Hello community, here is the log from the commit of package wireguard for openSUSE:Factory checked in at 2019-12-12 23:19:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/wireguard (Old) and /work/SRC/openSUSE:Factory/.wireguard.new.4691 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wireguard" Thu Dec 12 23:19:20 2019 rev:4 rq:756066 version:0.0.20191212 Changes: -------- --- /work/SRC/openSUSE:Factory/wireguard/wireguard.changes 2019-12-06 12:11:07.816061266 +0100 +++ /work/SRC/openSUSE:Factory/.wireguard.new.4691/wireguard.changes 2019-12-12 23:19:32.442206066 +0100 @@ -1,0 +2,23 @@ +Thu Dec 12 11:57:09 UTC 2019 - Martin Hauke <[email protected]> + +- Update to version 0.0.20191212 + * socket: convert to ipv6_dst_lookup_flow for 5.5 + * wg-quick: linux: add support for nft and prefer it + * wg-quick: linux: support older nft(8) + * global: fix up spelling + * main: remove unused include <linux/version.h> + +------------------------------------------------------------------- +Wed Dec 11 20:52:31 UTC 2019 - [email protected] + +- Update to 0.0.20191206 + * chacha20poly1305: double check the sgmiter logic with test + * wg-quick: linux: ignore save warnings for iptables-nft + * wg-quick: linux: suppress more warnings on weird kernels + * wg-quick: linux: some iptables don't like empty lines + * crypto: use new assembler macros for 5.5 + * chacha20poly1305: port to sgmitter for 5.5 + * netlink: prepare for removal of genl_family_attrbuf in 5.5 +- fix changelog for 0.0.20191205 + +------------------------------------------------------------------- @@ -4 +27 @@ -- Update to version 0.0.20191127 +- Update to version 0.0.20191205 Old: ---- WireGuard-0.0.20191205.tar.asc WireGuard-0.0.20191205.tar.xz New: ---- WireGuard-0.0.20191212.tar.asc WireGuard-0.0.20191212.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ wireguard.spec ++++++ --- /var/tmp/diff_new_pack.0kwTfJ/_old 2019-12-12 23:19:33.018206014 +0100 +++ /var/tmp/diff_new_pack.0kwTfJ/_new 2019-12-12 23:19:33.022206013 +0100 @@ -18,7 +18,7 @@ Name: wireguard -Version: 0.0.20191205 +Version: 0.0.20191212 Release: 0 Summary: Fast, modern, secure kernel VPN tunnel License: GPL-2.0-only ++++++ WireGuard-0.0.20191205.tar.xz -> WireGuard-0.0.20191212.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/contrib/examples/nat-hole-punching/README new/WireGuard-0.0.20191212/contrib/examples/nat-hole-punching/README --- old/WireGuard-0.0.20191205/contrib/examples/nat-hole-punching/README 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/contrib/examples/nat-hole-punching/README 2019-12-12 12:24:51.000000000 +0100 @@ -9,8 +9,8 @@ Server is 1.2.3.4 and is on the public internet accepting UDP:49918. -Client A is NAT'd and doesnt't know its IP address. -Client B is NAT'd and doesnt't know its IP address. +Client A is NAT'd and doesn't know its IP address. +Client B is NAT'd and doesn't know its IP address. Server runs: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/Kconfig new/WireGuard-0.0.20191212/src/Kconfig --- old/WireGuard-0.0.20191205/src/Kconfig 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/Kconfig 2019-12-12 12:24:51.000000000 +0100 @@ -5,8 +5,7 @@ select NET_UDP_TUNNEL select DST_CACHE select CRYPTO - select CRYPTO_BLKCIPHER - select XOR_BLOCKS + select CRYPTO_ALGAPI select VFP select VFPv3 if CPU_V7 select NEON if CPU_V7 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/compat/compat-asm.h new/WireGuard-0.0.20191212/src/compat/compat-asm.h --- old/WireGuard-0.0.20191205/src/compat/compat-asm.h 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/compat/compat-asm.h 2019-12-12 12:24:51.000000000 +0100 @@ -40,4 +40,9 @@ #undef pull #endif +#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0) +#define SYM_FUNC_START ENTRY +#define SYM_FUNC_END ENDPROC +#endif + #endif /* _WG_COMPATASM_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/compat/compat.h new/WireGuard-0.0.20191212/src/compat/compat.h --- old/WireGuard-0.0.20191205/src/compat/compat.h 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/compat/compat.h 2019-12-12 12:24:51.000000000 +0100 @@ -326,7 +326,7 @@ } #endif -#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 2, 0) +#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 2, 0) && !defined(ISRHEL8) #include <linux/random.h> #include <linux/slab.h> struct rng_is_initialized_callback { @@ -831,7 +831,7 @@ } #endif -#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 20, 0) +#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 20, 0) && !defined(ISRHEL8) #define NLA_EXACT_LEN NLA_UNSPEC #endif #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 2, 0) @@ -843,6 +843,28 @@ #define cpu_have_named_feature(name) (elf_hwcap & (HWCAP_ ## name)) #endif +#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 1, 0) +#include <linux/stddef.h> +#ifndef offsetofend +#define offsetofend(TYPE, MEMBER) (offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER)) +#endif +#endif + +#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0) +#define genl_dumpit_info(cb) ({ \ + struct { struct nlattr **attrs; } *a = (void *)((u8 *)cb->args + offsetofend(struct dump_ctx, next_allowedip)); \ + BUILD_BUG_ON(sizeof(cb->args) < offsetofend(struct dump_ctx, next_allowedip) + sizeof(*a)); \ + a->attrs = genl_family_attrbuf(&genl_family); \ + if (nlmsg_parse(cb->nlh, GENL_HDRLEN + genl_family.hdrsize, a->attrs, genl_family.maxattr, device_policy, NULL) < 0) \ + memset(a->attrs, 0, (genl_family.maxattr + 1) * sizeof(struct nlattr *)); \ + a; \ +}) +#endif + +#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0) +#define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, &dst, c) + (void *)0 ?: dst +#endif + #if defined(ISUBUNTU1604) #include <linux/siphash.h> #ifndef _WG_LINUX_SIPHASH_H diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/crypto/include/zinc/chacha20poly1305.h new/WireGuard-0.0.20191212/src/crypto/include/zinc/chacha20poly1305.h --- old/WireGuard-0.0.20191205/src/crypto/include/zinc/chacha20poly1305.h 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/crypto/include/zinc/chacha20poly1305.h 2019-12-12 12:24:51.000000000 +0100 @@ -22,9 +22,9 @@ const u64 nonce, const u8 key[CHACHA20POLY1305_KEY_SIZE]); -bool __must_check chacha20poly1305_encrypt_sg( - struct scatterlist *dst, struct scatterlist *src, const size_t src_len, - const u8 *ad, const size_t ad_len, const u64 nonce, +bool __must_check chacha20poly1305_encrypt_sg_inplace( + struct scatterlist *src, const size_t src_len, const u8 *ad, + const size_t ad_len, const u64 nonce, const u8 key[CHACHA20POLY1305_KEY_SIZE], simd_context_t *simd_context); bool __must_check @@ -32,9 +32,9 @@ const u8 *ad, const size_t ad_len, const u64 nonce, const u8 key[CHACHA20POLY1305_KEY_SIZE]); -bool __must_check chacha20poly1305_decrypt_sg( - struct scatterlist *dst, struct scatterlist *src, const size_t src_len, - const u8 *ad, const size_t ad_len, const u64 nonce, +bool __must_check chacha20poly1305_decrypt_sg_inplace( + struct scatterlist *src, size_t src_len, const u8 *ad, + const size_t ad_len, const u64 nonce, const u8 key[CHACHA20POLY1305_KEY_SIZE], simd_context_t *simd_context); void xchacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/crypto/zinc/blake2s/blake2s-x86_64.S new/WireGuard-0.0.20191212/src/crypto/zinc/blake2s/blake2s-x86_64.S --- old/WireGuard-0.0.20191205/src/crypto/zinc/blake2s/blake2s-x86_64.S 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/crypto/zinc/blake2s/blake2s-x86_64.S 2019-12-12 12:24:51.000000000 +0100 @@ -47,7 +47,7 @@ .text #ifdef CONFIG_AS_SSSE3 -ENTRY(blake2s_compress_ssse3) +SYM_FUNC_START(blake2s_compress_ssse3) testq %rdx,%rdx je .Lendofloop movdqu (%rdi),%xmm0 @@ -173,11 +173,11 @@ movdqu %xmm14,0x20(%rdi) .Lendofloop: ret -ENDPROC(blake2s_compress_ssse3) +SYM_FUNC_END(blake2s_compress_ssse3) #endif /* CONFIG_AS_SSSE3 */ #ifdef CONFIG_AS_AVX512 -ENTRY(blake2s_compress_avx512) +SYM_FUNC_START(blake2s_compress_avx512) vmovdqu (%rdi),%xmm0 vmovdqu 0x10(%rdi),%xmm1 vmovdqu 0x20(%rdi),%xmm4 @@ -254,5 +254,5 @@ vmovdqu %xmm4,0x20(%rdi) vzeroupper retq -ENDPROC(blake2s_compress_avx512) +SYM_FUNC_END(blake2s_compress_avx512) #endif /* CONFIG_AS_AVX512 */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/crypto/zinc/chacha20/chacha20-unrolled-arm.S new/WireGuard-0.0.20191212/src/crypto/zinc/chacha20/chacha20-unrolled-arm.S --- old/WireGuard-0.0.20191205/src/crypto/zinc/chacha20/chacha20-unrolled-arm.S 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/crypto/zinc/chacha20/chacha20-unrolled-arm.S 2019-12-12 12:24:51.000000000 +0100 @@ -394,7 +394,7 @@ * void chacha20_arm(u8 *out, const u8 *in, size_t len, const u32 key[8], * const u32 iv[4]); */ -ENTRY(chacha20_arm) +SYM_FUNC_START(chacha20_arm) cmp r2, #0 // len == 0? reteq lr @@ -428,12 +428,12 @@ add sp, #76 pop {r4-r11, pc} -ENDPROC(chacha20_arm) +SYM_FUNC_END(chacha20_arm) /* * void hchacha20_arm(const u32 state[16], u32 out[8]); */ -ENTRY(hchacha20_arm) +SYM_FUNC_START(hchacha20_arm) push {r1,r4-r11,lr} mov r14, r0 @@ -458,4 +458,4 @@ stm r4, {X0,X1,X2,X3,X12,X13,X14,X15} pop {r4-r11,pc} -ENDPROC(hchacha20_arm) +SYM_FUNC_END(hchacha20_arm) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/crypto/zinc/chacha20/chacha20-x86_64.pl new/WireGuard-0.0.20191212/src/crypto/zinc/chacha20/chacha20-x86_64.pl --- old/WireGuard-0.0.20191205/src/crypto/zinc/chacha20/chacha20-x86_64.pl 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/crypto/zinc/chacha20/chacha20-x86_64.pl 2019-12-12 12:24:51.000000000 +0100 @@ -124,7 +124,7 @@ my ($name, $align, $nargs) = @_; if($kernel) { $code .= ".align $align\n"; - $code .= "ENTRY($name)\n"; + $code .= "SYM_FUNC_START($name)\n"; $code .= ".L$name:\n"; } else { $code .= ".globl $name\n"; @@ -137,7 +137,7 @@ sub end_function() { my ($name) = @_; if($kernel) { - $code .= "ENDPROC($name)\n"; + $code .= "SYM_FUNC_END($name)\n"; } else { $code .= ".size $name,.-$name\n"; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/crypto/zinc/chacha20poly1305.c new/WireGuard-0.0.20191212/src/crypto/zinc/chacha20poly1305.c --- old/WireGuard-0.0.20191205/src/crypto/zinc/chacha20poly1305.c 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/crypto/zinc/chacha20poly1305.c 2019-12-12 12:24:51.000000000 +0100 @@ -18,16 +18,7 @@ #include <linux/init.h> #include <crypto/scatterwalk.h> // For blkcipher_walk. -static const u8 pad0[16] = { 0 }; - -static struct blkcipher_desc desc = { .tfm = &(struct crypto_blkcipher){ - .base = { .__crt_alg = &(struct crypto_alg){ - .cra_blocksize = 1, -#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS - .cra_alignmask = sizeof(u32) - 1 -#endif - } } -} }; +static const u8 pad0[CHACHA20_BLOCK_SIZE] = { 0 }; static inline void __chacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len, @@ -82,22 +73,25 @@ } EXPORT_SYMBOL(chacha20poly1305_encrypt); -bool chacha20poly1305_encrypt_sg(struct scatterlist *dst, - struct scatterlist *src, const size_t src_len, - const u8 *ad, const size_t ad_len, - const u64 nonce, - const u8 key[CHACHA20POLY1305_KEY_SIZE], - simd_context_t *simd_context) +bool chacha20poly1305_encrypt_sg_inplace(struct scatterlist *src, + const size_t src_len, + const u8 *ad, const size_t ad_len, + const u64 nonce, + const u8 key[CHACHA20POLY1305_KEY_SIZE], + simd_context_t *simd_context) { struct poly1305_ctx poly1305_state; struct chacha20_ctx chacha20_state; - int ret = 0; - struct blkcipher_walk walk; + struct sg_mapping_iter miter; + size_t partial = 0; + ssize_t sl; union { + u8 chacha20_stream[CHACHA20_BLOCK_SIZE]; u8 block0[POLY1305_KEY_SIZE]; u8 mac[POLY1305_MAC_SIZE]; __le64 lens[2]; - } b = { { 0 } }; + } b __aligned(16) = { { 0 } }; + chacha20_init(&chacha20_state, key, nonce); chacha20(&chacha20_state, b.block0, b.block0, sizeof(b.block0), @@ -108,32 +102,43 @@ poly1305_update(&poly1305_state, pad0, (0x10 - ad_len) & 0xf, simd_context); - if (likely(src_len)) { - blkcipher_walk_init(&walk, dst, src, src_len); - ret = blkcipher_walk_virt_block(&desc, &walk, - CHACHA20_BLOCK_SIZE); - while (walk.nbytes >= CHACHA20_BLOCK_SIZE) { - size_t chunk_len = - rounddown(walk.nbytes, CHACHA20_BLOCK_SIZE); - - chacha20(&chacha20_state, walk.dst.virt.addr, - walk.src.virt.addr, chunk_len, simd_context); - poly1305_update(&poly1305_state, walk.dst.virt.addr, - chunk_len, simd_context); - simd_relax(simd_context); - ret = blkcipher_walk_done(&desc, &walk, - walk.nbytes % CHACHA20_BLOCK_SIZE); + sg_miter_start(&miter, src, sg_nents(src), SG_MITER_TO_SG | SG_MITER_ATOMIC); + for (sl = src_len; sl > 0 && sg_miter_next(&miter); sl -= miter.length) { + u8 *addr = miter.addr; + size_t length = min_t(size_t, sl, miter.length); + + if (unlikely(partial)) { + size_t l = min(length, CHACHA20_BLOCK_SIZE - partial); + + crypto_xor(addr, b.chacha20_stream + partial, l); + partial = (partial + l) & (CHACHA20_BLOCK_SIZE - 1); + + addr += l; + length -= l; } - if (walk.nbytes) { - chacha20(&chacha20_state, walk.dst.virt.addr, - walk.src.virt.addr, walk.nbytes, simd_context); - poly1305_update(&poly1305_state, walk.dst.virt.addr, - walk.nbytes, simd_context); - ret = blkcipher_walk_done(&desc, &walk, 0); + + if (likely(length >= CHACHA20_BLOCK_SIZE || length == sl)) { + size_t l = length; + + if (unlikely(length < sl)) + l &= ~(CHACHA20_BLOCK_SIZE - 1); + chacha20(&chacha20_state, addr, addr, l, simd_context); + addr += l; + length -= l; + } + + if (unlikely(length > 0)) { + chacha20(&chacha20_state, b.chacha20_stream, pad0, + CHACHA20_BLOCK_SIZE, simd_context); + crypto_xor(addr, b.chacha20_stream, length); + partial = length; } + + poly1305_update(&poly1305_state, miter.addr, + min_t(size_t, sl, miter.length), simd_context); + + simd_relax(simd_context); } - if (unlikely(ret)) - goto err; poly1305_update(&poly1305_state, pad0, (0x10 - src_len) & 0xf, simd_context); @@ -143,14 +148,22 @@ poly1305_update(&poly1305_state, (u8 *)b.lens, sizeof(b.lens), simd_context); - poly1305_final(&poly1305_state, b.mac, simd_context); - scatterwalk_map_and_copy(b.mac, dst, src_len, sizeof(b.mac), 1); -err: + if (likely(sl <= -POLY1305_MAC_SIZE)) + poly1305_final(&poly1305_state, miter.addr + miter.length + sl, + simd_context); + + sg_miter_stop(&miter); + + if (unlikely(sl > -POLY1305_MAC_SIZE)) { + poly1305_final(&poly1305_state, b.mac, simd_context); + scatterwalk_map_and_copy(b.mac, src, src_len, sizeof(b.mac), 1); + } + memzero_explicit(&chacha20_state, sizeof(chacha20_state)); memzero_explicit(&b, sizeof(b)); - return !ret; + return true; } -EXPORT_SYMBOL(chacha20poly1305_encrypt_sg); +EXPORT_SYMBOL(chacha20poly1305_encrypt_sg_inplace); static inline bool __chacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len, @@ -217,29 +230,32 @@ } EXPORT_SYMBOL(chacha20poly1305_decrypt); -bool chacha20poly1305_decrypt_sg(struct scatterlist *dst, - struct scatterlist *src, const size_t src_len, - const u8 *ad, const size_t ad_len, - const u64 nonce, - const u8 key[CHACHA20POLY1305_KEY_SIZE], - simd_context_t *simd_context) +bool chacha20poly1305_decrypt_sg_inplace(struct scatterlist *src, + size_t src_len, + const u8 *ad, const size_t ad_len, + const u64 nonce, + const u8 key[CHACHA20POLY1305_KEY_SIZE], + simd_context_t *simd_context) { struct poly1305_ctx poly1305_state; struct chacha20_ctx chacha20_state; - struct blkcipher_walk walk; - int ret = 0; - size_t dst_len; + struct sg_mapping_iter miter; + size_t partial = 0; + ssize_t sl; union { + u8 chacha20_stream[CHACHA20_BLOCK_SIZE]; u8 block0[POLY1305_KEY_SIZE]; struct { u8 read_mac[POLY1305_MAC_SIZE]; u8 computed_mac[POLY1305_MAC_SIZE]; }; __le64 lens[2]; - } b = { { 0 } }; + } b __aligned(16) = { { 0 } }; + bool ret = false; if (unlikely(src_len < POLY1305_MAC_SIZE)) - return false; + return ret; + src_len -= POLY1305_MAC_SIZE; chacha20_init(&chacha20_state, key, nonce); chacha20(&chacha20_state, b.block0, b.block0, sizeof(b.block0), @@ -250,52 +266,74 @@ poly1305_update(&poly1305_state, pad0, (0x10 - ad_len) & 0xf, simd_context); - dst_len = src_len - POLY1305_MAC_SIZE; - if (likely(dst_len)) { - blkcipher_walk_init(&walk, dst, src, dst_len); - ret = blkcipher_walk_virt_block(&desc, &walk, - CHACHA20_BLOCK_SIZE); - while (walk.nbytes >= CHACHA20_BLOCK_SIZE) { - size_t chunk_len = - rounddown(walk.nbytes, CHACHA20_BLOCK_SIZE); - - poly1305_update(&poly1305_state, walk.src.virt.addr, - chunk_len, simd_context); - chacha20(&chacha20_state, walk.dst.virt.addr, - walk.src.virt.addr, chunk_len, simd_context); - simd_relax(simd_context); - ret = blkcipher_walk_done(&desc, &walk, - walk.nbytes % CHACHA20_BLOCK_SIZE); + sg_miter_start(&miter, src, sg_nents(src), SG_MITER_TO_SG | SG_MITER_ATOMIC); + for (sl = src_len; sl > 0 && sg_miter_next(&miter); sl -= miter.length) { + u8 *addr = miter.addr; + size_t length = min_t(size_t, sl, miter.length); + + poly1305_update(&poly1305_state, addr, length, simd_context); + + if (unlikely(partial)) { + size_t l = min(length, CHACHA20_BLOCK_SIZE - partial); + + crypto_xor(addr, b.chacha20_stream + partial, l); + partial = (partial + l) & (CHACHA20_BLOCK_SIZE - 1); + + addr += l; + length -= l; + } + + if (likely(length >= CHACHA20_BLOCK_SIZE || length == sl)) { + size_t l = length; + + if (unlikely(length < sl)) + l &= ~(CHACHA20_BLOCK_SIZE - 1); + chacha20(&chacha20_state, addr, addr, l, simd_context); + addr += l; + length -= l; } - if (walk.nbytes) { - poly1305_update(&poly1305_state, walk.src.virt.addr, - walk.nbytes, simd_context); - chacha20(&chacha20_state, walk.dst.virt.addr, - walk.src.virt.addr, walk.nbytes, simd_context); - ret = blkcipher_walk_done(&desc, &walk, 0); + + if (unlikely(length > 0)) { + chacha20(&chacha20_state, b.chacha20_stream, pad0, + CHACHA20_BLOCK_SIZE, simd_context); + crypto_xor(addr, b.chacha20_stream, length); + partial = length; } + + simd_relax(simd_context); } - if (unlikely(ret)) - goto err; - poly1305_update(&poly1305_state, pad0, (0x10 - dst_len) & 0xf, + poly1305_update(&poly1305_state, pad0, (0x10 - src_len) & 0xf, simd_context); b.lens[0] = cpu_to_le64(ad_len); - b.lens[1] = cpu_to_le64(dst_len); + b.lens[1] = cpu_to_le64(src_len); poly1305_update(&poly1305_state, (u8 *)b.lens, sizeof(b.lens), simd_context); - poly1305_final(&poly1305_state, b.computed_mac, simd_context); + if (likely(sl <= -POLY1305_MAC_SIZE)) { + poly1305_final(&poly1305_state, b.computed_mac, simd_context); + ret = !crypto_memneq(b.computed_mac, + miter.addr + miter.length + sl, + POLY1305_MAC_SIZE); + } + + sg_miter_stop(&miter); + + if (unlikely(sl > -POLY1305_MAC_SIZE)) { + poly1305_final(&poly1305_state, b.computed_mac, simd_context); + scatterwalk_map_and_copy(b.read_mac, src, src_len, + sizeof(b.read_mac), 0); + ret = !crypto_memneq(b.read_mac, b.computed_mac, + POLY1305_MAC_SIZE); + + } - scatterwalk_map_and_copy(b.read_mac, src, dst_len, POLY1305_MAC_SIZE, 0); - ret = crypto_memneq(b.read_mac, b.computed_mac, POLY1305_MAC_SIZE); -err: memzero_explicit(&chacha20_state, sizeof(chacha20_state)); memzero_explicit(&b, sizeof(b)); - return !ret; + return ret; } -EXPORT_SYMBOL(chacha20poly1305_decrypt_sg); +EXPORT_SYMBOL(chacha20poly1305_decrypt_sg_inplace); void xchacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len, const u8 *ad, const size_t ad_len, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/crypto/zinc/curve25519/curve25519-arm.S new/WireGuard-0.0.20191212/src/crypto/zinc/curve25519/curve25519-arm.S --- old/WireGuard-0.0.20191205/src/crypto/zinc/curve25519/curve25519-arm.S 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/crypto/zinc/curve25519/curve25519-arm.S 2019-12-12 12:24:51.000000000 +0100 @@ -15,7 +15,7 @@ .arch armv7-a .align 4 -ENTRY(curve25519_neon) +SYM_FUNC_START(curve25519_neon) push {r4-r11, lr} mov ip, sp sub r3, sp, #704 @@ -2060,5 +2060,5 @@ movw r0, #0 mov sp, ip pop {r4-r11, pc} -ENDPROC(curve25519_neon) +SYM_FUNC_END(curve25519_neon) #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/crypto/zinc/poly1305/poly1305-x86_64.pl new/WireGuard-0.0.20191212/src/crypto/zinc/poly1305/poly1305-x86_64.pl --- old/WireGuard-0.0.20191205/src/crypto/zinc/poly1305/poly1305-x86_64.pl 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/crypto/zinc/poly1305/poly1305-x86_64.pl 2019-12-12 12:24:51.000000000 +0100 @@ -35,7 +35,7 @@ # Skylake-X system performance. Since we are likely to suppress # AVX512F capability flag [at least on Skylake-X], conversion serves # as kind of "investment protection". Note that next *lake processor, -# Cannolake, has AVX512IFMA code path to execute... +# Cannonlake, has AVX512IFMA code path to execute... # # Numbers are cycles per processed byte with poly1305_blocks alone, # measured with rdtsc at fixed clock frequency. @@ -109,7 +109,7 @@ my ($name, $align, $nargs) = @_; if($kernel) { $code .= ".align $align\n"; - $code .= "ENTRY($name)\n"; + $code .= "SYM_FUNC_START($name)\n"; $code .= ".L$name:\n"; } else { $code .= ".globl $name\n"; @@ -122,7 +122,7 @@ sub end_function() { my ($name) = @_; if($kernel) { - $code .= "ENDPROC($name)\n"; + $code .= "SYM_FUNC_END($name)\n"; } else { $code .= ".size $name,.-$name\n"; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/crypto/zinc/selftest/chacha20poly1305.c new/WireGuard-0.0.20191212/src/crypto/zinc/selftest/chacha20poly1305.c --- old/WireGuard-0.0.20191205/src/crypto/zinc/selftest/chacha20poly1305.c 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/crypto/zinc/selftest/chacha20poly1305.c 2019-12-12 12:24:51.000000000 +0100 @@ -8879,15 +8879,15 @@ static bool __init chacha20poly1305_selftest(void) { enum { MAXIMUM_TEST_BUFFER_LEN = 1UL << 12 }; - size_t i; - u8 *computed_output = NULL, *heap_src = NULL; + size_t i, j, k, total_len; + u8 *computed_output = NULL, *input = NULL; bool success = true, ret; simd_context_t simd_context; - struct scatterlist sg_src, sg_dst; + struct scatterlist sg_src[3]; - heap_src = kmalloc(MAXIMUM_TEST_BUFFER_LEN, GFP_KERNEL); computed_output = kmalloc(MAXIMUM_TEST_BUFFER_LEN, GFP_KERNEL); - if (!heap_src || !computed_output) { + input = kmalloc(MAXIMUM_TEST_BUFFER_LEN, GFP_KERNEL); + if (!computed_output || !input) { pr_err("chacha20poly1305 self-test malloc: FAIL\n"); success = false; goto out; @@ -8916,15 +8916,12 @@ for (i = 0; i < ARRAY_SIZE(chacha20poly1305_enc_vectors); ++i) { if (chacha20poly1305_enc_vectors[i].nlen != 8) continue; - memset(computed_output, 0, MAXIMUM_TEST_BUFFER_LEN); - memcpy(heap_src, chacha20poly1305_enc_vectors[i].input, + memcpy(computed_output, chacha20poly1305_enc_vectors[i].input, chacha20poly1305_enc_vectors[i].ilen); - sg_init_one(&sg_src, heap_src, - chacha20poly1305_enc_vectors[i].ilen); - sg_init_one(&sg_dst, computed_output, + sg_init_one(sg_src, computed_output, chacha20poly1305_enc_vectors[i].ilen + POLY1305_MAC_SIZE); - ret = chacha20poly1305_encrypt_sg(&sg_dst, &sg_src, + ret = chacha20poly1305_encrypt_sg_inplace(sg_src, chacha20poly1305_enc_vectors[i].ilen, chacha20poly1305_enc_vectors[i].assoc, chacha20poly1305_enc_vectors[i].alen, @@ -8963,15 +8960,11 @@ } simd_get(&simd_context); for (i = 0; i < ARRAY_SIZE(chacha20poly1305_dec_vectors); ++i) { - memset(computed_output, 0, MAXIMUM_TEST_BUFFER_LEN); - memcpy(heap_src, chacha20poly1305_dec_vectors[i].input, + memcpy(computed_output, chacha20poly1305_dec_vectors[i].input, chacha20poly1305_dec_vectors[i].ilen); - sg_init_one(&sg_src, heap_src, + sg_init_one(sg_src, computed_output, chacha20poly1305_dec_vectors[i].ilen); - sg_init_one(&sg_dst, computed_output, - chacha20poly1305_dec_vectors[i].ilen - - POLY1305_MAC_SIZE); - ret = chacha20poly1305_decrypt_sg(&sg_dst, &sg_src, + ret = chacha20poly1305_decrypt_sg_inplace(sg_src, chacha20poly1305_dec_vectors[i].ilen, chacha20poly1305_dec_vectors[i].assoc, chacha20poly1305_dec_vectors[i].alen, @@ -9027,8 +9020,57 @@ } } + simd_get(&simd_context); + for (total_len = POLY1305_MAC_SIZE; IS_ENABLED(DEBUG_CHACHA20POLY1305_SLOW_CHUNK_TEST) + && total_len <= 1 << 10; ++total_len) { + for (i = 0; i <= total_len; ++i) { + for (j = i; j <= total_len; ++j) { + sg_init_table(sg_src, 3); + sg_set_buf(&sg_src[0], input, i); + sg_set_buf(&sg_src[1], input + i, j - i); + sg_set_buf(&sg_src[2], input + j, total_len - j); + memset(computed_output, 0, total_len); + memset(input, 0, total_len); + + if (!chacha20poly1305_encrypt_sg_inplace(sg_src, + total_len - POLY1305_MAC_SIZE, NULL, 0, + 0, enc_key001, &simd_context)) + goto chunkfail; + chacha20poly1305_encrypt(computed_output, + computed_output, + total_len - POLY1305_MAC_SIZE, NULL, 0, 0, + enc_key001); + if (memcmp(computed_output, input, total_len)) + goto chunkfail;; + if (!chacha20poly1305_decrypt(computed_output, + input, total_len, NULL, 0, 0, enc_key001)) + goto chunkfail; + for (k = 0; k < total_len - POLY1305_MAC_SIZE; ++k) { + if (computed_output[k]) + goto chunkfail; + } + if (!chacha20poly1305_decrypt_sg_inplace(sg_src, + total_len, NULL, 0, 0, enc_key001, + &simd_context)) + goto chunkfail; + for (k = 0; k < total_len - POLY1305_MAC_SIZE; ++k) { + if (input[k]) + goto chunkfail; + } + continue; + + chunkfail: + pr_err("chacha20poly1305 chunked self-test %zu/%zu/%zu: FAIL\n", + total_len, i, j); + success = false; + } + + } + } + simd_put(&simd_context); + out: - kfree(heap_src); kfree(computed_output); + kfree(input); return success; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/dkms.conf new/WireGuard-0.0.20191212/src/dkms.conf --- old/WireGuard-0.0.20191205/src/dkms.conf 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/dkms.conf 2019-12-12 12:24:51.000000000 +0100 @@ -1,5 +1,5 @@ PACKAGE_NAME="wireguard" -PACKAGE_VERSION="0.0.20191205" +PACKAGE_VERSION="0.0.20191212" AUTOINSTALL=yes BUILT_MODULE_NAME="wireguard" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/main.c new/WireGuard-0.0.20191212/src/main.c --- old/WireGuard-0.0.20191205/src/main.c 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/main.c 2019-12-12 12:24:51.000000000 +0100 @@ -12,7 +12,6 @@ #include "uapi/wireguard.h" #include "crypto/zinc.h" -#include <linux/version.h> #include <linux/init.h> #include <linux/module.h> #include <linux/genetlink.h> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/netlink.c new/WireGuard-0.0.20191212/src/netlink.c --- old/WireGuard-0.0.20191205/src/netlink.c 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/netlink.c 2019-12-12 12:24:51.000000000 +0100 @@ -94,8 +94,8 @@ struct dump_ctx { struct wg_device *wg; struct wg_peer *next_peer; - struct allowedips_node *next_allowedip; u64 allowedips_seq; + struct allowedips_node *next_allowedip; }; #define DUMP_CTX(cb) ((struct dump_ctx *)(cb)->args) @@ -196,15 +196,9 @@ static int wg_get_device_start(struct netlink_callback *cb) { - struct nlattr **attrs = genl_family_attrbuf(&genl_family); struct wg_device *wg; - int ret; - ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + genl_family.hdrsize, attrs, - genl_family.maxattr, device_policy, NULL); - if (ret < 0) - return ret; - wg = lookup_interface(attrs, cb->skb); + wg = lookup_interface(genl_dumpit_info(cb)->attrs, cb->skb); if (IS_ERR(wg)) return PTR_ERR(wg); DUMP_CTX(cb)->wg = wg; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/receive.c new/WireGuard-0.0.20191212/src/receive.c --- old/WireGuard-0.0.20191205/src/receive.c 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/receive.c 2019-12-12 12:24:51.000000000 +0100 @@ -281,9 +281,9 @@ if (skb_to_sgvec(skb, sg, 0, skb->len) <= 0) return false; - if (!chacha20poly1305_decrypt_sg(sg, sg, skb->len, NULL, 0, - PACKET_CB(skb)->nonce, key->key, - simd_context)) + if (!chacha20poly1305_decrypt_sg_inplace(sg, skb->len, NULL, 0, + PACKET_CB(skb)->nonce, key->key, + simd_context)) return false; /* Another ugly situation of pushing and pulling the header so as to @@ -382,7 +382,7 @@ /* We've already verified the Poly1305 auth tag, which means this packet * was not modified in transit. We can therefore tell the networking * stack that all checksums of every layer of encapsulation have already - * been checked "by the hardware" and therefore is unneccessary to check + * been checked "by the hardware" and therefore is unnecessary to check * again in software. */ skb->ip_summed = CHECKSUM_UNNECESSARY; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/send.c new/WireGuard-0.0.20191212/src/send.c --- old/WireGuard-0.0.20191205/src/send.c 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/send.c 2019-12-12 12:24:51.000000000 +0100 @@ -207,9 +207,10 @@ if (skb_to_sgvec(skb, sg, sizeof(struct message_data), noise_encrypted_len(plaintext_len)) <= 0) return false; - return chacha20poly1305_encrypt_sg(sg, sg, plaintext_len, NULL, 0, - PACKET_CB(skb)->nonce, - keypair->sending.key, simd_context); + return chacha20poly1305_encrypt_sg_inplace(sg, plaintext_len, NULL, 0, + PACKET_CB(skb)->nonce, + keypair->sending.key, + simd_context); } void wg_packet_send_keepalive(struct wg_peer *peer) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/socket.c new/WireGuard-0.0.20191212/src/socket.c --- old/WireGuard-0.0.20191205/src/socket.c 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/socket.c 2019-12-12 12:24:51.000000000 +0100 @@ -142,9 +142,10 @@ if (cache) dst_cache_reset(cache); } - ret = ipv6_stub->ipv6_dst_lookup(sock_net(sock), sock, &dst, - &fl); - if (unlikely(ret)) { + dst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(sock), sock, &fl, + NULL); + if (unlikely(IS_ERR(dst))) { + ret = PTR_ERR(dst); net_dbg_ratelimited("%s: No route to %pISpfsc, error %d\n", wg->dev->name, &endpoint->addr, ret); goto err; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/tools/wg-quick/android.c new/WireGuard-0.0.20191212/src/tools/wg-quick/android.c --- old/WireGuard-0.0.20191205/src/tools/wg-quick/android.c 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/tools/wg-quick/android.c 2019-12-12 12:24:51.000000000 +0100 @@ -390,10 +390,10 @@ return size; } -static const char *string_array_getter(const void *array_data, size_t index, int32_t *outlength) +static const char *string_array_getter(const void *array_data, size_t index, int32_t *out_length) { const char **array = (const char **)array_data; - *outlength = array[index] ? strlen(array[index]) : -1; + *out_length = array[index] ? strlen(array[index]) : -1; return array[index]; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/tools/wg-quick/linux.bash new/WireGuard-0.0.20191212/src/tools/wg-quick/linux.bash --- old/WireGuard-0.0.20191205/src/tools/wg-quick/linux.bash 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/tools/wg-quick/linux.bash 2019-12-12 12:24:51.000000000 +0100 @@ -95,18 +95,18 @@ del_if() { local table [[ $HAVE_SET_DNS -eq 0 ]] || unset_dns - [[ $HAVE_SET_IPTABLES -eq 0 ]] || remove_iptables + [[ $HAVE_SET_FIREWALL -eq 0 ]] || remove_firewall if [[ -z $TABLE || $TABLE == auto ]] && get_fwmark table && [[ $(wg show "$INTERFACE" allowed-ips) =~ /0(\ |$'\n'|$) ]]; then - while [[ $(ip -4 rule show) == *"lookup $table"* ]]; do + while [[ $(ip -4 rule show 2>/dev/null) == *"lookup $table"* ]]; do cmd ip -4 rule delete table $table done - while [[ $(ip -4 rule show) == *"from all lookup main suppress_prefixlength 0"* ]]; do + while [[ $(ip -4 rule show 2>/dev/null) == *"from all lookup main suppress_prefixlength 0"* ]]; do cmd ip -4 rule delete table main suppress_prefixlength 0 done - while [[ $(ip -6 rule show) == *"lookup $table"* ]]; do + while [[ $(ip -6 rule show 2>/dev/null) == *"lookup $table"* ]]; do cmd ip -6 rule delete table $table done - while [[ $(ip -6 rule show) == *"from all lookup main suppress_prefixlength 0"* ]]; do + while [[ $(ip -6 rule show 2>/dev/null) == *"from all lookup main suppress_prefixlength 0"* ]]; do cmd ip -6 rule delete table main suppress_prefixlength 0 done fi @@ -181,22 +181,30 @@ return 0 } -remove_iptables() { - local line iptables found restore - for iptables in iptables ip6tables; do - restore="" found=0 - while read -r line; do - [[ $line == "*"* || $line == COMMIT || $line == "-A "*"-m comment --comment \"wg-quick(8) rule for $INTERFACE\""* ]] || continue - [[ $line == "-A"* ]] && found=1 - printf -v restore '%s\n%s' "$restore" "${line/#-A/-D}" - done < <($iptables-save) - [[ $found -ne 1 ]] || echo "$restore" | cmd $iptables-restore -n - done +remove_firewall() { + if type -p nft >/dev/null; then + local table nftcmd + while read -r table; do + [[ $table == *" wg-quick-$INTERFACE" ]] && printf -v nftcmd '%sdelete %s\n' "$nftcmd" "$table" + done < <(nft list tables 2>/dev/null) + [[ -z $nftcmd ]] || cmd nft -f <(echo -n "$nftcmd") + else + local line iptables found restore + for iptables in iptables ip6tables; do + restore="" found=0 + while read -r line; do + [[ $line == "*"* || $line == COMMIT || $line == "-A "*"-m comment --comment \"wg-quick(8) rule for $INTERFACE\""* ]] || continue + [[ $line == "-A"* ]] && found=1 + printf -v restore '%s%s\n' "$restore" "${line/#-A/-D}" + done < <($iptables-save 2>/dev/null) + [[ $found -ne 1 ]] || echo -n "$restore" | cmd $iptables-restore -n + done + fi } -HAVE_SET_IPTABLES=0 +HAVE_SET_FIREWALL=0 add_default() { - local table proto i iptables + local table i if ! get_fwmark table; then table=51820 while [[ -n $(ip -4 route show table $table 2>/dev/null) || -n $(ip -6 route show table $table 2>/dev/null) ]]; do @@ -204,21 +212,32 @@ done cmd wg set "$INTERFACE" fwmark $table fi - proto=-4 iptables=iptables - [[ $1 == *:* ]] && proto=-6 iptables=ip6tables + local proto=-4 iptables=iptables pf=ip + [[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6 cmd ip $proto route add "$1" dev "$INTERFACE" table $table cmd ip $proto rule add not fwmark $table table $table cmd ip $proto rule add table main suppress_prefixlength 0 - local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore="*raw" + local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd + printf -v nftcmd '%sadd table %s %s\n' "$nftcmd" "$pf" "$nftable" + printf -v nftcmd '%sadd chain %s %s preraw { type filter hook prerouting priority -300; }\n' "$nftcmd" "$pf" "$nftable" + printf -v nftcmd '%sadd chain %s %s premangle { type filter hook prerouting priority -150; }\n' "$nftcmd" "$pf" "$nftable" + printf -v nftcmd '%sadd chain %s %s postmangle { type filter hook postrouting priority -150; }\n' "$nftcmd" "$pf" "$nftable" for i in "${ADDRESSES[@]}"; do [[ ( $proto == -4 && $i != *:* ) || ( $proto == -6 && $i == *:* ) ]] || continue - printf -v restore '%s\n-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP %s\n' "$restore" "$INTERFACE" "${i%/*}" "$marker" + printf -v restore '%s-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP %s\n' "$restore" "$INTERFACE" "${i%/*}" "$marker" + printf -v nftcmd '%sadd rule %s %s preraw iifname != %s %s daddr %s fib saddr type != local drop\n' "$nftcmd" "$pf" "$nftable" "$INTERFACE" "$pf" "${i%/*}" done - printf -v restore '%s\nCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker" + printf -v restore '%sCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker" + printf -v nftcmd '%sadd rule %s %s postmangle meta l4proto udp mark %d ct mark set mark \n' "$nftcmd" "$pf" "$nftable" $table + printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta mark set ct mark \n' "$nftcmd" "$pf" "$nftable" [[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1 - echo "$restore" | cmd $iptables-restore -n - HAVE_SET_IPTABLES=1 + if type -p nft >/dev/null; then + cmd nft -f <(echo -n "$nftcmd") + else + echo -n "$restore" | cmd $iptables-restore -n + fi + HAVE_SET_FIREWALL=1 return 0 } @@ -323,7 +342,7 @@ [[ $SAVE_CONFIG -eq 0 ]] || save_config del_if unset_dns || true - remove_iptables || true + remove_firewall || true execute_hooks "${POST_DOWN[@]}" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/uapi/wireguard.h new/WireGuard-0.0.20191212/src/uapi/wireguard.h --- old/WireGuard-0.0.20191205/src/uapi/wireguard.h 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/uapi/wireguard.h 2019-12-12 12:24:51.000000000 +0100 @@ -18,13 +18,13 @@ * one but not both of: * * WGDEVICE_A_IFINDEX: NLA_U32 - * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMESIZ - 1 + * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1 * * The kernel will then return several messages (NLM_F_MULTI) containing the * following tree of nested items: * * WGDEVICE_A_IFINDEX: NLA_U32 - * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMESIZ - 1 + * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1 * WGDEVICE_A_PRIVATE_KEY: NLA_EXACT_LEN, len WG_KEY_LEN * WGDEVICE_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN * WGDEVICE_A_LISTEN_PORT: NLA_U16 @@ -77,7 +77,7 @@ * WGDEVICE_A_IFINDEX and WGDEVICE_A_IFNAME: * * WGDEVICE_A_IFINDEX: NLA_U32 - * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMESIZ - 1 + * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1 * WGDEVICE_A_FLAGS: NLA_U32, 0 or WGDEVICE_F_REPLACE_PEERS if all current * peers should be removed prior to adding the list below. * WGDEVICE_A_PRIVATE_KEY: len WG_KEY_LEN, all zeros to remove @@ -121,7 +121,7 @@ * filling in information not contained in the prior. Note that if * WGDEVICE_F_REPLACE_PEERS is specified in the first message, it probably * should not be specified in fragments that come after, so that the list - * of peers is only cleared the first time but appened after. Likewise for + * of peers is only cleared the first time but appended after. Likewise for * peers, if WGPEER_F_REPLACE_ALLOWEDIPS is specified in the first message * of a peer, it likely should not be specified in subsequent fragments. * diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191205/src/version.h new/WireGuard-0.0.20191212/src/version.h --- old/WireGuard-0.0.20191205/src/version.h 2019-12-05 11:49:46.000000000 +0100 +++ new/WireGuard-0.0.20191212/src/version.h 2019-12-12 12:24:51.000000000 +0100 @@ -1 +1 @@ -#define WIREGUARD_VERSION "0.0.20191205" +#define WIREGUARD_VERSION "0.0.20191212"
