The wireguard route table ip rule should stay as a no-op until the
`suppress_prefixlength 0 table main` rule is in effect. Therefore, add
the wireguard default route to its route table after the latter rule is
added.
Signed-off-by: Tom Yan <tom.ty89@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Looks like the "is valid ifname" regex was copy and pasted from
wg-quick.bash instead of the "is valid IP" regex.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
OpenBSD has introduced a new daemon named resolvd(8) to manage
resolv.conf. This creates problems with the old "horrible way" of
completely replacing resolv.conf. Resolvd will attempt to merge manual
changes with DNS servers discovered through dhcpleased(8) and slaacd(8).
Unfortunately, resolvd puts any manual modifications at the end of
resolv.conf, meaning that the wg-quick name servers will be queried
last.
The process for handling multiple name servers (at least with libc) is
to try a name server, and if the query times out, try the next, until
out of name servers, then repeat trying all name servers until a maximum
number of retries are performed. The name servers are queried in the
order listed in resolv.conf and the timeout is 5 seconds.
With this patch, we ensure the wg-quick name server is first in
resolv.conf (as route creates the name server with "static" priority),
but cannot ensure it is exclusive. Therfore, it may be possible that
queries are leaked to other name servers if the wg-quick name server
doesn't respond within 5 seconds.
We have another problem however, and that is if resolvd detects unwind
is running, it will set 127.0.0.1 as the only name server in
resolv.conf. unwind does not have deterministic name server selection in
the default configuration. This means, all a user would need to do to
inadvertently cause persistent query leaks would be to run `rcctl enable
unwind`.
There are warnings added when these situations may occur.
The next step is to add an exclusive flag and search to route and
resolvd.
Reported-by: Matthieu Herrb <matthieu@herrb.eu>
Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
On macOS, under specific configurations, the `netstat -nr -f inet` and
`netstat -nr -f inet6` outputs break gateway collection.
Signed-off-by: Laura Hausmann <laura@hausmann.dev>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
If the route monitor doesn't attempt to write more to stdout, then this
leaves a process hanging around. Kill it explicitly. We also switch to
using exec in the process substitution, to reduce a bash process.
Closes: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255286
Reported-by: Christos Chatzaras <chris@cretaforce.gr>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
We no longer need the arp hack, as these bugs have been fixed in the
FreeBSD kernel.
This partially reverts 090639ae90.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
FreeBSD's bash doesn't handle <(...) safely, creating a temporary file
instead of using /proc/self/fd/N like on Linux. Work around this by
using a simple pipeline with /dev/stdin.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
With alignment between the kernel and userspace, along with userspace
packages, we can now rely on the kernel in the future always having
wg(4).
This also simplifies the interface selection logic, and stores the
wg-quick interface name as the description.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This reverts commit 26683f6c9a, which
means the old problem comes back. That's an issue. But waiting on
process substitutions is not available with commonly used bash versions:
# wg-quick up demo
[#] ip link add demo type wireguard
[#] wg setconf demo /dev/fd/63
/usr/bin/wg-quick: line 251: wait: pid 2955 is not a child of this shell
[#] ip link delete dev demo
This means we have to wait a few years before fixing this issue. IOW,
bash limitation; can't fix.
Reported-by: Theodore Mozzo <theodore.mozzo@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Android 11's ndc regresses even more, but it turns out that netd doesn't
need to track up/down state via direct invocation, so just set the
interface up by way of normal iproute2.
Reported-by: Harsh Shandilya <me@msfjarvis.dev>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Bash does not propagate error values, which is a bummer, but process
substitutions are a useful feature. Introduce a new idiom to deal with
this: either "; wait $!" after the line to propagate the error, or "||
true" to indicate explicitly that we don't care about the error.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
If DNS= has an IP in it, treat it as a DNS server. If DNS= has a non-IP
in it, treat it as a DNS search domain.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Prior we only supported a blacklist, but actually a whitelist is an
easier algorithm because that's internally how netd considers it, so we
don't need to find range spans. This commit adds an IncludedApplications
key.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Different versions of netd have different limits on how many can be
passed at once.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Alexey <zaranecc@bk.ru>
Otherwise nft(8) has strange ideas of what a string is.
Suggested-by: RistiCore <RistiCore@mail.ee>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The ADDRESSES array might not have addresses added during PreUp. But
moreover, nft(8) and iptables(8) don't like ip addresses in the form
somev6prefix::someipv4suffix, such as fd00::1.2.3.4, while ip(8) can
handle it. So by adding these first and then asking for them back, we
always get normalized addresses suitable for nft(8) and iptables(8).
Reported-by: Silvan Nagl <mail@53c70r.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Daniel argues that technically a package manager could install nft(8)
after previously having started wg-quick(8) using iptables(8).
Suggested-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Older nft(8), such as that on Ubuntu, does not accept the - parameter to
the -f argument and doesn't accept symbolic priority names. So instead
use the canonical numeric priority forms and use <(echo) instead of -.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
If nft(8) is installed, use it. These rules should be identical to the
iptables-restore(8) ones, with the advantage that cleanup is easy
because we use custom table names.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
systemd-resolved has a compatibility interface for use with resolvconf
scripts when resolvectl is called from a symlink from resolvconf.
However, when tearing down the interface, cmd_down calls del_if and then
unset_dns. In the case of systemd-resolved, deleting the interface also
removes the systemd-resolved entry and causes resolvconf -d to fail when
resolvconf really is a symlink to resolvectl. This causes `wg-quick
down` and 'wg-quick@.service' to exit with failure.
Instead we use the resolvconf '-f' flag to ignore non-existent
interfaces, supported by both openresolv and sd-resolved resolvconf.
Signed-off-by: Ronan Pigott <rpigott@berkeley.edu>
[zx2c4: moved -f argument to end to remain compatible with Debian's resolvconf]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
route(8) has always used the `-T` option to specify the
routing table; there is no `rdomain` option.
Signed-off-by: Ankur Kothari <ankur@lipidity.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This causes wg-quick up to wait for the monitor to exit before it exits,
so that launchd can correctly wait on it.
Reported-by: Cameron Palmer <cameron@promon.no>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
`wg-quick strip` prints the config file to stdout after stripping it of
all wg-quick-specific options.
This enables tricks such as `wg addconf $DEV <(wg-quick strip $DEV)`.
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The commit 7c833642 ("wg-quick: freebsd: allow loopback to work") was
supposed to make things better, but actually it just started sending
legitimate localhost traffic over the WireGuard interface, which is
really quite bad.
This reverts commit 7c833642dfa342218602ab18e7091e86408d2982.
Reported-by: Matt Smith <matt.xtaz@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Tom Yan
Jason A. Donenfeld
Matt Dunwoodie
Laura Hausmann
Josh Soref
Nicolas Douma
Ronan Pigott
Ankur Kothari
Luis Ressel