is <https://sourceware.org/glibc/wiki/NameResolver>,
which mentions:
"From the perspective of the application that calls getaddrinfo() it
perhaps doesn't matter that much since EAI_FAIL, EAI_NONAME and
EAI_NODATA are all permanent failure codes and the causes are all
permanent failures in the sense that there is no point in retrying
later."
This should cover more early-boot situations.
While we're at it, we clean up the logic a bit so that we don't have a
retry message on the final non-retrying attempt. We also peer into errno
when receiving EAI_SYSTEM, to report to the user what actually happened.
Also, fix the quoting back tick front tick mess.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
DaveM suggests we do in fact do this. Others on the same thread weren't
happy about the length of the proposed message, so we also give a bit of
a less dramatic warning.
This reverts commit a2cc976a3b572cf308cc2d97c080eacac60416fe.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Also prefix octal 0, in case these files are actually of modes that
don't start with 0 by accident (such as SUID or sticky bit).
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This helps with old Debian which has ancient iproute2, as well as paving
the path toward this script supporting userspace implementations.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This doesn't actually fix a real problem, but it is more correct than
not having it.
Suggested-by: Aaron Sigel <aaron@vtty.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Maybe an attacker on the system could use the infoleak in /proc to gauge
how long a wg(8) process takes to complete and determine the number of
leading zeros. This is somewhat ridiculous, but it's possible somebody
somewhere might at somepoint care in the future, so alright.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>