
networkd: add support for wireguard interface type

More information may be found at wireguard.com.
Mic92 authored and keszybz committed Dec 18, 2017
1 parent 05d0c2e commit e5719363f54c8c45233ded86b5b18feb36b601f7
@@ -73,6 +73,18 @@
</a>
</xsl:template>
<xsl:template match="citerefentry[@project='wireguard']">
<a>
<xsl:attribute name="href">
<xsl:text>https://git.zx2c4.com/WireGuard/about/src/tools/</xsl:text>
<xsl:value-of select="refentrytitle"/>
<xsl:text>.</xsl:text>
<xsl:value-of select="manvolnum"/>
</xsl:attribute>
<xsl:call-template name="inline.charseq"/>
</a>
</xsl:template>
<xsl:template match="citerefentry[@project='mankier']">
<a>
<xsl:attribute name="href">
@@ -184,6 +184,9 @@
<entry>The virtual CAN tunnel driver (vxcan). Similar to the virtual ethernet driver veth, vxcan implements a local CAN traffic tunnel between two virtual CAN network devices. When creating a vxcan, two vxcan devices are created as pair. When one end receives the packet it appears on its pair and vice versa. The vxcan can be used for cross namespace communication.
</entry></row>
<row><entry><varname>wireguard</varname></entry>
<entry>WireGuard Secure Network Tunnel.</entry></row>
</tbody>
</tgroup>
</table>
@@ -1009,6 +1012,103 @@
as the <literal>[Tun]</literal> section.</para>
</refsect1>
<refsect1>
<title>[WireGuard] Section Options</title>
<para>The <literal>[WireGuard]</literal> section accepts the following
keys:</para>
<variablelist class='network-directives'>
<varlistentry>
<term><varname>PrivateKey=</varname></term>
<listitem>
<para>The Base64 encoded private key for the interface. It can be
generated using the <command>wg genkey</command> command
(see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
This option is mandatory to use wireguard.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>ListenPort=</varname></term>
<listitem>
<para>Sets UDP port for listening. Takes either value between 1 and 65535
or <literal>auto</literal>. If <literal>auto</literal> is specified,
the port is automatically generated based on interface name.
Defaults to <literal>auto</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>FwMark=</varname></term>
<listitem>
<para>Sets a firewall mark on outgoing wireguard packets from this interface.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>[WireGuardPeer] Section Options</title>
<para>The <literal>[WireGuardPeer]</literal> section accepts the following
keys:</para>
<variablelist class='network-directives'>
<varlistentry>
<term><varname>PublicKey=</varname></term>
<listitem>
<para>Sets a Base64 encoded public key calculated by <command>wg pubkey</command>
(see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
from a private key, and usually transmitted out of band to the
author of the configuration file. This option is mandatory for this
section.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>PresharedKey=</varname></term>
<listitem>
<para>Optional preshared key for the interface. It can be generated
by the <command>wg genpsk</command> command. This option adds an
additional layer of symmetric-key cryptography to be mixed into the
already existing public-key cryptography, for post-quantum
resistance.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>AllowedIPs=</varname></term>
<listitem>
<para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks
from which this peer is allowed to send incoming traffic and to
which outgoing traffic for this peer is directed. The catch-all
0.0.0.0/0 may be specified for matching all IPv4 addresses, and
::/0 may be specified for matching all IPv6 addresses. </para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Endpoint=</varname></term>
<listitem>
<para>Sets an endpoint IP address or hostname, followed by a colon, and then
a port number. This endpoint will be updated automatically once to
the most recent source IP address and port of correctly
authenticated packets from the peer at configuration time.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>PersistentKeepalive=</varname></term>
<listitem>
<para>Sets a seconds interval, between 1 and 65535 inclusive, of how often
to send an authenticated empty packet to the peer for the purpose
of keeping a stateful firewall or NAT mapping valid persistently.
For example, if the interface very rarely sends traffic, but it
might at anytime receive traffic from a peer, and it is behind NAT,
the interface might benefit from having a persistent keepalive
interval of 25 seconds. If set to 0 or "off", this option is
disabled. By default or when unspecified, this option is off.
Most users will not need this.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>[Bond] Section Options</title>
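Review bot: the PrivateKey= entry (the `<para>` under `<term><varname>PrivateKey=</varname></term>`) documents a secret that is stored in plaintext in the .netdev file but says nothing about protecting that file; add a sentence recommending that the file be readable only by root and the systemd-network user (a restrictive mode such as 0640) so the key is not world-readable. Two smaller wording points in the same hunk: ListenPort= says the port "is automatically generated based on interface name", which does not tell the reader whether the result is deterministic or which range it falls in, and the Endpoint= sentence "updated automatically once to the most recent source IP address ... at configuration time" should be rephrased to state clearly when the update happens and what triggers it.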
@@ -1391,6 +1491,21 @@ Name=macvtap-test
Kind=macvtap
</programlisting>
</example>
<example>
<title>/etc/systemd/network/25-wireguard.netdev</title>
<programlisting>[NetDev]
Name=wg0
Kind=wireguard
[WireGuard]
PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
ListenPort=51820
[WireGuardPeer]
PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
Endpoint=wireguard.example.com:51820</programlisting>
</example>
</refsect1>
<refsect1>
<title>See Also</title>
@@ -11,6 +11,7 @@ typedef struct {
static const genl_family genl_families[] = {
[SD_GENL_ID_CTRL] = { .name = "", .version = 1 },
[SD_GENL_WIREGUARD] = { .name = "wireguard", .version = 1 },
};
int sd_genl_socket_open(sd_netlink **ret) {
@@ -47,6 +47,7 @@
#include "netlink-types.h"
#include "string-table.h"
#include "util.h"
#include "wireguard-netlink.h"
#include "sd-netlink.h"
/* Maximum ARP IP target defined in kernel */
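Review bot: the include ordering in this hunk is off: `#include "wireguard-netlink.h"` is inserted between `"util.h"` and `"sd-netlink.h"`, so the local headers are no longer in alphabetical order and the sd-* header is no longer grouped with the other sd-* includes; move the new line to its sorted position among the local headers.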
@@ -340,7 +341,7 @@ static const char* const nl_union_link_info_data_table[] = {
[NL_UNION_LINK_INFO_DATA_VCAN] = "vcan",
[NL_UNION_LINK_INFO_DATA_GENEVE] = "geneve",
[NL_UNION_LINK_INFO_DATA_VXCAN] = "vxcan",
[NL_UNION_LINK_INFO_DATA_WIREGUARD] = "wireguard",
};
DEFINE_STRING_TABLE_LOOKUP(nl_union_link_info_data, NLUnionLinkInfoData);
@@ -672,6 +673,54 @@ const NLTypeSystem rtnl_type_system_root = {
.types = rtnl_types,
};
static const NLType genl_wireguard_allowedip_types[] = {
[WGALLOWEDIP_A_FAMILY] = { .type = NETLINK_TYPE_U16 },
[WGALLOWEDIP_A_IPADDR] = { .type = NETLINK_TYPE_IN_ADDR },
[WGALLOWEDIP_A_CIDR_MASK] = { .type = NETLINK_TYPE_U8 },
};
static const NLTypeSystem genl_wireguard_allowedip_type_system = {
.count = ELEMENTSOF(genl_wireguard_allowedip_types),
.types = genl_wireguard_allowedip_types,
};
static const NLType genl_wireguard_peer_types[] = {
[WGPEER_A_PUBLIC_KEY] = { .size = WG_KEY_LEN },
[WGPEER_A_FLAGS] = { .type = NETLINK_TYPE_U32 },
[WGPEER_A_PRESHARED_KEY] = { .size = WG_KEY_LEN },
[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NETLINK_TYPE_U32 },
[WGPEER_A_ENDPOINT] = { /* either size of sockaddr_in or sockaddr_in6 depending on address family */ },
[WGPEER_A_ALLOWEDIPS] = { .type = NETLINK_TYPE_NESTED, .type_system = &genl_wireguard_allowedip_type_system },
};
static const NLTypeSystem genl_wireguard_peer_type_system = {
.count = ELEMENTSOF(genl_wireguard_peer_types),
.types = genl_wireguard_peer_types,
};
static const NLType genl_wireguard_set_device_types[] = {
[WGDEVICE_A_IFINDEX] = { .type = NETLINK_TYPE_U32 },
[WGDEVICE_A_IFNAME] = { .type = NETLINK_TYPE_STRING },
[WGDEVICE_A_FLAGS] = { .type = NETLINK_TYPE_U32 },
[WGDEVICE_A_PRIVATE_KEY] = { .size = WG_KEY_LEN },
[WGDEVICE_A_LISTEN_PORT] = { .type = NETLINK_TYPE_U16 },
[WGDEVICE_A_FWMARK] = { .type = NETLINK_TYPE_U32 },
[WGDEVICE_A_PEERS] = { .type = NETLINK_TYPE_NESTED, .type_system = &genl_wireguard_peer_type_system },
};
static const NLTypeSystem genl_wireguard_set_device_type_system = {
.count = ELEMENTSOF(genl_wireguard_set_device_types),
.types = genl_wireguard_set_device_types,
};
static const NLType genl_wireguard_cmds[] = {
[WG_CMD_SET_DEVICE] = { .type = NETLINK_TYPE_NESTED, .type_system = &genl_wireguard_set_device_type_system },
};
static const NLTypeSystem genl_wireguard_type_system = {
.count = ELEMENTSOF(genl_wireguard_cmds),
.types = genl_wireguard_cmds,
};
static const NLType genl_get_family_types[] = {
[CTRL_ATTR_FAMILY_NAME] = { .type = NETLINK_TYPE_STRING },
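Review bot: several entries in the new type tables are defined by size only, with no `.type` field, e.g. `[WGPEER_A_PUBLIC_KEY] = { .size = WG_KEY_LEN }`, `[WGPEER_A_PRESHARED_KEY] = { .size = WG_KEY_LEN }` and `[WGDEVICE_A_PRIVATE_KEY] = { .size = WG_KEY_LEN }`; they rely on the zero-valued NLType enum entry, so the intended type (a fixed-size binary blob of WG_KEY_LEN bytes) should be spelled out explicitly so that readers and the type-system consumers do not have to infer it. Likewise `[WGPEER_A_ENDPOINT] = { /* either size of sockaddr_in or sockaddr_in6 depending on address family */ }` is an empty initializer with a comment: state which type is intended and where the sockaddr length is validated, since an attribute left as the default type is accepted without the length check the comment implies.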
@@ -694,6 +743,7 @@ static const NLTypeSystem genl_ctrl_id_ctrl_type_system = {
static const NLType genl_families[] = {
[SD_GENL_ID_CTRL] = { .type = NETLINK_TYPE_NESTED, .type_system = &genl_ctrl_id_ctrl_type_system },
[SD_GENL_WIREGUARD] = { .type = NETLINK_TYPE_NESTED, .type_system = &genl_wireguard_type_system },
};
const NLTypeSystem genl_family_type_system_root = {
@@ -94,6 +94,7 @@ typedef enum NLUnionLinkInfoData {
NL_UNION_LINK_INFO_DATA_VCAN,
NL_UNION_LINK_INFO_DATA_GENEVE,
NL_UNION_LINK_INFO_DATA_VXCAN,
NL_UNION_LINK_INFO_DATA_WIREGUARD,
_NL_UNION_LINK_INFO_DATA_MAX,
_NL_UNION_LINK_INFO_DATA_INVALID = -1
} NLUnionLinkInfoData;
@@ -46,6 +46,8 @@ sources = files('''
netdev/geneve.h
netdev/vxcan.c
netdev/vxcan.h
netdev/wireguard.c
netdev/wireguard.h
networkd-address-label.c
networkd-address-label.h
networkd-address-pool.c