CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2020/06/21 05:25:54
Modified files:
sys/net : if_types.h
Log message:
add IFT_WIREGUARD.
i'm still not a fan of the peer semantics of wireguard interfaces
where each interface can have multiple peers and each peer has a
set of the allowed ips configured, aka cryptokey routing. traditionally
we would use a tunnel (IFT_TUNNEL) style interface per peer, which
means there's a 1:1 mapping between a peer and an interface. in
turn that means you can apply policy with things like pf to the
interface and it implies policy on the peer.
so allowed ips inside a wg interface feels like a bandaid for a
self inflicted wound to some degree. however, deraadt@ points out
that the boat has sailed, and being compatible with the larger
ecosystem has benefits. admins can choose to setup an interface per
peer if they want to, so we get the best of both worlds.
i will admit an interface per peer sucks in a concentrator situation
though. that's why we still have pppac(4) as well as pppx(4). i
also don't have any better ideas for how to scale or even express
this kind of policy in a concentrator setting either.
apologies for the teary.
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
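As an added illustration (not part of this commit or the OpenBSD source tree), the two layouts the log message contrasts: a single wg(4) interface carrying two peers that differ only by their allowed IPs (cryptokey routing), versus one interface per peer so that pf policy attached to an interface is policy on that peer, as with an IFT_TUNNEL-style interface. Keys, addresses and ports are constructed placeholders; the wgkey/wgport/wgpeer/wgendpoint/wgaip parameter names are assumed from OpenBSD's ifconfig(8).

```conf
# /etc/hostname.wg0 -- one interface, two peers (cryptokey routing)
# keys, addresses and ports below are constructed placeholders
inet 10.9.0.1 255.255.255.0
wgkey SERVER_PRIVATE_KEY_PLACEHOLDER wgport 51820
wgpeer PEER_A_PUBKEY_PLACEHOLDER wgendpoint 192.0.2.10 51820 wgaip 10.9.0.2/32
wgpeer PEER_B_PUBKEY_PLACEHOLDER wgendpoint 192.0.2.11 51820 wgaip 10.9.0.3/32

# /etc/pf.conf fragment for the layout above: a rule on wg0 covers both peers,
# so telling them apart means matching the inner source address that the
# allowed-ip entry binds to each peer, not the interface
pass in on wg0 from 10.9.0.2 to any
block in on wg0 proto tcp from 10.9.0.3 to any port 22

# --- alternative: one interface per peer, a 1:1 peer-to-interface mapping ---
# each wg interface listens on its own UDP port (assumption)

# /etc/hostname.wg1 (peer A only)
inet 10.9.1.1 255.255.255.0
wgkey SERVER_PRIVATE_KEY_PLACEHOLDER wgport 51821
wgpeer PEER_A_PUBKEY_PLACEHOLDER wgendpoint 192.0.2.10 51820 wgaip 0.0.0.0/0

# /etc/hostname.wg2 (peer B only)
inet 10.9.2.1 255.255.255.0
wgkey SERVER_PRIVATE_KEY_PLACEHOLDER wgport 51822
wgpeer PEER_B_PUBKEY_PLACEHOLDER wgendpoint 192.0.2.11 51820 wgaip 0.0.0.0/0

# /etc/pf.conf fragment for the per-peer layout: policy is per interface,
# and therefore per peer, with no address matching needed
pass in on wg1
block in on wg2 proto tcp to any port 22
```

In the single-interface layout the per-peer distinction rests on the allowed-ip binding: wg(4) drops decrypted packets whose inner source is not in the sending peer's allowed IPs, so an address-based pf rule is effectively a peer rule. The per-interface layout makes that binding explicit in the interface name, at the cost of one interface and one listening port per peer, which is the scaling concern the message raises for a concentrator.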