kern: wg: add support for removing Allowed-IPs
Needs ReviewPublic
Actions

Authored by kevans on Wed, May 21, 4:00 AM.

Details

Reviewers

ivy
jhb
markj
aly_aaronly.me

Summary

This was recently added to Linux to improve incremental update support,
as you could previously add Allowed-IPs but not remove without replacing
the whole set (and thus, potentially disrupting existing traffic).

Removal is incredibly straightforward; we'll find it in p_aips first
to ensure that it's actually valid for this peer, then we'll delete it
from the radix tree before we remove the corresponding p_aips entry.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 64334
Build 61218: arc lint + arc unit

Event Timeline

kevans created this revision.Wed, May 21, 4:00 AM

Herald added a subscriber: imp. · View Herald TranscriptWed, May 21, 4:00 AM

kevans requested review of this revision.Wed, May 21, 4:00 AM

Harbormaster completed remote builds in B64334: Diff 155803.Wed, May 21, 4:00 AM

kevans added a parent revision: D50447: kern: wg: split address/mask construction out of wg_aip_add().Wed, May 21, 4:00 AM

kevans added a child revision: D50449: tests: extend wireguard test to cover incremental allowed-ips updates.

jason_zx2c4.com added a subscriber: jason_zx2c4.com.Thu, May 22, 12:29 AM

jason_zx2c4.com added inline comments.

sys/dev/wg/if_wg.c
633	This seems kind of inefficient -- O(n). Instead, you can look up the IP in the trie itself, making sure that it's an exact match, and then after double check that node->peer==peer. That's what we do on Linux and in Go: https://git.zx2c4.com/wireguard-linux/tree/drivers/net/wireguard/allowedips.c?h=devel#n283 https://git.zx2c4.com/wireguard-go/tree/device/allowedips.go#n259