Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

wireguard-tools: 0.0.20191127 -> 0.0.20191212 #75565

Merged
merged 1 commit into from Dec 14, 2019

Conversation

@xwvvvvwx
Copy link
Contributor

@xwvvvvwx xwvvvvwx commented Dec 12, 2019

Motivation for this change

new snapshot: https://lists.zx2c4.com/pipermail/wireguard/2019-December/004764.html

This snapshot includes support for (and prefers) nftables as part of wg-quck's CVE-2019-14899 mitigations. I stuck with the existing iptables integration for the nix package because that's what we use in nixos, but I'm wondering how that interacts with nix installed on other distributions (e.g Fedora defaults to nftables now)?

nix-review wip passes for all kernels exept linux-libre-latest.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @elseym @ericsagnes @Mic92 @zx2c4 @globin @Ma27

@zx2c4
Copy link
Contributor

@zx2c4 zx2c4 commented Dec 12, 2019

The dependencies/wrapped programs should now be "nftables OR iptables".

@ivan
ivan approved these changes Dec 14, 2019
Copy link
Member

@ivan ivan left a comment

Tested on NixOS master and it appears to work fine

@Ma27
Copy link
Member

@Ma27 Ma27 commented Dec 14, 2019

@GrahamcOfBorg test wireguard

@zx2c4
Copy link
Contributor

@zx2c4 zx2c4 commented Dec 14, 2019

Please remember to update the iptables||nftables dependency.

@ivan did you approve this prematurely?

Copy link
Contributor

@jonringer jonringer left a comment

diff LGTM
wireguard-tools executables seem to work
nixos test passes

linuxPackages-libre version is broken on master with same error, I don't consider this a regression

[16 built (1 failed), 30 copied (2281.0 MiB), 1078.0 MiB DL]
error: build of '/nix/store/vdn11nyx66rnkwa5v55gjfysyzzaji6w-env.drv' failed
https://github.com/NixOS/nixpkgs/pull/75565
2 package are marked as broken and were skipped:
linuxPackages_hardkernel_4_14.wireguard linuxPackages_hardkernel_latest.wireguard

1 package failed to build:
linuxPackages_latest-libre.wireguard

14 package were built:
linuxPackages-libre.wireguard linuxPackages.wireguard linuxPackages_4_14.wireguard linuxPackages_4_4.wireguard linuxPackages_4_9.wireguard linuxPackages_5_3.wireguard linuxPackages_5_4.wireguard linuxPackages_hardened.wireguard linuxPackages_latest_hardened.wireguard linuxPackages_latest_xen_dom0.wireguard linuxPackages_testing_bcachefs.wireguard linuxPackages_testing_hardened.wireguard linuxPackages_xen_dom0.wireguard wireguard-tools
@Mic92
Copy link
Contributor

@Mic92 Mic92 commented Dec 14, 2019

Regarding nftables: Nix only has fixed dependencies for packages, there is no either/or without moving the PATH wrapper outside of the package itself. However I don't consider that a practical problem for nftables user on NixOS. If they use the nftables module (https://nixos.org/nixos/options.html#networking.nftables.enable) than they will have nft in $PATH. For non-NixOS nix user the userland tools are not a good option anyway: Since the kernel modules have to be installed from their distribution package manager, they should install wireguard-tools using the same to match the version.

@Mic92 Mic92 merged commit 259139f into NixOS:master Dec 14, 2019
17 checks passed
17 checks passed
Evaluation Performance Report Evaluator Performance Report
Details
grahamcofborg-eval ^.^!
Details
grahamcofborg-eval-check-maintainers matching changed paths to changed attrs...
Details
grahamcofborg-eval-check-meta config.nix: checkMeta = true
Details
grahamcofborg-eval-darwin nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A darwin-tested
Details
grahamcofborg-eval-nixos nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release-combined.nix -A tested
Details
grahamcofborg-eval-nixos-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A manual
Details
grahamcofborg-eval-nixos-options nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A options
Details
grahamcofborg-eval-nixpkgs-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A manual
Details
grahamcofborg-eval-nixpkgs-tarball nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A tarball
Details
grahamcofborg-eval-nixpkgs-unstable-jobset nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A unstable
Details
grahamcofborg-eval-package-list nix-env -qa --json --file .
Details
grahamcofborg-eval-package-list-no-aliases nix-env -qa --json --file . --arg config { allowAliases = false; }
Details
tests.wireguard on aarch64-linux Success
Details
tests.wireguard on x86_64-linux Success
Details
wireguard-tools on aarch64-linux Success
Details
wireguard-tools on x86_64-linux Success
Details
@xwvvvvwx xwvvvvwx deleted the xwvvvvwx:wg-tools-20191212 branch Jan 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

6 participants
You can’t perform that action at this time.