Date: Mon, 21 Jul 2025 02:13:44 GMT
Message-Id: <202507210213.56L2Dibe013473@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kyle Evans
Subject: git: 785abf57ab46 - stable/14 - Merge commit '2a7e45eef31292cf9dd82caf3346eb2acb5b6225'
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 785abf57ab46cd890e5f5efc05d897b27edb2f35
Auto-Submitted: auto-generated

The branch stable/14 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=785abf57ab46cd890e5f5efc05d897b27edb2f35

commit 785abf57ab46cd890e5f5efc05d897b27edb2f35
Author:     Kyle Evans
AuthorDate: 2025-05-21 01:36:07 +0000
Commit:     Kyle Evans
CommitDate: 2025-07-21 02:12:24 +0000

    Merge commit '2a7e45eef31292cf9dd82caf3346eb2acb5b6225'

    Update wireguard-tools to the latest version, which has some stubbed out
    support for incremental Allowed-IPs updates that we would need to add
    kernel support for.

    (cherry picked from commit 137de4b34d45192985e21f6d6163533da547fbac)
---
 contrib/wireguard-tools/config.c      | 23 +++++++++++++++++++++++
 contrib/wireguard-tools/containers.h  |  5 +++++
 contrib/wireguard-tools/ipc-freebsd.h |  5 +++++
 contrib/wireguard-tools/ipc-uapi.h    |  2 +-
 contrib/wireguard-tools/man/wg.8      |  8 ++++++--
 contrib/wireguard-tools/set.c         |  2 +-
 contrib/wireguard-tools/show.c        |  4 ++--
 contrib/wireguard-tools/version.h     |  2 +-
 8 files changed, 44 insertions(+), 7 deletions(-)

diff --git a/contrib/wireguard-tools/config.c b/contrib/wireguard-tools/config.c index 81ccb479c367..6b8aa58700ce 100644 --- a/contrib/wireguard-tools/config.c +++ b/contrib/wireguard-tools/config.c
@@ -337,6 +337,20 @@ static bool validate_netmask(struct wgallowedip *allowedip) return true; } +static inline void parse_ip_prefix(struct wgpeer *peer, uint32_t *flags, char **mask) +{ + /* If the IP is prefixed with either '+' or '-' consider this an + * incremental change. Disable WGPEER_REPLACE_ALLOWEDIPS. */ + switch ((*mask)[0]) { + case '-': + *flags |= WGALLOWEDIP_REMOVE_ME; + /* fall through */ + case '+': + peer->flags &= ~WGPEER_REPLACE_ALLOWEDIPS; + ++(*mask); + } +} + static inline bool parse_allowedips(struct wgpeer *peer, struct wgallowedip **last_allowedip, const char *value) { struct wgallowedip *allowedip = *last_allowedip, *new_allowedip; @@ -353,10 +367,18 @@ static inline bool parse_allowedips(struct wgpeer *peer, struct wgallowedip **la } sep = mutable; while ((mask = strsep(&sep, ","))) { + uint32_t flags = 0; unsigned long cidr; char *end, *ip; + parse_ip_prefix(peer, &flags, &mask); + saved_entry = strdup(mask); + if (!saved_entry) { + perror("strdup"); + free(mutable); + return false; + } ip = strsep(&mask, "/"); new_allowedip = calloc(1, sizeof(*new_allowedip)); @@ -387,6 +409,7 @@ static inline bool parse_allowedips(struct wgpeer *peer, struct wgallowedip **la else goto err; new_allowedip->cidr = cidr; + new_allowedip->flags = flags; if (!validate_netmask(new_allowedip)) fprintf(stderr, "Warning: AllowedIP has nonzero host part: %s/%s\n", ip, mask); diff --git a/contrib/wireguard-tools/containers.h b/contrib/wireguard-tools/containers.h index a82e8ddee46a..8fd813aff342 100644 --- a/contrib/wireguard-tools/containers.h +++ b/contrib/wireguard-tools/containers.h @@ -28,6 +28,10 @@ struct timespec64 { int64_t tv_nsec; }; +enum { + WGALLOWEDIP_REMOVE_ME = 1U << 0, +}; + struct wgallowedip { uint16_t family; union { @@ -35,6 +39,7 @@ struct wgallowedip { struct in6_addr ip6; }; uint8_t cidr; + uint32_t flags; struct wgallowedip *next_allowedip; }; 
diff --git a/contrib/wireguard-tools/ipc-freebsd.h b/contrib/wireguard-tools/ipc-freebsd.h index 446f13cacac2..58e5e71ce5cb 100644 --- a/contrib/wireguard-tools/ipc-freebsd.h +++ b/contrib/wireguard-tools/ipc-freebsd.h @@ -307,6 +307,11 @@ static int kernel_set_device(struct wgdevice *dev) nvl_aips[j] = nvlist_create(0); if (!nvl_aips[j]) goto err_peer; + if (aip->flags) { + //TODO: implement me + ret = -EOPNOTSUPP; + goto err_peer; + } nvlist_add_number(nvl_aips[j], "cidr", aip->cidr); if (aip->family == AF_INET) nvlist_add_binary(nvl_aips[j], "ipv4", &aip->ip4, sizeof(aip->ip4)); diff --git a/contrib/wireguard-tools/ipc-uapi.h b/contrib/wireguard-tools/ipc-uapi.h index f582916ecc9f..1d8a2710250a 100644 --- a/contrib/wireguard-tools/ipc-uapi.h +++ b/contrib/wireguard-tools/ipc-uapi.h @@ -89,7 +89,7 @@ static int userspace_set_device(struct wgdevice *dev) continue; } else continue; - fprintf(f, "allowed_ip=%s/%d\n", ip, allowedip->cidr); + fprintf(f, "allowed_ip=%s%s/%d\n", (allowedip->flags & WGALLOWEDIP_REMOVE_ME) ? "-" : "", ip, allowedip->cidr); } } fprintf(f, "\n"); diff --git a/contrib/wireguard-tools/man/wg.8 b/contrib/wireguard-tools/man/wg.8 index 79845391ec02..a0fc04c04cf1 100644 --- a/contrib/wireguard-tools/man/wg.8 +++ b/contrib/wireguard-tools/man/wg.8 
@@ -55,7 +55,7 @@ transfer-rx, transfer-tx, persistent-keepalive. Shows the current configuration of \fI\fP in the format described by \fICONFIGURATION FILE FORMAT\fP below. .TP -\fBset\fP \fI\fP [\fIlisten-port\fP \fI\fP] [\fIfwmark\fP \fI\fP] [\fIprivate-key\fP \fI\fP] [\fIpeer\fP \fI\fP [\fIremove\fP] [\fIpreshared-key\fP \fI\fP] [\fIendpoint\fP \fI:\fP] [\fIpersistent-keepalive\fP \fI\fP] [\fIallowed-ips\fP \fI/\fP[,\fI/\fP]...] ]... +\fBset\fP \fI\fP [\fIlisten-port\fP \fI\fP] [\fIfwmark\fP \fI\fP] [\fIprivate-key\fP \fI\fP] [\fIpeer\fP \fI\fP [\fIremove\fP] [\fIpreshared-key\fP \fI\fP] [\fIendpoint\fP \fI:\fP] [\fIpersistent-keepalive\fP \fI\fP] [\fIallowed-ips\fP \fI[+|-]/\fP[,\fI[+|-]/\fP]...] ]... Sets configuration values for the specified \fI\fP. Multiple \fIpeer\fPs may be specified, and if the \fIremove\fP argument is given for a peer, that peer is removed, not configured. If \fIlisten-port\fP @@ -72,7 +72,11 @@ the device. The use of \fIpreshared-key\fP is optional, and may be omitted; it adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance. If \fIallowed-ips\fP is specified, but the value is the empty string, all -allowed ips are removed from the peer. The use of \fIpersistent-keepalive\fP +allowed ips are removed from the peer. By default, \fIallowed-ips\fP replaces +a peer's allowed ips. If + or - is prepended to any of the ips then +the update is incremental; ips prefixed with '+' or '' are added to the peer's +allowed ips if not present while ips prefixed with '-' are removed if present. +The use of \fIpersistent-keepalive\fP is optional and is by default off; setting it to 0 or "off" disables it. Otherwise it represents, in seconds, between 1 and 65535 inclusive, how often to send an authenticated empty packet to the peer, for the purpose of keeping 
diff --git a/contrib/wireguard-tools/set.c b/contrib/wireguard-tools/set.c index 75560fd8cf62..992ffa205d6b 100644 --- a/contrib/wireguard-tools/set.c +++ b/contrib/wireguard-tools/set.c @@ -18,7 +18,7 @@ int set_main(int argc, const char *argv[]) int ret = 1; if (argc < 3) { - fprintf(stderr, "Usage: %s %s [listen-port ] [fwmark ] [private-key ] [peer [remove] [preshared-key ] [endpoint :] [persistent-keepalive ] [allowed-ips /[,/]...] ]...\n", PROG_NAME, argv[0]); + fprintf(stderr, "Usage: %s %s [listen-port ] [fwmark ] [private-key ] [peer [remove] [preshared-key ] [endpoint :] [persistent-keepalive ] [allowed-ips [+|-]/[,[+|-]/]...] ]...\n", PROG_NAME, argv[0]); return 1; } diff --git a/contrib/wireguard-tools/show.c b/contrib/wireguard-tools/show.c index 3fd3d9e2a151..13777cf04280 100644 --- a/contrib/wireguard-tools/show.c +++ b/contrib/wireguard-tools/show.c @@ -312,9 +312,9 @@ static bool ugly_print(struct wgdevice *device, const char *param, bool with_int else printf("off\n"); } else if (!strcmp(param, "endpoints")) { - if (with_interface) - printf("%s\t", device->name); for_each_wgpeer(device, peer) { + if (with_interface) + printf("%s\t", device->name); printf("%s\t", key(peer->public_key)); if (peer->endpoint.addr.sa_family == AF_INET || peer->endpoint.addr.sa_family == AF_INET6) printf("%s\n", endpoint(&peer->endpoint.addr)); diff --git a/contrib/wireguard-tools/version.h b/contrib/wireguard-tools/version.h index c3ca131aadf4..0a7ef8daf041 100644 --- a/contrib/wireguard-tools/version.h +++ b/contrib/wireguard-tools/version.h @@ -1,3 +1,3 @@ #ifndef WIREGUARD_TOOLS_VERSION -#define WIREGUARD_TOOLS_VERSION "1.0.20210914" +#define WIREGUARD_TOOLS_VERSION "1.0.20250521" #endif
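Review bot: in the new parse_ip_prefix() in config.c, a '+' or '-' on any single entry clears WGPEER_REPLACE_ALLOWEDIPS for the whole peer, so in `allowed-ips 10.0.0.0/8,+10.1.0.0/16` the unprefixed first entry is also treated as an incremental add rather than as a replacement of the peer's list; this matches the wg.8 text but is order-dependent and easy to miss, so a comment on the function saying that one prefixed entry switches the entire list into incremental mode would help the next reader. The switch also advances past a bare "+" or "-" with nothing after it and leaves rejection of the resulting empty string to the later address parse; checking `(*mask)[1] != '\0'` before `++(*mask)` would give a clearer error at the point the user made the mistake.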
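Review bot: in the parse_allowedips() loop in config.c, `saved_entry = strdup(mask)` is taken after parse_ip_prefix() has already consumed the leading '+' or '-', so any diagnostic built from saved_entry will not show the sign the user typed; if the copy exists for error reporting, take it before the prefix is stripped. The visible lines also do not show saved_entry being freed on the success path of each iteration, only the new early-return path frees `mutable`, so please confirm the copy is released once per entry rather than only on error, otherwise one allocation per allowed IP leaks for every `wg set` or `wg setconf`.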
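Review bot: in containers.h, WGALLOWEDIP_REMOVE_ME and the new `uint32_t flags` member land without a comment saying what the bit means or that the field is only meaningful to backends that implement incremental updates; a one-line comment on the enum would save a trip into config.c and ipc-uapi.h. Putting a 32-bit field after `uint8_t cidr` also adds padding inside struct wgallowedip, which is harmless here because config.c allocates the struct with calloc(), but keep it in mind if the struct is ever copied into a fixed-layout message.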
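Review bot: in kernel_set_device() in ipc-freebsd.h, the `if (aip->flags)` guard only catches '-' entries, because parse_ip_prefix() sets WGALLOWEDIP_REMOVE_ME for '-' only while a '+' prefix merely clears WGPEER_REPLACE_ALLOWEDIPS on the peer; a '+'-prefixed list therefore passes this check, and whether the cleared replace flag then reaches the kernel depends on code outside this hunk, even though the commit message says kernel support is still missing. Reject the incremental mode at the peer level too (for example when `peer->flags` lacks WGPEER_REPLACE_ALLOWEDIPS), or the '+' form will behave however the current kernel treats the peer-level flag rather than failing cleanly. Two smaller points: the check runs after `nvlist_create(0)` for nvl_aips[j], so moving it above the allocation avoids creating an nvlist only to hand it to err_peer, and `//TODO: implement me` is a C++-style comment where the surrounding code (see the config.c hunk) uses /* */.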
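Review bot: in userspace_set_device() in ipc-uapi.h, the "-" prefix is now written into the `allowed_ip=` line whenever WGALLOWEDIP_REMOVE_ME is set, with no check that the userspace implementation behind the socket understands the extended protocol; a daemon that predates it will reject or misparse the line and the user sees whatever error that daemon returns. The man page should say that incremental removals need a userspace backend that understands the prefixed form. The '+' case is not emitted here at all, so please confirm that the peer-level replace flag is what carries the "add without replacing" semantics on the UAPI side; that code is outside this hunk.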
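Review bot: in the new wg.8 paragraph, "ips prefixed with '+' or ''" reads as a typo; say "ips prefixed with '+', or not prefixed at all," so the empty-string literal does not look like a dropped character, and quote '+' and '-' consistently (the preceding sentence has them bare). Since the FreeBSD kernel backend in ipc-freebsd.h currently fails the whole `set` with EOPNOTSUPP when a '-' entry is present, the man page shipped with FreeBSD should also state that the incremental form is not yet supported on this platform.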
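Review bot: the show.c hunk that moves `if (with_interface) printf("%s\t", device->name);` inside the for_each_wgpeer loop fixes `wg show all endpoints` printing the interface name only in front of the first peer, but the commit message mentions only the incremental Allowed-IPs work; please add a line about this output fix, and note that it changes the output shape (one interface column per peer row instead of one per interface) for anything that scripts around it.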