
Merge tag 'wireguard-6.19-rc1-for-jakub' of https://git.kernel.org/pub/scm/linux/kernel/git/zx2c4/wireguard-linux

Jason A. Donenfeld says:

====================
WireGuard updates for Linux 6.19-rc1.

Please find here Asbjørn's ynl series. This has been sitting in my
testing for the last week or so, since he sent out the latest series.
I've dropped the YAML sample code, as he found an issue in it at the last
minute, but otherwise, we've sat on this code for long enough, so
let's see how it goes.

* tag 'wireguard-6.19-rc1-for-jakub' of https://git.kernel.org/pub/scm/linux/kernel/git/zx2c4/wireguard-linux:
wireguard: netlink: generate netlink code
wireguard: uapi: generate header with ynl-gen
wireguard: uapi: move flag enums
wireguard: uapi: move enum wg_cmd
wireguard: netlink: add YNL specification
wireguard: netlink: lower .maxattr for WG_CMD_GET_DEVICE
wireguard: netlink: convert to split ops
wireguard: netlink: use WG_KEY_LEN in policies
wireguard: netlink: validate nested arrays in policy
wireguard: netlink: enable strict genetlink validation
====================

Link: https://patch.msgid.link/
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+449 -216
+298
Documentation/netlink/specs/wireguard.yaml
··· 1 + # SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 2 + --- 3 + name: wireguard 4 + protocol: genetlink-legacy 5 + 6 + doc: | 7 + **Netlink protocol to control WireGuard network devices.** 8 + 9 + The below enums and macros are for interfacing with WireGuard, using generic 10 + netlink, with family ``WG_GENL_NAME`` and version ``WG_GENL_VERSION``. It 11 + defines two commands: get and set. Note that while they share many common 12 + attributes, these two commands actually accept a slightly different set of 13 + inputs and outputs. These differences are noted under the individual 14 + attributes. 15 + c-family-name: wg-genl-name 16 + c-version-name: wg-genl-version 17 + max-by-define: true 18 + 19 + definitions: 20 + - 21 + name-prefix: wg- 22 + name: key-len 23 + type: const 24 + value: 32 25 + - 26 + name: --kernel-timespec 27 + type: struct 28 + header: linux/time_types.h 29 + members: 30 + - 31 + name: sec 32 + type: u64 33 + doc: Number of seconds, since UNIX epoch. 34 + - 35 + name: nsec 36 + type: u64 37 + doc: Number of nanoseconds, after the second began. 
38 + - 39 + name: wgdevice-flags 40 + name-prefix: wgdevice-f- 41 + enum-name: wgdevice-flag 42 + type: flags 43 + entries: 44 + - replace-peers 45 + - 46 + name: wgpeer-flags 47 + name-prefix: wgpeer-f- 48 + enum-name: wgpeer-flag 49 + type: flags 50 + entries: 51 + - remove-me 52 + - replace-allowedips 53 + - update-only 54 + - 55 + name: wgallowedip-flags 56 + name-prefix: wgallowedip-f- 57 + enum-name: wgallowedip-flag 58 + type: flags 59 + entries: 60 + - remove-me 61 + 62 + attribute-sets: 63 + - 64 + name: wgdevice 65 + enum-name: wgdevice-attribute 66 + name-prefix: wgdevice-a- 67 + attr-cnt-name: --wgdevice-a-last 68 + attributes: 69 + - 70 + name: unspec 71 + type: unused 72 + value: 0 73 + - 74 + name: ifindex 75 + type: u32 76 + - 77 + name: ifname 78 + type: string 79 + checks: 80 + max-len: 15 81 + - 82 + name: private-key 83 + type: binary 84 + doc: Set to all zeros to remove. 85 + display-hint: hex 86 + checks: 87 + exact-len: wg-key-len 88 + - 89 + name: public-key 90 + type: binary 91 + display-hint: hex 92 + checks: 93 + exact-len: wg-key-len 94 + - 95 + name: flags 96 + type: u32 97 + doc: | 98 + ``0`` or ``WGDEVICE_F_REPLACE_PEERS`` if all current peers should be 99 + removed prior to adding the list below. 100 + enum: wgdevice-flags 101 + - 102 + name: listen-port 103 + type: u16 104 + doc: Set as ``0`` to choose randomly. 105 + - 106 + name: fwmark 107 + type: u32 108 + doc: Set as ``0`` to disable. 109 + - 110 + name: peers 111 + type: indexed-array 112 + sub-type: nest 113 + nested-attributes: wgpeer 114 + doc: | 115 + The index/type parameter is unused on ``SET_DEVICE`` operations and is 116 + zero on ``GET_DEVICE`` operations. 
117 + - 118 + name: wgpeer 119 + enum-name: wgpeer-attribute 120 + name-prefix: wgpeer-a- 121 + attr-cnt-name: --wgpeer-a-last 122 + attributes: 123 + - 124 + name: unspec 125 + type: unused 126 + value: 0 127 + - 128 + name: public-key 129 + type: binary 130 + display-hint: hex 131 + checks: 132 + exact-len: wg-key-len 133 + - 134 + name: preshared-key 135 + type: binary 136 + doc: Set as all zeros to remove. 137 + display-hint: hex 138 + checks: 139 + exact-len: wg-key-len 140 + - 141 + name: flags 142 + type: u32 143 + doc: | 144 + ``0`` and/or ``WGPEER_F_REMOVE_ME`` if the specified peer should not 145 + exist at the end of the operation, rather than added/updated and/or 146 + ``WGPEER_F_REPLACE_ALLOWEDIPS`` if all current allowed IPs of this 147 + peer should be removed prior to adding the list below and/or 148 + ``WGPEER_F_UPDATE_ONLY`` if the peer should only be set if it already 149 + exists. 150 + enum: wgpeer-flags 151 + - 152 + name: endpoint 153 + type: binary 154 + doc: struct sockaddr_in or struct sockaddr_in6 155 + checks: 156 + min-len: 16 157 + - 158 + name: persistent-keepalive-interval 159 + type: u16 160 + doc: Set as ``0`` to disable. 161 + - 162 + name: last-handshake-time 163 + type: binary 164 + struct: --kernel-timespec 165 + checks: 166 + exact-len: 16 167 + - 168 + name: rx-bytes 169 + type: u64 170 + - 171 + name: tx-bytes 172 + type: u64 173 + - 174 + name: allowedips 175 + type: indexed-array 176 + sub-type: nest 177 + nested-attributes: wgallowedip 178 + doc: | 179 + The index/type parameter is unused on ``SET_DEVICE`` operations and is 180 + zero on ``GET_DEVICE`` operations. 181 + - 182 + name: protocol-version 183 + type: u32 184 + doc: | 185 + Should not be set or used at all by most users of this API, as the 186 + most recent protocol will be used when this is unset. Otherwise, 187 + must be set to ``1``. 
188 + - 189 + name: wgallowedip 190 + enum-name: wgallowedip-attribute 191 + name-prefix: wgallowedip-a- 192 + attr-cnt-name: --wgallowedip-a-last 193 + attributes: 194 + - 195 + name: unspec 196 + type: unused 197 + value: 0 198 + - 199 + name: family 200 + type: u16 201 + doc: IP family, either ``AF_INET`` or ``AF_INET6``. 202 + - 203 + name: ipaddr 204 + type: binary 205 + doc: Either ``struct in_addr`` or ``struct in6_addr``. 206 + display-hint: ipv4-or-v6 207 + checks: 208 + min-len: 4 209 + - 210 + name: cidr-mask 211 + type: u8 212 + - 213 + name: flags 214 + type: u32 215 + doc: | 216 + ``WGALLOWEDIP_F_REMOVE_ME`` if the specified IP should be removed; 217 + otherwise, this IP will be added if it is not already present. 218 + enum: wgallowedip-flags 219 + 220 + operations: 221 + enum-name: wg-cmd 222 + name-prefix: wg-cmd- 223 + list: 224 + - 225 + name: get-device 226 + value: 0 227 + doc: | 228 + Retrieve WireGuard device 229 + ~~~~~~~~~~~~~~~~~~~~~~~~~ 230 + 231 + The command should be called with one but not both of: 232 + 233 + - ``WGDEVICE_A_IFINDEX`` 234 + - ``WGDEVICE_A_IFNAME`` 235 + 236 + The kernel will then return several messages (``NLM_F_MULTI``). It is 237 + possible that all of the allowed IPs of a single peer will not fit 238 + within a single netlink message. In that case, the same peer will be 239 + written in the following message, except it will only contain 240 + ``WGPEER_A_PUBLIC_KEY`` and ``WGPEER_A_ALLOWEDIPS``. This may occur 241 + several times in a row for the same peer. It is then up to the receiver 242 + to coalesce adjacent peers. Likewise, it is possible that all peers will 243 + not fit within a single message. So, subsequent peers will be sent in 244 + following messages, except those will only contain ``WGDEVICE_A_IFNAME`` 245 + and ``WGDEVICE_A_PEERS``. It is then up to the receiver to coalesce 246 + these messages to form the complete list of peers. 
247 + 248 + Since this is an ``NLA_F_DUMP`` command, the final message will always 249 + be ``NLMSG_DONE``, even if an error occurs. However, this ``NLMSG_DONE`` 250 + message contains an integer error code. It is either zero or a negative 251 + error code corresponding to the errno. 252 + attribute-set: wgdevice 253 + flags: [uns-admin-perm] 254 + 255 + dump: 256 + pre: wg-get-device-start 257 + post: wg-get-device-done 258 + request: 259 + attributes: 260 + - ifindex 261 + - ifname 262 + reply: &all-attrs 263 + attributes: 264 + - ifindex 265 + - ifname 266 + - private-key 267 + - public-key 268 + - flags 269 + - listen-port 270 + - fwmark 271 + - peers 272 + - 273 + name: set-device 274 + value: 1 275 + doc: | 276 + Set WireGuard device 277 + ~~~~~~~~~~~~~~~~~~~~ 278 + 279 + This command should be called with a wgdevice set, containing one but 280 + not both of ``WGDEVICE_A_IFINDEX`` and ``WGDEVICE_A_IFNAME``. 281 + 282 + It is possible that the amount of configuration data exceeds that of the 283 + maximum message length accepted by the kernel. In that case, several 284 + messages should be sent one after another, with each successive one 285 + filling in information not contained in the prior. Note that if 286 + ``WGDEVICE_F_REPLACE_PEERS`` is specified in the first message, it 287 + probably should not be specified in fragments that come after, so that 288 + the list of peers is only cleared the first time but appended after. 289 + Likewise for peers, if ``WGPEER_F_REPLACE_ALLOWEDIPS`` is specified in 290 + the first message of a peer, it likely should not be specified in 291 + subsequent fragments. 292 + 293 + If an error occurs, ``NLMSG_ERROR`` will reply containing an errno. 294 + attribute-set: wgdevice 295 + flags: [uns-admin-perm] 296 + 297 + do: 298 + request: *all-attrs
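Review bot: The get-device reply (`reply: &all-attrs`) carries `private-key`, and every peer nest may carry `preshared-key`, yet the operation doc never says that the dump returns key material; I would add to the get-device doc a sentence such as `The reply includes WGDEVICE_A_PRIVATE_KEY and each peer's WGPEER_A_PRESHARED_KEY, which is why the command requires uns-admin-perm (CAP_NET_ADMIN over the device's network namespace).` The `ifname` check `max-len: 15` is the old `IFNAMSIZ - 1` written as a literal with nothing tying it back, so a `doc: Interface name, at most IFNAMSIZ - 1 (15) bytes.` line would keep that relationship visible to whoever next edits the spec. The get-device request lists only `ifindex` and `ifname` and the generated dump policy is sized to WGDEVICE_A_IFNAME, so under strict validation a request carrying any other device attribute is presumably now rejected rather than ignored; if that is intended, the get-device doc should state that no other attributes are accepted.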
+1
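--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -27674,6 +27674,7 @@
 L: wireguard@lists.zx2c4.com
 L: netdev@vger.kernel.org
 S: Maintained
+F: Documentation/netlink/specs/wireguard.yaml
 F: drivers/net/wireguard/
 F: tools/testing/selftests/wireguard/
 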
+1 -1
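--- a/drivers/net/wireguard/Makefile
+++ b/drivers/net/wireguard/Makefile
@@ -13,5 +13,5 @@
 wireguard-y += allowedips.o
 wireguard-y += ratelimiter.o
 wireguard-y += cookie.o
-wireguard-y += netlink.o
+wireguard-y += netlink.o generated/netlink.o
 obj-$(CONFIG_WIREGUARD) := wireguard.o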
+73
drivers/net/wireguard/generated/netlink.c
··· 1 + // SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 2 + /* Do not edit directly, auto-generated from: */ 3 + /* Documentation/netlink/specs/wireguard.yaml */ 4 + /* YNL-GEN kernel source */ 5 + /* YNL-ARG --function-prefix wg */ 6 + /* To regenerate run: tools/net/ynl/ynl-regen.sh */ 7 + 8 + #include <net/netlink.h> 9 + #include <net/genetlink.h> 10 + 11 + #include "netlink.h" 12 + 13 + #include <uapi/linux/wireguard.h> 14 + #include <linux/time_types.h> 15 + 16 + /* Common nested types */ 17 + const struct nla_policy wireguard_wgallowedip_nl_policy[WGALLOWEDIP_A_FLAGS + 1] = { 18 + [WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16, }, 19 + [WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(4), 20 + [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8, }, 21 + [WGALLOWEDIP_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, 0x1), 22 + }; 23 + 24 + const struct nla_policy wireguard_wgpeer_nl_policy[WGPEER_A_PROTOCOL_VERSION + 1] = { 25 + [WGPEER_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(WG_KEY_LEN), 26 + [WGPEER_A_PRESHARED_KEY] = NLA_POLICY_EXACT_LEN(WG_KEY_LEN), 27 + [WGPEER_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, 0x7), 28 + [WGPEER_A_ENDPOINT] = NLA_POLICY_MIN_LEN(16), 29 + [WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NLA_U16, }, 30 + [WGPEER_A_LAST_HANDSHAKE_TIME] = NLA_POLICY_EXACT_LEN(16), 31 + [WGPEER_A_RX_BYTES] = { .type = NLA_U64, }, 32 + [WGPEER_A_TX_BYTES] = { .type = NLA_U64, }, 33 + [WGPEER_A_ALLOWEDIPS] = NLA_POLICY_NESTED_ARRAY(wireguard_wgallowedip_nl_policy), 34 + [WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32, }, 35 + }; 36 + 37 + /* WG_CMD_GET_DEVICE - dump */ 38 + static const struct nla_policy wireguard_get_device_nl_policy[WGDEVICE_A_IFNAME + 1] = { 39 + [WGDEVICE_A_IFINDEX] = { .type = NLA_U32, }, 40 + [WGDEVICE_A_IFNAME] = { .type = NLA_NUL_STRING, .len = 15, }, 41 + }; 42 + 43 + /* WG_CMD_SET_DEVICE - do */ 44 + static const struct nla_policy wireguard_set_device_nl_policy[WGDEVICE_A_PEERS + 1] = { 45 + [WGDEVICE_A_IFINDEX] = { .type = 
NLA_U32, }, 46 + [WGDEVICE_A_IFNAME] = { .type = NLA_NUL_STRING, .len = 15, }, 47 + [WGDEVICE_A_PRIVATE_KEY] = NLA_POLICY_EXACT_LEN(WG_KEY_LEN), 48 + [WGDEVICE_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(WG_KEY_LEN), 49 + [WGDEVICE_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, 0x1), 50 + [WGDEVICE_A_LISTEN_PORT] = { .type = NLA_U16, }, 51 + [WGDEVICE_A_FWMARK] = { .type = NLA_U32, }, 52 + [WGDEVICE_A_PEERS] = NLA_POLICY_NESTED_ARRAY(wireguard_wgpeer_nl_policy), 53 + }; 54 + 55 + /* Ops table for wireguard */ 56 + const struct genl_split_ops wireguard_nl_ops[2] = { 57 + { 58 + .cmd = WG_CMD_GET_DEVICE, 59 + .start = wg_get_device_start, 60 + .dumpit = wg_get_device_dumpit, 61 + .done = wg_get_device_done, 62 + .policy = wireguard_get_device_nl_policy, 63 + .maxattr = WGDEVICE_A_IFNAME, 64 + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DUMP, 65 + }, 66 + { 67 + .cmd = WG_CMD_SET_DEVICE, 68 + .doit = wg_set_device_doit, 69 + .policy = wireguard_set_device_nl_policy, 70 + .maxattr = WGDEVICE_A_PEERS, 71 + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, 72 + }, 73 + };
+30
drivers/net/wireguard/generated/netlink.h
··· 1 + /* SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) */ 2 + /* Do not edit directly, auto-generated from: */ 3 + /* Documentation/netlink/specs/wireguard.yaml */ 4 + /* YNL-GEN kernel header */ 5 + /* YNL-ARG --function-prefix wg */ 6 + /* To regenerate run: tools/net/ynl/ynl-regen.sh */ 7 + 8 + #ifndef _LINUX_WIREGUARD_GEN_H 9 + #define _LINUX_WIREGUARD_GEN_H 10 + 11 + #include <net/netlink.h> 12 + #include <net/genetlink.h> 13 + 14 + #include <uapi/linux/wireguard.h> 15 + #include <linux/time_types.h> 16 + 17 + /* Common nested types */ 18 + extern const struct nla_policy wireguard_wgallowedip_nl_policy[WGALLOWEDIP_A_FLAGS + 1]; 19 + extern const struct nla_policy wireguard_wgpeer_nl_policy[WGPEER_A_PROTOCOL_VERSION + 1]; 20 + 21 + /* Ops table for wireguard */ 22 + extern const struct genl_split_ops wireguard_nl_ops[2]; 23 + 24 + int wg_get_device_start(struct netlink_callback *cb); 25 + int wg_get_device_done(struct netlink_callback *cb); 26 + 27 + int wg_get_device_dumpit(struct sk_buff *skb, struct netlink_callback *cb); 28 + int wg_set_device_doit(struct sk_buff *skb, struct genl_info *info); 29 + 30 + #endif /* _LINUX_WIREGUARD_GEN_H */
+12 -56
drivers/net/wireguard/netlink.c
··· 9 9 #include "socket.h" 10 10 #include "queueing.h" 11 11 #include "messages.h" 12 + #include "generated/netlink.h" 12 13 13 14 #include <uapi/linux/wireguard.h> 14 15 ··· 19 18 #include <crypto/utils.h> 20 19 21 20 static struct genl_family genl_family; 22 - 23 - static const struct nla_policy device_policy[WGDEVICE_A_MAX + 1] = { 24 - [WGDEVICE_A_IFINDEX] = { .type = NLA_U32 }, 25 - [WGDEVICE_A_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ - 1 }, 26 - [WGDEVICE_A_PRIVATE_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN), 27 - [WGDEVICE_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN), 28 - [WGDEVICE_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, __WGDEVICE_F_ALL), 29 - [WGDEVICE_A_LISTEN_PORT] = { .type = NLA_U16 }, 30 - [WGDEVICE_A_FWMARK] = { .type = NLA_U32 }, 31 - [WGDEVICE_A_PEERS] = { .type = NLA_NESTED } 32 - }; 33 - 34 - static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = { 35 - [WGPEER_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN), 36 - [WGPEER_A_PRESHARED_KEY] = NLA_POLICY_EXACT_LEN(NOISE_SYMMETRIC_KEY_LEN), 37 - [WGPEER_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, __WGPEER_F_ALL), 38 - [WGPEER_A_ENDPOINT] = NLA_POLICY_MIN_LEN(sizeof(struct sockaddr)), 39 - [WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NLA_U16 }, 40 - [WGPEER_A_LAST_HANDSHAKE_TIME] = NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)), 41 - [WGPEER_A_RX_BYTES] = { .type = NLA_U64 }, 42 - [WGPEER_A_TX_BYTES] = { .type = NLA_U64 }, 43 - [WGPEER_A_ALLOWEDIPS] = { .type = NLA_NESTED }, 44 - [WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32 } 45 - }; 46 - 47 - static const struct nla_policy allowedip_policy[WGALLOWEDIP_A_MAX + 1] = { 48 - [WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16 }, 49 - [WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(sizeof(struct in_addr)), 50 - [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 }, 51 - [WGALLOWEDIP_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, __WGALLOWEDIP_F_ALL), 52 - }; 53 21 54 22 static struct wg_device *lookup_interface(struct nlattr 
**attrs, 55 23 struct sk_buff *skb) ··· 167 197 return -EMSGSIZE; 168 198 } 169 199 170 - static int wg_get_device_start(struct netlink_callback *cb) 200 + int wg_get_device_start(struct netlink_callback *cb) 171 201 { 172 202 struct wg_device *wg; 173 203 ··· 178 208 return 0; 179 209 } 180 210 181 - static int wg_get_device_dump(struct sk_buff *skb, struct netlink_callback *cb) 211 + int wg_get_device_dumpit(struct sk_buff *skb, struct netlink_callback *cb) 182 212 { 183 213 struct wg_peer *peer, *next_peer_cursor; 184 214 struct dump_ctx *ctx = DUMP_CTX(cb); ··· 272 302 */ 273 303 } 274 304 275 - static int wg_get_device_done(struct netlink_callback *cb) 305 + int wg_get_device_done(struct netlink_callback *cb) 276 306 { 277 307 struct dump_ctx *ctx = DUMP_CTX(cb); 278 308 ··· 437 467 438 468 nla_for_each_nested(attr, attrs[WGPEER_A_ALLOWEDIPS], rem) { 439 469 ret = nla_parse_nested(allowedip, WGALLOWEDIP_A_MAX, 440 - attr, allowedip_policy, NULL); 470 + attr, NULL, NULL); 441 471 if (ret < 0) 442 472 goto out; 443 473 ret = set_allowedip(peer, allowedip); ··· 470 500 return ret; 471 501 } 472 502 473 - static int wg_set_device(struct sk_buff *skb, struct genl_info *info) 503 + int wg_set_device_doit(struct sk_buff *skb, struct genl_info *info) 474 504 { 475 505 struct wg_device *wg = lookup_interface(info->attrs, skb); 476 506 u32 flags = 0; ··· 563 593 564 594 nla_for_each_nested(attr, info->attrs[WGDEVICE_A_PEERS], rem) { 565 595 ret = nla_parse_nested(peer, WGPEER_A_MAX, attr, 566 - peer_policy, NULL); 596 + NULL, NULL); 567 597 if (ret < 0) 568 598 goto out; 569 599 ret = set_peer(wg, peer); ··· 584 614 return ret; 585 615 } 586 616 587 - static const struct genl_ops genl_ops[] = { 588 - { 589 - .cmd = WG_CMD_GET_DEVICE, 590 - .start = wg_get_device_start, 591 - .dumpit = wg_get_device_dump, 592 - .done = wg_get_device_done, 593 - .flags = GENL_UNS_ADMIN_PERM 594 - }, { 595 - .cmd = WG_CMD_SET_DEVICE, 596 - .doit = wg_set_device, 597 - .flags = 
GENL_UNS_ADMIN_PERM 598 - } 599 - }; 600 - 601 617 static struct genl_family genl_family __ro_after_init = { 602 - .ops = genl_ops, 603 - .n_ops = ARRAY_SIZE(genl_ops), 604 - .resv_start_op = WG_CMD_SET_DEVICE + 1, 618 + .split_ops = wireguard_nl_ops, 619 + .n_split_ops = ARRAY_SIZE(wireguard_nl_ops), 605 620 .name = WG_GENL_NAME, 606 621 .version = WG_GENL_VERSION, 607 - .maxattr = WGDEVICE_A_MAX, 608 622 .module = THIS_MODULE, 609 - .policy = device_policy, 610 623 .netnsok = true 611 624 }; 612 625 613 626 int __init wg_genetlink_init(void) 614 627 { 628 + BUILD_BUG_ON(WG_KEY_LEN != NOISE_PUBLIC_KEY_LEN); 629 + BUILD_BUG_ON(WG_KEY_LEN != NOISE_SYMMETRIC_KEY_LEN); 630 + 615 631 return genl_register_family(&genl_family); 616 632 } 617 633
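Review bot: The two `nla_parse_nested(..., NULL, NULL)` calls in the SET_DEVICE hunks now parse the peer and allowedip nests with no policy at all, so they are only safe because genetlink has already validated every element through `NLA_POLICY_NESTED_ARRAY(wireguard_wgpeer_nl_policy)` (and, one level down, the wgallowedip policy) before the doit runs; nothing at the call sites says so. I would put `/* Already validated by genetlink via NLA_POLICY_NESTED_ARRAY; parse only. */` above each call, so that a future path that reaches this parsing without going through the generated policy is not mistaken for validated input. Both enclosing functions start before and end after their hunks, so I cannot see whether any other caller exists. The `BUILD_BUG_ON` pair in wg_genetlink_init is a good guard, since the generated policies size keys with the uapi `WG_KEY_LEN` rather than the Noise constants the old `device_policy`/`peer_policy` used.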
+34 -159
include/uapi/linux/wireguard.h
··· 1 - /* SPDX-License-Identifier: (GPL-2.0 WITH Linux-syscall-note) OR MIT */ 2 - /* 3 - * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 4 - * 5 - * Documentation 6 - * ============= 7 - * 8 - * The below enums and macros are for interfacing with WireGuard, using generic 9 - * netlink, with family WG_GENL_NAME and version WG_GENL_VERSION. It defines two 10 - * methods: get and set. Note that while they share many common attributes, 11 - * these two functions actually accept a slightly different set of inputs and 12 - * outputs. 13 - * 14 - * WG_CMD_GET_DEVICE 15 - * ----------------- 16 - * 17 - * May only be called via NLM_F_REQUEST | NLM_F_DUMP. The command should contain 18 - * one but not both of: 19 - * 20 - * WGDEVICE_A_IFINDEX: NLA_U32 21 - * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1 22 - * 23 - * The kernel will then return several messages (NLM_F_MULTI) containing the 24 - * following tree of nested items: 25 - * 26 - * WGDEVICE_A_IFINDEX: NLA_U32 27 - * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1 28 - * WGDEVICE_A_PRIVATE_KEY: NLA_EXACT_LEN, len WG_KEY_LEN 29 - * WGDEVICE_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN 30 - * WGDEVICE_A_LISTEN_PORT: NLA_U16 31 - * WGDEVICE_A_FWMARK: NLA_U32 32 - * WGDEVICE_A_PEERS: NLA_NESTED 33 - * 0: NLA_NESTED 34 - * WGPEER_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN 35 - * WGPEER_A_PRESHARED_KEY: NLA_EXACT_LEN, len WG_KEY_LEN 36 - * WGPEER_A_ENDPOINT: NLA_MIN_LEN(struct sockaddr), struct sockaddr_in or struct sockaddr_in6 37 - * WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL: NLA_U16 38 - * WGPEER_A_LAST_HANDSHAKE_TIME: NLA_EXACT_LEN, struct __kernel_timespec 39 - * WGPEER_A_RX_BYTES: NLA_U64 40 - * WGPEER_A_TX_BYTES: NLA_U64 41 - * WGPEER_A_ALLOWEDIPS: NLA_NESTED 42 - * 0: NLA_NESTED 43 - * WGALLOWEDIP_A_FAMILY: NLA_U16 44 - * WGALLOWEDIP_A_IPADDR: NLA_MIN_LEN(struct in_addr), struct in_addr or struct in6_addr 45 - * WGALLOWEDIP_A_CIDR_MASK: NLA_U8 46 - * 0: 
NLA_NESTED 47 - * ... 48 - * 0: NLA_NESTED 49 - * ... 50 - * ... 51 - * WGPEER_A_PROTOCOL_VERSION: NLA_U32 52 - * 0: NLA_NESTED 53 - * ... 54 - * ... 55 - * 56 - * It is possible that all of the allowed IPs of a single peer will not 57 - * fit within a single netlink message. In that case, the same peer will 58 - * be written in the following message, except it will only contain 59 - * WGPEER_A_PUBLIC_KEY and WGPEER_A_ALLOWEDIPS. This may occur several 60 - * times in a row for the same peer. It is then up to the receiver to 61 - * coalesce adjacent peers. Likewise, it is possible that all peers will 62 - * not fit within a single message. So, subsequent peers will be sent 63 - * in following messages, except those will only contain WGDEVICE_A_IFNAME 64 - * and WGDEVICE_A_PEERS. It is then up to the receiver to coalesce these 65 - * messages to form the complete list of peers. 66 - * 67 - * Since this is an NLA_F_DUMP command, the final message will always be 68 - * NLMSG_DONE, even if an error occurs. However, this NLMSG_DONE message 69 - * contains an integer error code. It is either zero or a negative error 70 - * code corresponding to the errno. 71 - * 72 - * WG_CMD_SET_DEVICE 73 - * ----------------- 74 - * 75 - * May only be called via NLM_F_REQUEST. The command should contain the 76 - * following tree of nested items, containing one but not both of 77 - * WGDEVICE_A_IFINDEX and WGDEVICE_A_IFNAME: 78 - * 79 - * WGDEVICE_A_IFINDEX: NLA_U32 80 - * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1 81 - * WGDEVICE_A_FLAGS: NLA_U32, 0 or WGDEVICE_F_REPLACE_PEERS if all current 82 - * peers should be removed prior to adding the list below. 
83 - * WGDEVICE_A_PRIVATE_KEY: len WG_KEY_LEN, all zeros to remove 84 - * WGDEVICE_A_LISTEN_PORT: NLA_U16, 0 to choose randomly 85 - * WGDEVICE_A_FWMARK: NLA_U32, 0 to disable 86 - * WGDEVICE_A_PEERS: NLA_NESTED 87 - * 0: NLA_NESTED 88 - * WGPEER_A_PUBLIC_KEY: len WG_KEY_LEN 89 - * WGPEER_A_FLAGS: NLA_U32, 0 and/or WGPEER_F_REMOVE_ME if the 90 - * specified peer should not exist at the end of the 91 - * operation, rather than added/updated and/or 92 - * WGPEER_F_REPLACE_ALLOWEDIPS if all current allowed 93 - * IPs of this peer should be removed prior to adding 94 - * the list below and/or WGPEER_F_UPDATE_ONLY if the 95 - * peer should only be set if it already exists. 96 - * WGPEER_A_PRESHARED_KEY: len WG_KEY_LEN, all zeros to remove 97 - * WGPEER_A_ENDPOINT: struct sockaddr_in or struct sockaddr_in6 98 - * WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL: NLA_U16, 0 to disable 99 - * WGPEER_A_ALLOWEDIPS: NLA_NESTED 100 - * 0: NLA_NESTED 101 - * WGALLOWEDIP_A_FAMILY: NLA_U16 102 - * WGALLOWEDIP_A_IPADDR: struct in_addr or struct in6_addr 103 - * WGALLOWEDIP_A_CIDR_MASK: NLA_U8 104 - * WGALLOWEDIP_A_FLAGS: NLA_U32, WGALLOWEDIP_F_REMOVE_ME if 105 - * the specified IP should be removed; 106 - * otherwise, this IP will be added if 107 - * it is not already present. 108 - * 0: NLA_NESTED 109 - * ... 110 - * 0: NLA_NESTED 111 - * ... 112 - * ... 113 - * WGPEER_A_PROTOCOL_VERSION: NLA_U32, should not be set or used at 114 - * all by most users of this API, as the 115 - * most recent protocol will be used when 116 - * this is unset. Otherwise, must be set 117 - * to 1. 118 - * 0: NLA_NESTED 119 - * ... 120 - * ... 121 - * 122 - * It is possible that the amount of configuration data exceeds that of 123 - * the maximum message length accepted by the kernel. In that case, several 124 - * messages should be sent one after another, with each successive one 125 - * filling in information not contained in the prior. 
Note that if 126 - * WGDEVICE_F_REPLACE_PEERS is specified in the first message, it probably 127 - * should not be specified in fragments that come after, so that the list 128 - * of peers is only cleared the first time but appended after. Likewise for 129 - * peers, if WGPEER_F_REPLACE_ALLOWEDIPS is specified in the first message 130 - * of a peer, it likely should not be specified in subsequent fragments. 131 - * 132 - * If an error occurs, NLMSG_ERROR will reply containing an errno. 133 - */ 1 + /* SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) */ 2 + /* Do not edit directly, auto-generated from: */ 3 + /* Documentation/netlink/specs/wireguard.yaml */ 4 + /* YNL-GEN uapi header */ 5 + /* To regenerate run: tools/net/ynl/ynl-regen.sh */ 134 6 135 - #ifndef _WG_UAPI_WIREGUARD_H 136 - #define _WG_UAPI_WIREGUARD_H 7 + #ifndef _UAPI_LINUX_WIREGUARD_H 8 + #define _UAPI_LINUX_WIREGUARD_H 137 9 138 - #define WG_GENL_NAME "wireguard" 139 - #define WG_GENL_VERSION 1 10 + #define WG_GENL_NAME "wireguard" 11 + #define WG_GENL_VERSION 1 140 12 141 - #define WG_KEY_LEN 32 142 - 143 - enum wg_cmd { 144 - WG_CMD_GET_DEVICE, 145 - WG_CMD_SET_DEVICE, 146 - __WG_CMD_MAX 147 - }; 148 - #define WG_CMD_MAX (__WG_CMD_MAX - 1) 13 + #define WG_KEY_LEN 32 149 14 150 15 enum wgdevice_flag { 151 - WGDEVICE_F_REPLACE_PEERS = 1U << 0, 152 - __WGDEVICE_F_ALL = WGDEVICE_F_REPLACE_PEERS 16 + WGDEVICE_F_REPLACE_PEERS = 1, 153 17 }; 18 + 19 + enum wgpeer_flag { 20 + WGPEER_F_REMOVE_ME = 1, 21 + WGPEER_F_REPLACE_ALLOWEDIPS = 2, 22 + WGPEER_F_UPDATE_ONLY = 4, 23 + }; 24 + 25 + enum wgallowedip_flag { 26 + WGALLOWEDIP_F_REMOVE_ME = 1, 27 + }; 28 + 154 29 enum wgdevice_attribute { 155 30 WGDEVICE_A_UNSPEC, 156 31 WGDEVICE_A_IFINDEX, ··· 36 161 WGDEVICE_A_LISTEN_PORT, 37 162 WGDEVICE_A_FWMARK, 38 163 WGDEVICE_A_PEERS, 164 + 39 165 __WGDEVICE_A_LAST 40 166 }; 41 167 #define WGDEVICE_A_MAX (__WGDEVICE_A_LAST - 1) 42 168 43 - enum wgpeer_flag { 44 - WGPEER_F_REMOVE_ME = 1U 
<< 0, 45 - WGPEER_F_REPLACE_ALLOWEDIPS = 1U << 1, 46 - WGPEER_F_UPDATE_ONLY = 1U << 2, 47 - __WGPEER_F_ALL = WGPEER_F_REMOVE_ME | WGPEER_F_REPLACE_ALLOWEDIPS | 48 - WGPEER_F_UPDATE_ONLY 49 - }; 50 169 enum wgpeer_attribute { 51 170 WGPEER_A_UNSPEC, 52 171 WGPEER_A_PUBLIC_KEY, ··· 53 184 WGPEER_A_TX_BYTES, 54 185 WGPEER_A_ALLOWEDIPS, 55 186 WGPEER_A_PROTOCOL_VERSION, 187 + 56 188 __WGPEER_A_LAST 57 189 }; 58 190 #define WGPEER_A_MAX (__WGPEER_A_LAST - 1) 59 191 60 - enum wgallowedip_flag { 61 - WGALLOWEDIP_F_REMOVE_ME = 1U << 0, 62 - __WGALLOWEDIP_F_ALL = WGALLOWEDIP_F_REMOVE_ME 63 - }; 64 192 enum wgallowedip_attribute { 65 193 WGALLOWEDIP_A_UNSPEC, 66 194 WGALLOWEDIP_A_FAMILY, 67 195 WGALLOWEDIP_A_IPADDR, 68 196 WGALLOWEDIP_A_CIDR_MASK, 69 197 WGALLOWEDIP_A_FLAGS, 198 + 70 199 __WGALLOWEDIP_A_LAST 71 200 }; 72 201 #define WGALLOWEDIP_A_MAX (__WGALLOWEDIP_A_LAST - 1) 73 202 74 - #endif /* _WG_UAPI_WIREGUARD_H */ 203 + enum wg_cmd { 204 + WG_CMD_GET_DEVICE, 205 + WG_CMD_SET_DEVICE, 206 + 207 + __WG_CMD_MAX 208 + }; 209 + #define WG_CMD_MAX (__WG_CMD_MAX - 1) 210 + 211 + #endif /* _UAPI_LINUX_WIREGUARD_H */
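Review bot: The regenerated header drops `__WGDEVICE_F_ALL`, `__WGPEER_F_ALL` and `__WGALLOWEDIP_F_ALL` from the exported uapi, which any userspace that used them to mask or validate flags will notice as a build break, and neither the header nor the commit message calls this out. Their role now lives in literal masks in the generated kernel policy (`0x1`, `0x7`, `0x1`), so a new flag has to be added to Documentation/netlink/specs/wireguard.yaml and regenerated rather than OR'ed into an enumerator; since this header is generated, a note to that effect belongs in the spec's top-level `doc:` rather than here. The SPDX identifier also changes from `OR MIT` to `OR BSD-3-Clause` and the copyright line is removed; if that relicensing is intentional, the commit message should say so.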