Age | Commit message | Author |
|
Reported-by: King DuckZ <dev00@gmx.it>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Reported-by: Christian Weiss <cwei@gmx.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Contributed-by: Martin Hauke <mardnh@gmx.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
This is a follow up to 2d4fa2a6e7903ec3340f1b075456cbd84ba6a744.
Upstream commit 2c64605b590edadb3fb46d1ec6badb49e940b479 has been backported
to 5.4.29 and 5.5.14.
Signed-off-by: Christian Hesse <mail@eworm.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
This backports upstream commit 2c64605b590edadb3fb46d1ec6badb49e940b479.
It makes no difference for us, but it's nice to keep this code in sync
with upstream as much as possible.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Reported-by: Vladimir Benes <vbenes@redhat.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Reported-by: chotaire <chotaire@chotaire.net>
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
It turns out there's an easy way to get packets queued up while still
having an MTU of zero, and that's via persistent keep alive. This commit
makes sure that in whatever condition, we don't wind up dividing by
zero. Note that an MTU of zero for a wireguard interface is something
quasi-valid, so I don't think the correct fix is to limit it via
min_mtu. This can be reproduced easily with:
    ip link add wg0 type wireguard
    ip link add wg1 type wireguard
    ip link set wg0 up mtu 0
    ip link set wg1 up
    wg set wg0 private-key <(wg genkey)
    wg set wg1 listen-port 1 private-key <(wg genkey) peer $(wg show wg0 public-key)
    wg set wg0 peer $(wg show wg1 public-key) persistent-keepalive 1 endpoint 127.0.0.1:1
However, while min_mtu=0 seems fine, it makes sense to restrict the
max_mtu. This commit also restricts the maximum MTU to the greatest
number for which rounding up to the padding multiple won't overflow a
signed integer. Packets this large were always rejected anyway
eventually, due to checks deeper in, but it seems more sound not to even
let the administrator configure something that won't work anyway.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
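A simplified model of the two guards the commit message above describes: a padding calculation that never divides by a zero MTU, and an upper MTU bound that keeps the round-up within a signed integer. This is an added example, not code from the WireGuard tree; the padding multiple of 16 and all function names are assumptions.

```c
#include <limits.h>
#include <stdio.h>

#define PADDING_MULTIPLE 16u	/* assumed padding multiple (power of two) */

/* Round x up to the next multiple of PADDING_MULTIPLE. */
static unsigned int align_up(unsigned int x)
{
	return (x + PADDING_MULTIPLE - 1) & ~(PADDING_MULTIPLE - 1);
}

/* Padding bytes to append to a packet of `len` bytes on a device with `mtu`. */
unsigned int padding_for(unsigned int len, unsigned int mtu)
{
	unsigned int last_unit = len, padded;

	/* MTU 0 is allowed, so take a path that never computes `len % mtu`. */
	if (mtu == 0)
		return align_up(last_unit) - last_unit;

	if (last_unit > mtu)
		last_unit %= mtu;

	padded = align_up(last_unit);
	if (padded > mtu)	/* never pad past the MTU */
		padded = mtu;
	return padded - last_unit;
}

/* Largest MTU that is still representable after rounding up to the multiple. */
int max_safe_mtu(void)
{
	return INT_MAX - INT_MAX % (int)PADDING_MULTIPLE;
}

/* Configuration-time check: reject MTUs whose round-up would overflow. */
int mtu_is_configurable(long long mtu)
{
	return mtu >= 0 && mtu <= max_safe_mtu();
}

int main(void)
{
	printf("keepalive, mtu 0: %u\n", padding_for(0, 0));
	printf("max safe mtu: %d\n", max_safe_mtu());
	return 0;
}
```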
|
|
This is a small test to ensure that icmp_ndo_send is actually doing the
right thing with regards to the source address. It tests this by
ensuring that the error comes back along the right path.
Also, backport the new ndo function for this.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
We only support the latest RHEL-7 and RHEL-8.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
RedHat backported some more changes, now released as kernel 4.18.0-168.el8.
To maintain compatibility with kernel -147, a new macro is introduced: ISRHEL82.
Compile-tested with the -168 and -147 kernels.
Signed-off-by: Ilie Halip <ilie.halip@gmail.com>
[zx2c4: we normally only support the latest RHEL, but having some beta
support for the time being sounds like a good plan, given that there
may be interest from RedHat in actually merging this into their
kernels.]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
This won't be ported to 5.6, of course, but it's still cleaner to get
this out of the way.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
RedHat backported to their kernel 4.18.0-147.el8 a couple features.
This patch enables compiling for this kernel.
Signed-off-by: Sergey Ivanov <seriv@cs.umd.edu>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Upstream changed the API, so we introduce this super insane compat hack
to make everything work again.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Reported-by: PaX Team <pageexec@freemail.hu>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
They forgot to backport hsiphash.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Android kernels backported d35a00b8e33dab7385f724e713ae71c8be0a49f4, so
now we need to do feature detection.
Link: https://android-review.googlesource.com/c/kernel/common/+/1103831
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Certain targets don't define CONFIG_*, which means this bc command was
previously failing.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Overriding LLTX like this is pretty ugly, but at least it means we don't
have to let OpenVZ infect the real source tree.
Requested-by: Benedikt Braunger <b.braunger@syseleven.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Coarse ktime is broken until [1] in 5.2 and kernels without the
backport, so we use fallback code there.
The fallback code has also been improved significantly. It now only uses
slower clocks on kernels < 3.17, at the expense of some accuracy we're
not overly concerned about.
[1] https://lore.kernel.org/lkml/tip-e3ff9c3678b4d80e22d2557b68726174578eaf52@git.kernel.org/
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Apparently cdd750bfb1f76fe9be8cfb53cbe77b2e811081ab changed things, so
we fall back onto this hack.
Reported-by: Alex Xu <alex@alxu.ca>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Reported-by: Bruno Wolff III <bruno@wolff.to>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
This allows the kernel to generate ipv6 fragments. Apply the same
to ipv4 for consistency.
Signed-off-by: Joe Holden <jwh@zorins.us>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Reference: https://lists.zx2c4.com/pipermail/wireguard/2019-April/004081.html
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
In d2c5c103b133 ("netfilter: nat: remove nf_nat_l3proto.h and
nf_nat_core.h").
Signed-off-by: Bruno Wolff III <bruno@wolff.to>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
On ancient kernels, ipv6_stub is sometimes null in cases where IPv6 has
been disabled with a command line flag or other failures.
Reported-by: Anatoli <me@anatoli.ws>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Reported-by: Alex Xu <alex@alxu.ca>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
The former was just a wrapper around the latter, and so upstream is now
removing it.
Also adjust the compat kludge to deal with this.
Reported-by: Alex Xu <alex@alxu.ca>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|