
wg: ipc: add allowed-ip flags support for FreeBSD
Closed, Public

Authored by kevans on May 21 2025, 4:00 AM.

Details

Summary

For $reasons, we can't rely on flags in wireguard-tools for the kernel
side of WireGuard. Provide a mapping function that uses flags from the
kernel that we're building against and fail the operation if we made it
to the end without turning some wg(8) flag off.

Signed-off-by: Kyle Evans <kevans@FreeBSD.org>

Diff Detail

Repository: rG FreeBSD src repository
Lint: Lint Not Applicable
Unit: Tests Not Applicable

Event Timeline

This revision is now accepted and ready to land. May 23 2025, 7:48 PM

> For $reasons

Specifically, for the sake of out-of-tree builds of the wireguard tools on older FreeBSD? Or something else?

contrib/wireguard-tools/ipc-freebsd.h, line 24

Make this const and allowedip_flagp a pointer to const?

contrib/wireguard-tools/ipc-freebsd.h, line 26

Can we not just choose to make the flag you add in the kernel use the same constant value and name as the existing flag?

> > For $reasons
>
> Specifically, for the sake of out-of-tree builds of the wireguard tools on older FreeBSD? Or something else?

Right; I've since chatted with @jason_zx2c4.com a bit and he pointed out that the linux/uap version won't bother validating beforehand, so I think it makes sense to just keep the flag bits in sync, pass them through and let the kernel complain (or not).

contrib/wireguard-tools/ipc-freebsd.h, line 26

I went ahead and ripped all of this out, renamed the flag and noted to keep it in sync with containers.h.

Rip out everything existing, let's just assume FreeBSD's kernel module syncs
the flag bits appropriately and will reject flags it doesn't know about yet.

Also note that this fixes a Coverity report after the last wireguard-tools
import, but I don't have the CID on-hand. The assignment to ret in the
EOPNOTSUPP path is immediately made redundant as the first instruction after
the err_peer label is to re-assign ret.

This revision now requires review to proceed. Jun 12 2025, 1:00 AM
This revision is now accepted and ready to land. Jun 17 2025, 5:05 PM