Development discussion of WireGuard
From: Julian Orth <ju.orth@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: [PATCH v5 00/11] Allow changing the transit namespace
Date: Sat, 15 Dec 2018 17:56:02 +0100
Message-ID: <20181215165613.5486-1-ju.orth@gmail.com>

Hi,

This is v5 of this series. This series makes the following changes:

* wg(1) can now access devices in another network namespace. The syntax
  is

    wg --netns <pid|file-path> <subcommand>

  For example

    wg --netns 5363 show wg0

* wg(1) can now change the network namespace of the UDP socket of a
  device. The syntax is

    wg set <device> transit-netns <pid|file-path>

  For example

    wg set wg0 transit-netns 5363

* When retrieving or modifying properties of the UDP socket (its
  incoming port or its network namespace), the netlink code now checks
  that the calling process has at least one of the following properties:

  * The calling process's network namespace is the same as the (new)
    network namespace of the socket.
  * The calling process has the CAP_NET_ADMIN capability in the (new)
    network namespace of the socket.

These changes allow a user to create a wg device in a user namespace and
to set the network namespace of the UDP socket to the init namespace.
This allows the user to communicate over a wg device even if the user
does not have root in the init namespace.

The code of this version is almost identical to the previous version
except that

* the first commit has been dropped and
* the code has been rebased on master.

Julian

Julian Orth (11):
  netlink: check for CAP_NET_ADMIN manually
  netlink: allow specifying the device namespace
  netlink: restrict access to the UDP socket
  device: rename creating_net to transit_net
  device: store a copy of the device net
  socket: allow modification of transit_net
  netlink: allow modification of transit net
  tools: add framework for shared options
  tools: allow specifying the device namespace
  tools: allow modification of transit net
  tests: add test for transit-net

 src/device.c            |  35 ++++++----
 src/device.h            |   6 +-
 src/netlink.c           | 150 ++++++++++++++++++++++++++++++++--------
 src/socket.c            |  18 ++---
 src/socket.h            |   6 +-
 src/tests/netns.sh      |  40 +++++++++++
 src/tools/config.c      |   8 +++
 src/tools/containers.h  |  22 +++++-
 src/tools/genkey.c      |   3 +-
 src/tools/ipc.c         |  26 +++++--
 src/tools/ipc.h         |   7 +-
 src/tools/man/wg.8      |   9 ++-
 src/tools/netns.c       |  62 +++++++++++++++++
 src/tools/netns.h       |  18 +++++
 src/tools/pubkey.c      |   3 +-
 src/tools/set.c         |   6 +-
 src/tools/setconf.c     |   4 +-
 src/tools/show.c        |  35 +++++++---
 src/tools/showconf.c    |   4 +-
 src/tools/subcommands.h |  14 ++--
 src/tools/wg.c          |  64 +++++++++++++++--
 src/uapi/wireguard.h    |  39 ++++++++++-
 22 files changed, 477 insertions(+), 102 deletions(-)
 create mode 100644 src/tools/netns.c
 create mode 100644 src/tools/netns.h

-- 
2.19.2

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
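As an added illustration (not code from the series or from wg itself), a small Python model of the two access properties listed in the cover letter and of the `<pid|file-path>` argument form. It assumes a bare pid maps to `/proc/<pid>/ns/net`, and takes the CAP_NET_ADMIN verdict as a boolean input because userspace cannot evaluate a capability in a foreign user namespace; the namespace identities used offline are a constructed table.

```python
"""Model of the socket-access rule from the cover letter (added example)."""
import os
import re
from typing import Callable, Dict, Tuple

NsId = Tuple[int, int]   # (st_dev, st_ino) of an nsfs file identifies a namespace
Ident = Callable[[str], NsId]

def netns_ref(arg: str) -> str:
    """Resolve wg's <pid|file-path> argument to an ns file path.
    Assumption: a bare pid means /proc/<pid>/ns/net; anything else is a path."""
    if re.fullmatch(r"[0-9]+", arg):
        return f"/proc/{int(arg)}/ns/net"
    return arg

def ns_identity(path: str) -> NsId:
    """Live identity: the kernel gives every namespace its own nsfs inode."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def same_netns(a: str, b: str, ident: Ident = ns_identity) -> bool:
    """Two ns files name the same namespace iff they resolve to one inode."""
    return ident(a) == ident(b)

def socket_access_allowed(caller_pid: int, socket_ns: str,
                          net_admin_in_socket_ns: bool,
                          ident: Ident = ns_identity) -> bool:
    """Rule the series adds: the caller may read or change the UDP socket's port or
    namespace if it lives in the socket's (new) netns or holds CAP_NET_ADMIN there.
    Userspace cannot run ns_capable() for a foreign user namespace, so the
    capability verdict is a stand-in supplied by the caller."""
    if same_netns(f"/proc/{caller_pid}/ns/net", netns_ref(socket_ns), ident):
        return True
    return net_admin_in_socket_ns

# Constructed table for an offline run (made-up values): pids 100 and 5363 share
# a netns, "/var/run/netns/blue" is a different one.
CONSTRUCTED_NS: Dict[str, NsId] = {
    "/proc/100/ns/net": (4, 4026531992),
    "/proc/5363/ns/net": (4, 4026531992),
    "/var/run/netns/blue": (4, 4026532513),
}

def table_ident(path: str) -> NsId:
    """Identity lookup against CONSTRUCTED_NS instead of the live kernel."""
    return CONSTRUCTED_NS[path]
```

With the default `ns_identity`, the same functions compare real namespaces on a Linux host; pass `table_ident` to exercise the rule without privileges.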
