git.ipfire.org Git - thirdparty/wireguard-tools.git/commit

author	Jordan Rife <jordan@jrife.io>
	Sat, 17 May 2025 19:29:51 +0000 (12:29 -0700)
committer	Jason A. Donenfeld <Jason@zx2c4.com>
	Tue, 20 May 2025 20:03:58 +0000 (22:03 +0200)
commit	0788f90810efde88cfa07ed96e7eca77c7f2eedd
tree	4ad2ca7cf268a645ba0f7a9a76ab0ba712e6097a	tree \| snapshot
parent	13d190bc72ce1753fbf0d1d6828677d1bc743807	commit \| diff

ipc: linux: support incremental allowed ips updates

Extend the interface of `wg set` to leverage the WGALLOWEDIP_F_REMOVE_ME
flag, a direct way of removing a single allowed ip from a peer,
allowing for incremental updates to a peer's configuration. By default,
allowed-ips fully replaces a peer's allowed ips using
WGPEER_REPLACE_ALLOWEDIPS under the hood. When '+' or '-' is prepended
to any ip in the list, wg clears WGPEER_F_REPLACE_ALLOWEDIPS and sets
the WGALLOWEDIP_F_REMOVE_ME flag on any ip prefixed with '-'.

$ wg set wg0 peer <PUBKEY> allowed-ips +192.168.88.0/24,-192.168.0.1/32

This command means "add 192.168.88.0/24 to this peer's allowed ips if
not present, and remove 192.168.0.1/32 if present".

Use -isystem so that headers in uapi/ take precedence over system
headers; otherwise, the build will fail on systems running kernels
without the WGALLOWEDIP_F_REMOVE_ME flag.

Note that this patch is meant to be merged alongside the kernel patch
that introduces the flag.

Signed-off-by: Jordan Rife <jordan@jrife.io>
[Jason: removed linux ifdefs; this will eventually come to other platforms too. minor style nits.]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

src/Makefile		diff \| blob \| blame \| history
src/config.c		diff \| blob \| blame \| history
src/containers.h		diff \| blob \| blame \| history
src/ipc-linux.h		diff \| blob \| blame \| history
src/man/wg.8		diff \| blob \| blame \| history
src/set.c		diff \| blob \| blame \| history
src/uapi/linux/linux/wireguard.h		diff \| blob \| blame \| history