Different versions of netd have different limits on how many can be
passed at once.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Alexey <zaranecc@bk.ru>
We previously included $(pwd) in the compile output pretty printer,
because it matched our parent out-of-tree module build. Since we're no
longer coupled to the module, we can return to a prettier scheme of just
using the object name.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Fixes: eb68ad07 ("Makefile: even prettier output")
Otherwise nft(8) has strange ideas of what a string is.
Suggested-by: RistiCore <RistiCore@mail.ee>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
We used to reach back into parent directories for this, but with the
repo split, we now require our own copy.
We use -idirafter in case system headers are installed for the
wireguard.h netlink definitions.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The ADDRESSES array might not have addresses added during PreUp. But
moreover, nft(8) and iptables(8) don't like ip addresses in the form
somev6prefix::someipv4suffix, such as fd00::1.2.3.4, while ip(8) can
handle it. So by adding these first and then asking for them back, we
always get normalized addresses suitable for nft(8) and iptables(8).
Reported-by: Silvan Nagl <mail@53c70r.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Daniel argues that technically a package manager could install nft(8)
after previously having started wg-quick(8) using iptables(8).
Suggested-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Older nft(8), such as that on Ubuntu, does not accept the - parameter to
the -f argument and doesn't accept symbolic priority names. So instead
use the canonical numeric priority forms and use <(echo) instead of -.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
If nft(8) is installed, use it. These rules should be identical to the
iptables-restore(8) ones, with the advantage that cleanup is easy
because we use custom table names.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
systemd-resolved has a compatibility interface for use with resolvconf
scripts when resolvectl is called from a symlink from resolvconf.
However, when tearing down the interface, cmd_down calls del_if and then
unset_dns. In the case of systemd-resolved, deleting the interface also
removes the systemd-resolved entry and causes resolvconf -d to fail when
resolvconf really is a symlink to resolvectl. This causes `wg-quick
down` and 'wg-quick@.service' to exit with failure.
Instead we use the resolvconf '-f' flag to ignore non-existent
interfaces, supported by both openresolv and sd-resolved resolvconf.
Signed-off-by: Ronan Pigott <rpigott@berkeley.edu>
[zx2c4: moved -f argument to end to remain compatible with Debian's resolvconf]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
route(8) has always used the `-T` option to specify the
routing table; there is no `rdomain` option.
Signed-off-by: Ankur Kothari <ankur@lipidity.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Jason A. Donenfeld
Devin Smith
Kai Haberzettl
Josh Soref
Nicolas Douma
Ronan Pigott
Ankur Kothari