Date: Tue, 24 Oct 2023 17:25:29 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 272842] Missing WireGuard integration into the base system rc.d scripts
Message-ID: <bug-272842-227-IZzqDjpoMD@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-272842-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-272842-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272842

--- Comment #7 from crest@rlwinm.de ---
The problem is harder than it looks. The wg-quick script contains an ugly hack that amounts to a daemon monitoring a route socket to allow WireGuard to not just collect all peers' AllowedIPs per tunnel and add an interface route once, but also resolve conflicts inside a single routing table at runtime, which is broken by design. FreeBSD has the required features (setfib, vnet) to express such a setup without fragile racy hacks or shell scripts with O(n^2) overhead (with n = number of routes).

This is the third version of this shell script and I removed a few features because the rc.d script ran into Greenspun's tenth rule and turned /bin/sh into a dynamically scoped LISP. That version contained higher order functions to loop over peers and their settings for use in the {Pre,Post}x{Up,Down} hooks, which would make it trivial to inject the routes from the PostUp hook. The version I've submitted in this PR lacks such features. To automate it using this rc.d script you have to parse the WireGuard configuration inside a hook. It implements both the wg-quick style hooks (it executes them in /bin/sh instead of /bin/bash) as well as calling into /etc/rc.d/netif, allowing all the usual ways to hook interface configuration changes to work too.

I can dig out the "semi sentient" rc.d script if you really want to dig through it, but the version in this PR already contains code to extract only the fields understood by the kernel from a wg-quick configuration. As long as you only want to collect the AllowedIPs per interface without preserving which peer they belong to, collecting the AllowedIPs into a single variable would work the same as collecting multiple Address lines into a single variable.

-- 
You are receiving this mail because:
You are the assignee for the bug.
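The field extraction the comment describes, sketched in POSIX /bin/sh as an added example (this is not the rc.d script attached to the PR): every AllowedIPs line of every peer, and every Address line, is folded into one space-separated list, so peer attribution is lost exactly as stated above. The configuration and key placeholders are constructed, and the FreeBSD route(8) commands are only printed, never executed.

```shell
#!/bin/sh
# Added example: collect the routing fields of a wg-quick style config with
# POSIX sh tools only. Not the script from the PR; sample data is constructed.

# wg_collect_field KEY FILE: print every value of "KEY = v1, v2" lines in FILE,
# one per line, with '#' comments, surrounding blanks and empty items removed.
wg_collect_field() {
    sed -e 's/#.*$//' "$2" | awk -F= -v key="$1" '
        {
            k = $1                       # copy: editing $1 would rebuild $0
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            val = substr($0, index($0, "=") + 1)
            n = split(val, parts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }'
}

# One tunnel's AllowedIPs (all peers) or Address lines as a single list.
wg_allowed_ips() { wg_collect_field AllowedIPs "$1" | tr '\n' ' ' | sed 's/ $//'; }
wg_addresses()   { wg_collect_field Address    "$1" | tr '\n' ' ' | sed 's/ $//'; }

# Emit (do not run) one interface route per AllowedIPs prefix for interface $2.
wg_route_cmds() {
    for p in $(wg_allowed_ips "$1"); do
        case $p in
            *:*) echo "route -q add -inet6 $p -interface $2" ;;
            *)   echo "route -q add -inet $p -interface $2" ;;
        esac
    done
}

# Constructed sample configuration (not from the PR); key material is a placeholder.
wg_sample_conf() {
    cat <<'EOF'
[Interface]
Address = 10.0.0.1/24, fd00::1/64
PrivateKey = PLACEHOLDER_PRIVATE_KEY   # not a routing field, ignored
[Peer]
PublicKey = PLACEHOLDER_PEER_A
AllowedIPs = 10.0.0.2/32, fd00::2/128
[Peer]
PublicKey = PLACEHOLDER_PEER_B
AllowedIPs = 10.0.0.3/32
AllowedIPs = 192.168.100.0/24
EOF
}
```

Run as `wg_sample_conf > wg0.conf; wg_route_cmds wg0.conf wg0` to see the four route commands a PostUp hook would have to issue for this config.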