admin/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2025-12-07 20:06:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge tag 'wireguard-6.19-rc1-for-jakub' of https://git.kernel.org/pub/scm/linux/kernel/git/zx2c4/wireguard-linux

Browse Source 
Jason A. Donenfeld says:

====================
WireGuard updates for Linux 6.19-rc1.

Please find here Asbjørn's ynl series. This has been sitting in my
testing for the last week or so, since he sent out the latest series.
I've dropped the yml sample code, as he found an issue in that last
minute, but otherwise, we've sat on this code for long enough, so
let's see how it goes.

* tag 'wireguard-6.19-rc1-for-jakub' of https://git.kernel.org/pub/scm/linux/kernel/git/zx2c4/wireguard-linux:
  wireguard: netlink: generate netlink code
  wireguard: uapi: generate header with ynl-gen
  wireguard: uapi: move flag enums
  wireguard: uapi: move enum wg_cmd
  wireguard: netlink: add YNL specification
  wireguard: netlink: lower .maxattr for WG_CMD_GET_DEVICE
  wireguard: netlink: convert to split ops
  wireguard: netlink: use WG_KEY_LEN in policies
  wireguard: netlink: validate nested arrays in policy
  wireguard: netlink: enable strict genetlink validation
====================

Link: https://patch.msgid.link/
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Jakub Kicinski
2025-12-01 20:33:06 -08:00
parent cbc19b3229 3fd2f3d2f4
commit 31a3ed492d
7 changed files with 449 additions and 216 deletions
Download Patch File Download Diff File Expand all files Collapse all files

298
Documentation/netlink/specs/wireguard.yaml Normal file
View File

@@ -0,0 +1,298 @@
# SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)
---
name: wireguard
protocol: genetlink-legacy
doc: |
**Netlink protocol to control WireGuard network devices.**
The below enums and macros are for interfacing with WireGuard, using generic
netlink, with family ``WG_GENL_NAME`` and version ``WG_GENL_VERSION``. It
defines two commands: get and set. Note that while they share many common
attributes, these two commands actually accept a slightly different set of
inputs and outputs. These differences are noted under the individual
attributes.
c-family-name: wg-genl-name
c-version-name: wg-genl-version
max-by-define: true
definitions:
-
name-prefix: wg-
name: key-len
type: const
value: 32
-
name: --kernel-timespec
type: struct
header: linux/time_types.h
members:
-
name: sec
type: u64
doc: Number of seconds, since UNIX epoch.
-
name: nsec
type: u64
doc: Number of nanoseconds, after the second began.
-
name: wgdevice-flags
name-prefix: wgdevice-f-
enum-name: wgdevice-flag
type: flags
entries:
- replace-peers
-
name: wgpeer-flags
name-prefix: wgpeer-f-
enum-name: wgpeer-flag
type: flags
entries:
- remove-me
- replace-allowedips
- update-only
-
name: wgallowedip-flags
name-prefix: wgallowedip-f-
enum-name: wgallowedip-flag
type: flags
entries:
- remove-me
attribute-sets:
-
name: wgdevice
enum-name: wgdevice-attribute
name-prefix: wgdevice-a-
attr-cnt-name: --wgdevice-a-last
attributes:
-
name: unspec
type: unused
value: 0
-
name: ifindex
type: u32
-
name: ifname
type: string
checks:
max-len: 15
-
name: private-key
type: binary
doc: Set to all zeros to remove.
display-hint: hex
checks:
exact-len: wg-key-len
-
name: public-key
type: binary
display-hint: hex
checks:
exact-len: wg-key-len
-
name: flags
type: u32
doc: |
``0`` or ``WGDEVICE_F_REPLACE_PEERS`` if all current peers should be
removed prior to adding the list below.
enum: wgdevice-flags
-
name: listen-port
type: u16
doc: Set as ``0`` to choose randomly.
-
name: fwmark
type: u32
doc: Set as ``0`` to disable.
-
name: peers
type: indexed-array
sub-type: nest
nested-attributes: wgpeer
doc: |
The index/type parameter is unused on ``SET_DEVICE`` operations and is
zero on ``GET_DEVICE`` operations.
-
name: wgpeer
enum-name: wgpeer-attribute
name-prefix: wgpeer-a-
attr-cnt-name: --wgpeer-a-last
attributes:
-
name: unspec
type: unused
value: 0
-
name: public-key
type: binary
display-hint: hex
checks:
exact-len: wg-key-len
-
name: preshared-key
type: binary
doc: Set as all zeros to remove.
display-hint: hex
checks:
exact-len: wg-key-len
-
name: flags
type: u32
doc: |
``0`` and/or ``WGPEER_F_REMOVE_ME`` if the specified peer should not
exist at the end of the operation, rather than added/updated and/or
``WGPEER_F_REPLACE_ALLOWEDIPS`` if all current allowed IPs of this
peer should be removed prior to adding the list below and/or
``WGPEER_F_UPDATE_ONLY`` if the peer should only be set if it already
exists.
enum: wgpeer-flags
-
name: endpoint
type: binary
doc: struct sockaddr_in or struct sockaddr_in6
checks:
min-len: 16
-
name: persistent-keepalive-interval
type: u16
doc: Set as ``0`` to disable.
-
name: last-handshake-time
type: binary
struct: --kernel-timespec
checks:
exact-len: 16
-
name: rx-bytes
type: u64
-
name: tx-bytes
type: u64
-
name: allowedips
type: indexed-array
sub-type: nest
nested-attributes: wgallowedip
doc: |
The index/type parameter is unused on ``SET_DEVICE`` operations and is
zero on ``GET_DEVICE`` operations.
-
name: protocol-version
type: u32
doc: |
Should not be set or used at all by most users of this API, as the
most recent protocol will be used when this is unset. Otherwise,
must be set to ``1``.
-
name: wgallowedip
enum-name: wgallowedip-attribute
name-prefix: wgallowedip-a-
attr-cnt-name: --wgallowedip-a-last
attributes:
-
name: unspec
type: unused
value: 0
-
name: family
type: u16
doc: IP family, either ``AF_INET`` or ``AF_INET6``.
-
name: ipaddr
type: binary
doc: Either ``struct in_addr`` or ``struct in6_addr``.
display-hint: ipv4-or-v6
checks:
min-len: 4
-
name: cidr-mask
type: u8
-
name: flags
type: u32
doc: |
``WGALLOWEDIP_F_REMOVE_ME`` if the specified IP should be removed;
otherwise, this IP will be added if it is not already present.
enum: wgallowedip-flags
operations:
enum-name: wg-cmd
name-prefix: wg-cmd-
list:
-
name: get-device
value: 0
doc: |
Retrieve WireGuard device
~~~~~~~~~~~~~~~~~~~~~~~~~
The command should be called with one but not both of:
- ``WGDEVICE_A_IFINDEX``
- ``WGDEVICE_A_IFNAME``
The kernel will then return several messages (``NLM_F_MULTI``). It is
possible that all of the allowed IPs of a single peer will not fit
within a single netlink message. In that case, the same peer will be
written in the following message, except it will only contain
``WGPEER_A_PUBLIC_KEY`` and ``WGPEER_A_ALLOWEDIPS``. This may occur
several times in a row for the same peer. It is then up to the receiver
to coalesce adjacent peers. Likewise, it is possible that all peers will
not fit within a single message. So, subsequent peers will be sent in
following messages, except those will only contain ``WGDEVICE_A_IFNAME``
and ``WGDEVICE_A_PEERS``. It is then up to the receiver to coalesce
these messages to form the complete list of peers.
Since this is an ``NLA_F_DUMP`` command, the final message will always
be ``NLMSG_DONE``, even if an error occurs. However, this ``NLMSG_DONE``
message contains an integer error code. It is either zero or a negative
error code corresponding to the errno.
attribute-set: wgdevice
flags: [uns-admin-perm]
dump:
pre: wg-get-device-start
post: wg-get-device-done
request:
attributes:
- ifindex
- ifname
reply: &all-attrs
attributes:
- ifindex
- ifname
- private-key
- public-key
- flags
- listen-port
- fwmark
- peers
-
name: set-device
value: 1
doc: |
Set WireGuard device
~~~~~~~~~~~~~~~~~~~~
This command should be called with a wgdevice set, containing one but
not both of ``WGDEVICE_A_IFINDEX`` and ``WGDEVICE_A_IFNAME``.
It is possible that the amount of configuration data exceeds that of the
maximum message length accepted by the kernel. In that case, several
messages should be sent one after another, with each successive one
filling in information not contained in the prior. Note that if
``WGDEVICE_F_REPLACE_PEERS`` is specified in the first message, it
probably should not be specified in fragments that come after, so that
the list of peers is only cleared the first time but appended after.
Likewise for peers, if ``WGPEER_F_REPLACE_ALLOWEDIPS`` is specified in
the first message of a peer, it likely should not be specified in
subsequent fragments.
If an error occurs, ``NLMSG_ERROR`` will reply containing an errno.
attribute-set: wgdevice
flags: [uns-admin-perm]
do:
request: *all-attrs

1
MAINTAINERS
View File

@@ -27674,6 +27674,7 @@ M: Jason A. Donenfeld <Jason@zx2c4.com>
L: wireguard@lists.zx2c4.com
L: netdev@vger.kernel.org
S: Maintained
F: Documentation/netlink/specs/wireguard.yaml
F: drivers/net/wireguard/
F: tools/testing/selftests/wireguard/

2
drivers/net/wireguard/Makefile
View File

@@ -13,5 +13,5 @@ wireguard-y += peerlookup.o
wireguard-y += allowedips.o
wireguard-y += ratelimiter.o
wireguard-y += cookie.o
wireguard-y += netlink.o
wireguard-y += netlink.o generated/netlink.o
obj-$(CONFIG_WIREGUARD) := wireguard.o

73
drivers/net/wireguard/generated/netlink.c Normal file
View File

@@ -0,0 +1,73 @@
// SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)
/* Do not edit directly, auto-generated from: */
/* Documentation/netlink/specs/wireguard.yaml */
/* YNL-GEN kernel source */
/* YNL-ARG --function-prefix wg */
/* To regenerate run: tools/net/ynl/ynl-regen.sh */
#include <net/netlink.h>
#include <net/genetlink.h>
#include "netlink.h"
#include <uapi/linux/wireguard.h>
#include <linux/time_types.h>
/* Common nested types */
const struct nla_policy wireguard_wgallowedip_nl_policy[WGALLOWEDIP_A_FLAGS + 1] = {
[WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16, },
[WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(4),
[WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8, },
[WGALLOWEDIP_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, 0x1),
};
const struct nla_policy wireguard_wgpeer_nl_policy[WGPEER_A_PROTOCOL_VERSION + 1] = {
[WGPEER_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(WG_KEY_LEN),
[WGPEER_A_PRESHARED_KEY] = NLA_POLICY_EXACT_LEN(WG_KEY_LEN),
[WGPEER_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, 0x7),
[WGPEER_A_ENDPOINT] = NLA_POLICY_MIN_LEN(16),
[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NLA_U16, },
[WGPEER_A_LAST_HANDSHAKE_TIME] = NLA_POLICY_EXACT_LEN(16),
[WGPEER_A_RX_BYTES] = { .type = NLA_U64, },
[WGPEER_A_TX_BYTES] = { .type = NLA_U64, },
[WGPEER_A_ALLOWEDIPS] = NLA_POLICY_NESTED_ARRAY(wireguard_wgallowedip_nl_policy),
[WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32, },
};
/* WG_CMD_GET_DEVICE - dump */
static const struct nla_policy wireguard_get_device_nl_policy[WGDEVICE_A_IFNAME + 1] = {
[WGDEVICE_A_IFINDEX] = { .type = NLA_U32, },
[WGDEVICE_A_IFNAME] = { .type = NLA_NUL_STRING, .len = 15, },
};
/* WG_CMD_SET_DEVICE - do */
static const struct nla_policy wireguard_set_device_nl_policy[WGDEVICE_A_PEERS + 1] = {
[WGDEVICE_A_IFINDEX] = { .type = NLA_U32, },
[WGDEVICE_A_IFNAME] = { .type = NLA_NUL_STRING, .len = 15, },
[WGDEVICE_A_PRIVATE_KEY] = NLA_POLICY_EXACT_LEN(WG_KEY_LEN),
[WGDEVICE_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(WG_KEY_LEN),
[WGDEVICE_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, 0x1),
[WGDEVICE_A_LISTEN_PORT] = { .type = NLA_U16, },
[WGDEVICE_A_FWMARK] = { .type = NLA_U32, },
[WGDEVICE_A_PEERS] = NLA_POLICY_NESTED_ARRAY(wireguard_wgpeer_nl_policy),
};
/* Ops table for wireguard */
const struct genl_split_ops wireguard_nl_ops[2] = {
{
.cmd = WG_CMD_GET_DEVICE,
.start = wg_get_device_start,
.dumpit = wg_get_device_dumpit,
.done = wg_get_device_done,
.policy = wireguard_get_device_nl_policy,
.maxattr = WGDEVICE_A_IFNAME,
.flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DUMP,
},
{
.cmd = WG_CMD_SET_DEVICE,
.doit = wg_set_device_doit,
.policy = wireguard_set_device_nl_policy,
.maxattr = WGDEVICE_A_PEERS,
.flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
},
};

30
drivers/net/wireguard/generated/netlink.h Normal file
View File

@@ -0,0 +1,30 @@
/* SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) */
/* Do not edit directly, auto-generated from: */
/* Documentation/netlink/specs/wireguard.yaml */
/* YNL-GEN kernel header */
/* YNL-ARG --function-prefix wg */
/* To regenerate run: tools/net/ynl/ynl-regen.sh */
#ifndef _LINUX_WIREGUARD_GEN_H
#define _LINUX_WIREGUARD_GEN_H
#include <net/netlink.h>
#include <net/genetlink.h>
#include <uapi/linux/wireguard.h>
#include <linux/time_types.h>
/* Common nested types */
extern const struct nla_policy wireguard_wgallowedip_nl_policy[WGALLOWEDIP_A_FLAGS + 1];
extern const struct nla_policy wireguard_wgpeer_nl_policy[WGPEER_A_PROTOCOL_VERSION + 1];
/* Ops table for wireguard */
extern const struct genl_split_ops wireguard_nl_ops[2];
int wg_get_device_start(struct netlink_callback *cb);
int wg_get_device_done(struct netlink_callback *cb);
int wg_get_device_dumpit(struct sk_buff *skb, struct netlink_callback *cb);
int wg_set_device_doit(struct sk_buff *skb, struct genl_info *info);
#endif /* _LINUX_WIREGUARD_GEN_H */

68
drivers/net/wireguard/netlink.c
View File

@@ -9,6 +9,7 @@
#include "socket.h"
#include "queueing.h"
#include "messages.h"
#include "generated/netlink.h"
#include <uapi/linux/wireguard.h>
@@ -19,37 +20,6 @@
static struct genl_family genl_family;
static const struct nla_policy device_policy[WGDEVICE_A_MAX + 1] = {
[WGDEVICE_A_IFINDEX] = { .type = NLA_U32 },
[WGDEVICE_A_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ - 1 },
[WGDEVICE_A_PRIVATE_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN),
[WGDEVICE_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN),
[WGDEVICE_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, __WGDEVICE_F_ALL),
[WGDEVICE_A_LISTEN_PORT] = { .type = NLA_U16 },
[WGDEVICE_A_FWMARK] = { .type = NLA_U32 },
[WGDEVICE_A_PEERS] = { .type = NLA_NESTED }
};
static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = {
[WGPEER_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN),
[WGPEER_A_PRESHARED_KEY] = NLA_POLICY_EXACT_LEN(NOISE_SYMMETRIC_KEY_LEN),
[WGPEER_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, __WGPEER_F_ALL),
[WGPEER_A_ENDPOINT] = NLA_POLICY_MIN_LEN(sizeof(struct sockaddr)),
[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NLA_U16 },
[WGPEER_A_LAST_HANDSHAKE_TIME] = NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)),
[WGPEER_A_RX_BYTES] = { .type = NLA_U64 },
[WGPEER_A_TX_BYTES] = { .type = NLA_U64 },
[WGPEER_A_ALLOWEDIPS] = { .type = NLA_NESTED },
[WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32 }
};
static const struct nla_policy allowedip_policy[WGALLOWEDIP_A_MAX + 1] = {
[WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16 },
[WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(sizeof(struct in_addr)),
[WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 },
[WGALLOWEDIP_A_FLAGS] = NLA_POLICY_MASK(NLA_U32, __WGALLOWEDIP_F_ALL),
};
static struct wg_device *lookup_interface(struct nlattr **attrs,
struct sk_buff *skb)
{
@@ -197,7 +167,7 @@ err:
return -EMSGSIZE;
}
static int wg_get_device_start(struct netlink_callback *cb)
int wg_get_device_start(struct netlink_callback *cb)
{
struct wg_device *wg;
@@ -208,7 +178,7 @@ static int wg_get_device_start(struct netlink_callback *cb)
return 0;
}
static int wg_get_device_dump(struct sk_buff *skb, struct netlink_callback *cb)
int wg_get_device_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
{
struct wg_peer *peer, *next_peer_cursor;
struct dump_ctx *ctx = DUMP_CTX(cb);
@@ -302,7 +272,7 @@ out:
*/
}
static int wg_get_device_done(struct netlink_callback *cb)
int wg_get_device_done(struct netlink_callback *cb)
{
struct dump_ctx *ctx = DUMP_CTX(cb);
@@ -467,7 +437,7 @@ static int set_peer(struct wg_device *wg, struct nlattr **attrs)
nla_for_each_nested(attr, attrs[WGPEER_A_ALLOWEDIPS], rem) {
ret = nla_parse_nested(allowedip, WGALLOWEDIP_A_MAX,
attr, allowedip_policy, NULL);
attr, NULL, NULL);
if (ret < 0)
goto out;
ret = set_allowedip(peer, allowedip);
@@ -500,7 +470,7 @@ out:
return ret;
}
static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
int wg_set_device_doit(struct sk_buff *skb, struct genl_info *info)
{
struct wg_device *wg = lookup_interface(info->attrs, skb);
u32 flags = 0;
@@ -593,7 +563,7 @@ skip_set_private_key:
nla_for_each_nested(attr, info->attrs[WGDEVICE_A_PEERS], rem) {
ret = nla_parse_nested(peer, WGPEER_A_MAX, attr,
peer_policy, NULL);
NULL, NULL);
if (ret < 0)
goto out;
ret = set_peer(wg, peer);
@@ -614,34 +584,20 @@ out_nodev:
return ret;
}
static const struct genl_ops genl_ops[] = {
{
.cmd = WG_CMD_GET_DEVICE,
.start = wg_get_device_start,
.dumpit = wg_get_device_dump,
.done = wg_get_device_done,
.flags = GENL_UNS_ADMIN_PERM
}, {
.cmd = WG_CMD_SET_DEVICE,
.doit = wg_set_device,
.flags = GENL_UNS_ADMIN_PERM
}
};
static struct genl_family genl_family __ro_after_init = {
.ops = genl_ops,
.n_ops = ARRAY_SIZE(genl_ops),
.resv_start_op = WG_CMD_SET_DEVICE + 1,
.split_ops = wireguard_nl_ops,
.n_split_ops = ARRAY_SIZE(wireguard_nl_ops),
.name = WG_GENL_NAME,
.version = WG_GENL_VERSION,
.maxattr = WGDEVICE_A_MAX,
.module = THIS_MODULE,
.policy = device_policy,
.netnsok = true
};
int __init wg_genetlink_init(void)
{
BUILD_BUG_ON(WG_KEY_LEN != NOISE_PUBLIC_KEY_LEN);
BUILD_BUG_ON(WG_KEY_LEN != NOISE_SYMMETRIC_KEY_LEN);
return genl_register_family(&genl_family);
}

193
include/uapi/linux/wireguard.h
View File

@@ -1,156 +1,31 @@
/* SPDX-License-Identifier: (GPL-2.0 WITH Linux-syscall-note) OR MIT */
/*
* Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
*
* Documentation
* =============
*
* The below enums and macros are for interfacing with WireGuard, using generic
* netlink, with family WG_GENL_NAME and version WG_GENL_VERSION. It defines two
* methods: get and set. Note that while they share many common attributes,
* these two functions actually accept a slightly different set of inputs and
* outputs.
*
* WG_CMD_GET_DEVICE
* -----------------
*
* May only be called via NLM_F_REQUEST | NLM_F_DUMP. The command should contain
* one but not both of:
*
* WGDEVICE_A_IFINDEX: NLA_U32
* WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1
*
* The kernel will then return several messages (NLM_F_MULTI) containing the
* following tree of nested items:
*
* WGDEVICE_A_IFINDEX: NLA_U32
* WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1
* WGDEVICE_A_PRIVATE_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
* WGDEVICE_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
* WGDEVICE_A_LISTEN_PORT: NLA_U16
* WGDEVICE_A_FWMARK: NLA_U32
* WGDEVICE_A_PEERS: NLA_NESTED
* 0: NLA_NESTED
* WGPEER_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
* WGPEER_A_PRESHARED_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
* WGPEER_A_ENDPOINT: NLA_MIN_LEN(struct sockaddr), struct sockaddr_in or struct sockaddr_in6
* WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL: NLA_U16
* WGPEER_A_LAST_HANDSHAKE_TIME: NLA_EXACT_LEN, struct __kernel_timespec
* WGPEER_A_RX_BYTES: NLA_U64
* WGPEER_A_TX_BYTES: NLA_U64
* WGPEER_A_ALLOWEDIPS: NLA_NESTED
* 0: NLA_NESTED
* WGALLOWEDIP_A_FAMILY: NLA_U16
* WGALLOWEDIP_A_IPADDR: NLA_MIN_LEN(struct in_addr), struct in_addr or struct in6_addr
* WGALLOWEDIP_A_CIDR_MASK: NLA_U8
* 0: NLA_NESTED
* ...
* 0: NLA_NESTED
* ...
* ...
* WGPEER_A_PROTOCOL_VERSION: NLA_U32
* 0: NLA_NESTED
* ...
* ...
*
* It is possible that all of the allowed IPs of a single peer will not
* fit within a single netlink message. In that case, the same peer will
* be written in the following message, except it will only contain
* WGPEER_A_PUBLIC_KEY and WGPEER_A_ALLOWEDIPS. This may occur several
* times in a row for the same peer. It is then up to the receiver to
* coalesce adjacent peers. Likewise, it is possible that all peers will
* not fit within a single message. So, subsequent peers will be sent
* in following messages, except those will only contain WGDEVICE_A_IFNAME
* and WGDEVICE_A_PEERS. It is then up to the receiver to coalesce these
* messages to form the complete list of peers.
*
* Since this is an NLA_F_DUMP command, the final message will always be
* NLMSG_DONE, even if an error occurs. However, this NLMSG_DONE message
* contains an integer error code. It is either zero or a negative error
* code corresponding to the errno.
*
* WG_CMD_SET_DEVICE
* -----------------
*
* May only be called via NLM_F_REQUEST. The command should contain the
* following tree of nested items, containing one but not both of
* WGDEVICE_A_IFINDEX and WGDEVICE_A_IFNAME:
*
* WGDEVICE_A_IFINDEX: NLA_U32
* WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1
* WGDEVICE_A_FLAGS: NLA_U32, 0 or WGDEVICE_F_REPLACE_PEERS if all current
* peers should be removed prior to adding the list below.
* WGDEVICE_A_PRIVATE_KEY: len WG_KEY_LEN, all zeros to remove
* WGDEVICE_A_LISTEN_PORT: NLA_U16, 0 to choose randomly
* WGDEVICE_A_FWMARK: NLA_U32, 0 to disable
* WGDEVICE_A_PEERS: NLA_NESTED
* 0: NLA_NESTED
* WGPEER_A_PUBLIC_KEY: len WG_KEY_LEN
* WGPEER_A_FLAGS: NLA_U32, 0 and/or WGPEER_F_REMOVE_ME if the
* specified peer should not exist at the end of the
* operation, rather than added/updated and/or
* WGPEER_F_REPLACE_ALLOWEDIPS if all current allowed
* IPs of this peer should be removed prior to adding
* the list below and/or WGPEER_F_UPDATE_ONLY if the
* peer should only be set if it already exists.
* WGPEER_A_PRESHARED_KEY: len WG_KEY_LEN, all zeros to remove
* WGPEER_A_ENDPOINT: struct sockaddr_in or struct sockaddr_in6
* WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL: NLA_U16, 0 to disable
* WGPEER_A_ALLOWEDIPS: NLA_NESTED
* 0: NLA_NESTED
* WGALLOWEDIP_A_FAMILY: NLA_U16
* WGALLOWEDIP_A_IPADDR: struct in_addr or struct in6_addr
* WGALLOWEDIP_A_CIDR_MASK: NLA_U8
* WGALLOWEDIP_A_FLAGS: NLA_U32, WGALLOWEDIP_F_REMOVE_ME if
* the specified IP should be removed;
* otherwise, this IP will be added if
* it is not already present.
* 0: NLA_NESTED
* ...
* 0: NLA_NESTED
* ...
* ...
* WGPEER_A_PROTOCOL_VERSION: NLA_U32, should not be set or used at
* all by most users of this API, as the
* most recent protocol will be used when
* this is unset. Otherwise, must be set
* to 1.
* 0: NLA_NESTED
* ...
* ...
*
* It is possible that the amount of configuration data exceeds that of
* the maximum message length accepted by the kernel. In that case, several
* messages should be sent one after another, with each successive one
* filling in information not contained in the prior. Note that if
* WGDEVICE_F_REPLACE_PEERS is specified in the first message, it probably
* should not be specified in fragments that come after, so that the list
* of peers is only cleared the first time but appended after. Likewise for
* peers, if WGPEER_F_REPLACE_ALLOWEDIPS is specified in the first message
* of a peer, it likely should not be specified in subsequent fragments.
*
* If an error occurs, NLMSG_ERROR will reply containing an errno.
*/
/* SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) */
/* Do not edit directly, auto-generated from: */
/* Documentation/netlink/specs/wireguard.yaml */
/* YNL-GEN uapi header */
/* To regenerate run: tools/net/ynl/ynl-regen.sh */
#ifndef _WG_UAPI_WIREGUARD_H
#define _WG_UAPI_WIREGUARD_H
#ifndef _UAPI_LINUX_WIREGUARD_H
#define _UAPI_LINUX_WIREGUARD_H
#define WG_GENL_NAME "wireguard"
#define WG_GENL_VERSION 1
#define WG_GENL_NAME "wireguard"
#define WG_GENL_VERSION 1
#define WG_KEY_LEN 32
enum wg_cmd {
WG_CMD_GET_DEVICE,
WG_CMD_SET_DEVICE,
__WG_CMD_MAX
};
#define WG_CMD_MAX (__WG_CMD_MAX - 1)
#define WG_KEY_LEN 32
enum wgdevice_flag {
WGDEVICE_F_REPLACE_PEERS = 1U << 0,
__WGDEVICE_F_ALL = WGDEVICE_F_REPLACE_PEERS
WGDEVICE_F_REPLACE_PEERS = 1,
};
enum wgpeer_flag {
WGPEER_F_REMOVE_ME = 1,
WGPEER_F_REPLACE_ALLOWEDIPS = 2,
WGPEER_F_UPDATE_ONLY = 4,
};
enum wgallowedip_flag {
WGALLOWEDIP_F_REMOVE_ME = 1,
};
enum wgdevice_attribute {
WGDEVICE_A_UNSPEC,
WGDEVICE_A_IFINDEX,
@@ -161,17 +36,11 @@ enum wgdevice_attribute {
WGDEVICE_A_LISTEN_PORT,
WGDEVICE_A_FWMARK,
WGDEVICE_A_PEERS,
__WGDEVICE_A_LAST
};
#define WGDEVICE_A_MAX (__WGDEVICE_A_LAST - 1)
enum wgpeer_flag {
WGPEER_F_REMOVE_ME = 1U << 0,
WGPEER_F_REPLACE_ALLOWEDIPS = 1U << 1,
WGPEER_F_UPDATE_ONLY = 1U << 2,
__WGPEER_F_ALL = WGPEER_F_REMOVE_ME | WGPEER_F_REPLACE_ALLOWEDIPS |
WGPEER_F_UPDATE_ONLY
};
enum wgpeer_attribute {
WGPEER_A_UNSPEC,
WGPEER_A_PUBLIC_KEY,
@@ -184,22 +53,28 @@ enum wgpeer_attribute {
WGPEER_A_TX_BYTES,
WGPEER_A_ALLOWEDIPS,
WGPEER_A_PROTOCOL_VERSION,
__WGPEER_A_LAST
};
#define WGPEER_A_MAX (__WGPEER_A_LAST - 1)
enum wgallowedip_flag {
WGALLOWEDIP_F_REMOVE_ME = 1U << 0,
__WGALLOWEDIP_F_ALL = WGALLOWEDIP_F_REMOVE_ME
};
enum wgallowedip_attribute {
WGALLOWEDIP_A_UNSPEC,
WGALLOWEDIP_A_FAMILY,
WGALLOWEDIP_A_IPADDR,
WGALLOWEDIP_A_CIDR_MASK,
WGALLOWEDIP_A_FLAGS,
__WGALLOWEDIP_A_LAST
};
#define WGALLOWEDIP_A_MAX (__WGALLOWEDIP_A_LAST - 1)
#endif /* _WG_UAPI_WIREGUARD_H */
enum wg_cmd {
WG_CMD_GET_DEVICE,
WG_CMD_SET_DEVICE,
__WG_CMD_MAX
};
#define WG_CMD_MAX (__WG_CMD_MAX - 1)
#endif /* _UAPI_LINUX_WIREGUARD_H */