kern: wg: add support for removing Allowed-IPs
Needs Review (Public)

Authored by kevans on Wed, May 21, 4:00 AM.

Summary

This was recently added to Linux to improve incremental update support,
as you could previously add Allowed-IPs but not remove them without replacing
the whole set (and thus, potentially disrupting existing traffic).

Removal is incredibly straightforward; we'll find it in p_aips first
to ensure that it's actually valid for this peer, then we'll delete it
from the radix tree before we remove the corresponding p_aips entry.

Diff Detail

Repository: rG FreeBSD src repository
Lint: Skipped
Unit tests: Skipped
Build Status: Buildable 64334; Build 61218: arc lint + arc unit

Event Timeline

jason_zx2c4.com added inline comments.
sys/dev/wg/if_wg.c, line 633

This seems kind of inefficient -- O(n). Instead, you can look up the IP in the trie itself, making sure that it's an exact match, and then after double-check that node->peer==peer.

That's what we do on Linux and in Go:

https://git.zx2c4.com/wireguard-linux/tree/drivers/net/wireguard/allowedips.c?h=devel#n283
https://git.zx2c4.com/wireguard-go/tree/device/allowedips.go#n259

sys/dev/wg/if_wg.h, line 37

Would it be better to have this macro be constructed by OR-ing together the various supported flags for future proofing?
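Added here as an illustration of the exact-match approach described in the first inline comment (this is not the review's patch nor the FreeBSD or Linux driver code): a hypothetical IPv4-only binary trie in which removal walks to the node for addr/cidr, requires that an inserted prefix end exactly there, and checks that its owning peer matches before clearing it, so no linear scan of the peer's list is needed. The names `aip_node`, `aip_new`, `aip_add`, `aip_remove` and `aip_lookup` are assumptions; the real driver uses a radix tree, handles IPv6 and frees emptied nodes.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical minimal allowed-IPs trie (IPv4 only, for illustration). */
struct aip_node {
	struct aip_node *child[2];
	void *peer;	/* owner; set only on the node where an inserted prefix ends */
};
struct aip_node *aip_new(void) { return calloc(1, sizeof(struct aip_node)); }

/* Follow the first cidr bits of addr; create missing nodes only if asked. */
static struct aip_node *aip_walk(struct aip_node *n, uint32_t addr, int cidr, int create)
{
	if (cidr < 0 || cidr > 32) return NULL;	/* reject malformed prefix lengths */
	for (int i = 0; i < cidr && n != NULL; i++) {
		int bit = (addr >> (31 - i)) & 1;
		if (n->child[bit] == NULL && create)
			n->child[bit] = calloc(1, sizeof(*n));
		n = n->child[bit];
	}
	return n;
}
/* Insert addr/cidr for peer; re-adding an existing prefix moves ownership. */
int aip_add(struct aip_node *root, uint32_t addr, int cidr, void *peer)
{
	struct aip_node *n = aip_walk(root, addr, cidr, 1);
	if (n == NULL) return -1;
	n->peer = peer;
	return 0;
}
/* Exact-match removal, no scan of the peer's list: -1 if addr/cidr is not
 * present exactly as given or is owned by a different peer, else 0. */
int aip_remove(struct aip_node *root, uint32_t addr, int cidr, void *peer)
{
	struct aip_node *n = aip_walk(root, addr, cidr, 0);
	if (n == NULL || n->peer == NULL) return -1;	/* no exact match */
	if (n->peer != peer) return -1;			/* belongs to another peer */
	n->peer = NULL;		/* a real driver would also free emptied nodes */
	return 0;
}
/* Longest-prefix match: which peer owns addr after adds and removals. */
void *aip_lookup(struct aip_node *n, uint32_t addr)
{
	void *found = n->peer;
	for (int i = 0; i < 32 && n != NULL; i++) {
		n = n->child[(addr >> (31 - i)) & 1];
		if (n != NULL && n->peer != NULL) found = n->peer;
	}
	return found;
}
```

Removing a /16 nested under another peer's /8 leaves traffic for that range matching the /8 again, which is the incremental-update behaviour the summary is after.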