Commit 31a3ed49 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'wireguard-6.19-rc1-for-jakub' of... 

Merge tag 'wireguard-6.19-rc1-for-jakub' of https://git.kernel.org/pub/scm/linux/kernel/git/zx2c4/wireguard-linux

Jason A. Donenfeld says:

====================
WireGuard updates for Linux 6.19-rc1.

Please find here Asbjørn's ynl series. This has been sitting in my
testing for the last week or so, since he sent out the latest series.
I've dropped the yml sample code, as he found an issue in that last
minute, but otherwise, we've sat on this code for long enough, so
let's see how it goes.

* tag 'wireguard-6.19-rc1-for-jakub' of https://git.kernel.org/pub/scm/linux/kernel/git/zx2c4/wireguard-linux:
  wireguard: netlink: generate netlink code
  wireguard: uapi: generate header with ynl-gen
  wireguard: uapi: move flag enums
  wireguard: uapi: move enum wg_cmd
  wireguard: netlink: add YNL specification
  wireguard: netlink: lower .maxattr for WG_CMD_GET_DEVICE
  wireguard: netlink: convert to split ops
  wireguard: netlink: use WG_KEY_LEN in policies
  wireguard: netlink: validate nested arrays in policy
  wireguard: netlink: enable strict genetlink validation
====================

Link: https://patch.msgid.link/


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents cbc19b32 3fd2f3d2

Documentation/netlink/specs/wireguard.yaml

0 → 100644
+298 −0
Original line number Diff line number Diff line 
# SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)

---

name: wireguard

protocol: genetlink-legacy



doc: |

  **Netlink protocol to control WireGuard network devices.**



  The below enums and macros are for interfacing with WireGuard, using generic

  netlink, with family ``WG_GENL_NAME`` and version ``WG_GENL_VERSION``. It

  defines two commands: get and set. Note that while they share many common

  attributes, these two commands actually accept a slightly different set of

  inputs and outputs. These differences are noted under the individual

  attributes.

c-family-name: wg-genl-name

c-version-name: wg-genl-version

max-by-define: true



definitions:

  -

    name-prefix: wg-

    name: key-len

    type: const

    value: 32

  -

    name: --kernel-timespec

    type: struct

    header: linux/time_types.h

    members:

      -

        name: sec

        type: u64

        doc: Number of seconds, since UNIX epoch.

      -

        name: nsec

        type: u64

        doc: Number of nanoseconds, after the second began.

  -

    name: wgdevice-flags

    name-prefix: wgdevice-f-

    enum-name: wgdevice-flag

    type: flags

    entries:

      - replace-peers

  -

    name: wgpeer-flags

    name-prefix: wgpeer-f-

    enum-name: wgpeer-flag

    type: flags

    entries:

      - remove-me

      - replace-allowedips

      - update-only

  -

    name: wgallowedip-flags

    name-prefix: wgallowedip-f-

    enum-name: wgallowedip-flag

    type: flags

    entries:

      - remove-me



attribute-sets:

  -

    name: wgdevice

    enum-name: wgdevice-attribute

    name-prefix: wgdevice-a-

    attr-cnt-name: --wgdevice-a-last

    attributes:

      -

        name: unspec

        type: unused

        value: 0

      -

        name: ifindex

        type: u32

      -

        name: ifname

        type: string

        checks:

          max-len: 15

      -

        name: private-key

        type: binary

        doc: Set to all zeros to remove.

        display-hint: hex

        checks:

          exact-len: wg-key-len

      -

        name: public-key

        type: binary

        display-hint: hex

        checks:

          exact-len: wg-key-len

      -

        name: flags

        type: u32

        doc: |

          ``0`` or ``WGDEVICE_F_REPLACE_PEERS`` if all current peers should be

          removed prior to adding the list below.

        enum: wgdevice-flags

      -

        name: listen-port

        type: u16

        doc: Set as ``0`` to choose randomly.

      -

        name: fwmark

        type: u32

        doc: Set as ``0`` to disable.

      -

        name: peers

        type: indexed-array

        sub-type: nest

        nested-attributes: wgpeer

        doc: |

          The index/type parameter is unused on ``SET_DEVICE`` operations and is

          zero on ``GET_DEVICE`` operations.

  -

    name: wgpeer

    enum-name: wgpeer-attribute

    name-prefix: wgpeer-a-

    attr-cnt-name: --wgpeer-a-last

    attributes:

      -

        name: unspec

        type: unused

        value: 0

      -

        name: public-key

        type: binary

        display-hint: hex

        checks:

          exact-len: wg-key-len

      -

        name: preshared-key

        type: binary

        doc: Set as all zeros to remove.

        display-hint: hex

        checks:

          exact-len: wg-key-len

      -

        name: flags

        type: u32

        doc: |

          ``0`` and/or ``WGPEER_F_REMOVE_ME`` if the specified peer should not

          exist at the end of the operation, rather than added/updated and/or

          ``WGPEER_F_REPLACE_ALLOWEDIPS`` if all current allowed IPs of this

          peer should be removed prior to adding the list below and/or

          ``WGPEER_F_UPDATE_ONLY`` if the peer should only be set if it already

          exists.

        enum: wgpeer-flags

      -

        name: endpoint

        type: binary

        doc: struct sockaddr_in or struct sockaddr_in6

        checks:

          min-len: 16

      -

        name: persistent-keepalive-interval

        type: u16

        doc: Set as ``0`` to disable.

      -

        name: last-handshake-time

        type: binary

        struct: --kernel-timespec

        checks:

          exact-len: 16

      -

        name: rx-bytes

        type: u64

      -

        name: tx-bytes

        type: u64

      -

        name: allowedips

        type: indexed-array

        sub-type: nest

        nested-attributes: wgallowedip

        doc: |

          The index/type parameter is unused on ``SET_DEVICE`` operations and is

          zero on ``GET_DEVICE`` operations.

      -

        name: protocol-version

        type: u32

        doc: |

          Should not be set or used at all by most users of this API, as the

          most recent protocol will be used when this is unset. Otherwise,

          must be set to ``1``.

  -

    name: wgallowedip

    enum-name: wgallowedip-attribute

    name-prefix: wgallowedip-a-

    attr-cnt-name: --wgallowedip-a-last

    attributes:

      -

        name: unspec

        type: unused

        value: 0

      -

        name: family

        type: u16

        doc: IP family, either ``AF_INET`` or ``AF_INET6``.

      -

        name: ipaddr

        type: binary

        doc: Either ``struct in_addr`` or ``struct in6_addr``.

        display-hint: ipv4-or-v6

        checks:

          min-len: 4

      -

        name: cidr-mask

        type: u8

      -

        name: flags

        type: u32

        doc: |

          ``WGALLOWEDIP_F_REMOVE_ME`` if the specified IP should be removed;

          otherwise, this IP will be added if it is not already present.

        enum: wgallowedip-flags



operations:

  enum-name: wg-cmd

  name-prefix: wg-cmd-

  list:

    -

      name: get-device

      value: 0

      doc: |

        Retrieve WireGuard device

        ~~~~~~~~~~~~~~~~~~~~~~~~~



        The command should be called with one but not both of:



        - ``WGDEVICE_A_IFINDEX``

        - ``WGDEVICE_A_IFNAME``



        The kernel will then return several messages (``NLM_F_MULTI``). It is

        possible that all of the allowed IPs of a single peer will not fit

        within a single netlink message. In that case, the same peer will be

        written in the following message, except it will only contain

        ``WGPEER_A_PUBLIC_KEY`` and ``WGPEER_A_ALLOWEDIPS``. This may occur

        several times in a row for the same peer. It is then up to the receiver

        to coalesce adjacent peers. Likewise, it is possible that all peers will

        not fit within a single message. So, subsequent peers will be sent in

        following messages, except those will only contain ``WGDEVICE_A_IFNAME``

        and ``WGDEVICE_A_PEERS``. It is then up to the receiver to coalesce

        these messages to form the complete list of peers.



        Since this is an ``NLA_F_DUMP`` command, the final message will always

        be ``NLMSG_DONE``, even if an error occurs. However, this ``NLMSG_DONE``

        message contains an integer error code. It is either zero or a negative

        error code corresponding to the errno.

      attribute-set: wgdevice

      flags: [uns-admin-perm]



      dump:

        pre: wg-get-device-start

        post: wg-get-device-done

        request:

          attributes:

            - ifindex

            - ifname

        reply: &all-attrs

          attributes:

            - ifindex

            - ifname

            - private-key

            - public-key

            - flags

            - listen-port

            - fwmark

            - peers

    -

      name: set-device

      value: 1

      doc: |

        Set WireGuard device

        ~~~~~~~~~~~~~~~~~~~~



        This command should be called with a wgdevice set, containing one but

        not both of ``WGDEVICE_A_IFINDEX`` and ``WGDEVICE_A_IFNAME``.



        It is possible that the amount of configuration data exceeds that of the

        maximum message length accepted by the kernel. In that case, several

        messages should be sent one after another, with each successive one

        filling in information not contained in the prior. Note that if

        ``WGDEVICE_F_REPLACE_PEERS`` is specified in the first message, it

        probably should not be specified in fragments that come after, so that

        the list of peers is only cleared the first time but appended after.

        Likewise for peers, if ``WGPEER_F_REPLACE_ALLOWEDIPS`` is specified in

        the first message of a peer, it likely should not be specified in

        subsequent fragments.



        If an error occurs, ``NLMSG_ERROR`` will reply containing an errno.

      attribute-set: wgdevice

      flags: [uns-admin-perm]



      do:

        request: *all-attrs

MAINTAINERS

+1 −0
Original line number Diff line number Diff line
@@ -27674,6 +27674,7 @@ M: Jason A. Donenfeld <Jason@zx2c4.com> 
L:	wireguard@lists.zx2c4.com

L:	netdev@vger.kernel.org

S:	Maintained

F:	Documentation/netlink/specs/wireguard.yaml

F:	drivers/net/wireguard/

F:	tools/testing/selftests/wireguard/

























drivers/net/wireguard/Makefile



+1
−1






























Original line number
Diff line number
Diff line







@@ -13,5 +13,5 @@ wireguard-y += peerlookup.o







wireguard-y += allowedips.o









wireguard-y += ratelimiter.o









wireguard-y += cookie.o









wireguard-y += netlink.o









wireguard-y += netlink.o generated/netlink.o









obj-$(CONFIG_WIREGUARD) := wireguard.o
























drivers/net/wireguard/generated/netlink.c
0 → 100644



+73
−0






























Original line number
Diff line number
Diff line









// SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)









/* Do not edit directly, auto-generated from: */









/*	Documentation/netlink/specs/wireguard.yaml */









/* YNL-GEN kernel source */









/* YNL-ARG --function-prefix wg */









/* To regenerate run: tools/net/ynl/ynl-regen.sh */



















#include <net/netlink.h>









#include <net/genetlink.h>



















#include "netlink.h"



















#include <uapi/linux/wireguard.h>









#include <linux/time_types.h>



















/* Common nested types */









const struct nla_policy wireguard_wgallowedip_nl_policy[WGALLOWEDIP_A_FLAGS + 1] = {









	[WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16, },









	[WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(4),









	[WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8, },









	[WGALLOWEDIP_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, 0x1),









};



















const struct nla_policy wireguard_wgpeer_nl_policy[WGPEER_A_PROTOCOL_VERSION + 1] = {









	[WGPEER_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(WG_KEY_LEN),









	[WGPEER_A_PRESHARED_KEY] = NLA_POLICY_EXACT_LEN(WG_KEY_LEN),









	[WGPEER_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, 0x7),









	[WGPEER_A_ENDPOINT] = NLA_POLICY_MIN_LEN(16),









	[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NLA_U16, },









	[WGPEER_A_LAST_HANDSHAKE_TIME] = NLA_POLICY_EXACT_LEN(16),









	[WGPEER_A_RX_BYTES] = { .type = NLA_U64, },









	[WGPEER_A_TX_BYTES] = { .type = NLA_U64, },









	[WGPEER_A_ALLOWEDIPS] = NLA_POLICY_NESTED_ARRAY(wireguard_wgallowedip_nl_policy),









	[WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32, },









};



















/* WG_CMD_GET_DEVICE - dump */









static const struct nla_policy wireguard_get_device_nl_policy[WGDEVICE_A_IFNAME + 1] = {









	[WGDEVICE_A_IFINDEX] = { .type = NLA_U32, },









	[WGDEVICE_A_IFNAME] = { .type = NLA_NUL_STRING, .len = 15, },









};



















/* WG_CMD_SET_DEVICE - do */









static const struct nla_policy wireguard_set_device_nl_policy[WGDEVICE_A_PEERS + 1] = {









	[WGDEVICE_A_IFINDEX] = { .type = NLA_U32, },









	[WGDEVICE_A_IFNAME] = { .type = NLA_NUL_STRING, .len = 15, },









	[WGDEVICE_A_PRIVATE_KEY] = NLA_POLICY_EXACT_LEN(WG_KEY_LEN),









	[WGDEVICE_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(WG_KEY_LEN),









	[WGDEVICE_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, 0x1),









	[WGDEVICE_A_LISTEN_PORT] = { .type = NLA_U16, },









	[WGDEVICE_A_FWMARK] = { .type = NLA_U32, },









	[WGDEVICE_A_PEERS] = NLA_POLICY_NESTED_ARRAY(wireguard_wgpeer_nl_policy),









};



















/* Ops table for wireguard */









const struct genl_split_ops wireguard_nl_ops[2] = {









	{









		.cmd		= WG_CMD_GET_DEVICE,









		.start		= wg_get_device_start,









		.dumpit		= wg_get_device_dumpit,









		.done		= wg_get_device_done,









		.policy		= wireguard_get_device_nl_policy,









		.maxattr	= WGDEVICE_A_IFNAME,









		.flags		= GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DUMP,









	},









	{









		.cmd		= WG_CMD_SET_DEVICE,









		.doit		= wg_set_device_doit,









		.policy		= wireguard_set_device_nl_policy,









		.maxattr	= WGDEVICE_A_PEERS,









		.flags		= GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,









	},









};
























drivers/net/wireguard/generated/netlink.h
0 → 100644



+30
−0






























Original line number
Diff line number
Diff line









/* SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) */









/* Do not edit directly, auto-generated from: */









/*	Documentation/netlink/specs/wireguard.yaml */









/* YNL-GEN kernel header */









/* YNL-ARG --function-prefix wg */









/* To regenerate run: tools/net/ynl/ynl-regen.sh */



















#ifndef _LINUX_WIREGUARD_GEN_H









#define _LINUX_WIREGUARD_GEN_H



















#include <net/netlink.h>









#include <net/genetlink.h>



















#include <uapi/linux/wireguard.h>









#include <linux/time_types.h>



















/* Common nested types */









extern const struct nla_policy wireguard_wgallowedip_nl_policy[WGALLOWEDIP_A_FLAGS + 1];









extern const struct nla_policy wireguard_wgpeer_nl_policy[WGPEER_A_PROTOCOL_VERSION + 1];



















/* Ops table for wireguard */









extern const struct genl_split_ops wireguard_nl_ops[2];



















int wg_get_device_start(struct netlink_callback *cb);









int wg_get_device_done(struct netlink_callback *cb);



















int wg_get_device_dumpit(struct sk_buff *skb, struct netlink_callback *cb);









int wg_set_device_doit(struct sk_buff *skb, struct genl_info *info);



















#endif /* _LINUX_WIREGUARD_GEN_H */