[ANNOUNCE] wireguard-linux-compat v1.0.20200712 released

[ANNOUNCE] wireguard-linux-compat v1.0.20200712 released

[Jason A. Donenfeld]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

A new version, v1.0.20200712, of the backported WireGuard kernel module for
3.10 <= Linux <= 5.5.y has been tagged in the git repository.

== Changes ==

  This release brings parity with the commits Linus released a few hours
  ago into 5.8-rc5.
  
  * receive: account for napi_gro_receive never returning GRO_DROP
  
  The napi_gro_receive function no longer returns GRO_DROP ever, making
  handling GRO_DROP dead code. This commit removes that dead code.
  Further, it's not even clear that device drivers have any business in
  taking action after passing off received packets; that's arguably out of
  their hands.
  
  * compat: rhel 8.3 backported skb_reset_redirect
  
  This works with the latest RHEL 8.3 beta, which isn't yet released,
  and breaks CentOS 8 Stream as a result, but Red Hat is so slow to release
  their kernels to testing that we've got a real issue: we can't support
  Red Hat development efforts internally at the same time as supporting
  CentOS 8 Stream, making the stream project something of bust,
  unfortuantely.
  
  * compat: SUSE 15.1 is the final SUSE we need to support
  
  >=15.2 is in SUSE's kernel now. We'll be dropping 15.1 support in a
  few weeks after people have had time to upgrade.
  
  * device: implement header_ops->parse_protocol for AF_PACKET
  
  WireGuard uses skb->protocol to determine packet type, and bails out if
  it's not set or set to something it's not expecting. For AF_PACKET
  injection, we need to support its call chain of:
  
      packet_sendmsg -> packet_snd -> packet_parse_headers ->
        dev_parse_header_protocol -> parse_protocol
  
  Without a valid parse_protocol, this returns zero, and wireguard then
  rejects the skb. So, this wires up the ip_tunnel handler for layer 3
  packets for that case.
  
  * queueing: make use of ip_tunnel_parse_protocol
  
  Now that wg_examine_packet_protocol has been added for general
  consumption as ip_tunnel_parse_protocol, it's possible to remove
  wg_examine_packet_protocol and simply use the new
  ip_tunnel_parse_protocol function directly.
  
  * compat: backport ip_tunnel_parse_protocol and ip_tunnel_header_ops
  
  These are required for moving wg_examine_packet_protocol out of
  wireguard and into upstream.

This release contains commits from: Jason A. Donenfeld.

As always, the source is available at https://git.zx2c4.com/wireguard-linux-compat/
and information about the project is available at https://www.wireguard.com/ .

This version is available in compressed tarball form here:
  https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-1.0.20200712.tar.xz
  SHA2-256: e15b3d4eb2cf186920a6ed13685187d6b846e59eb383c291913628682965ac95

A PGP signature of that file decompressed is available here:
  https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-1.0.20200712.tar.asc
  Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
  Remember to unxz the tarball before verifying the signature.

If you're a package maintainer, please bump your package version. If you're a
user, the WireGuard team welcomes any and all feedback on this latest version.

Finally, WireGuard development thrives on donations. By popular demand, we
have a webpage for this: https://www.wireguard.com/donations/

Thank you,
Jason Donenfeld


-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEEq5lC5tSkz8NBJiCnSfxwEqXeA64FAl8L1i8QHGphc29uQHp4
MmM0LmNvbQAKCRBJ/HASpd4DrnFzD/43H09uMYK2PXPChfizkbiz84SvpWpPMqDn
3frC+9Ijp9icZB3Ksd9qauaQhREle6McSjpFPXVL7n6YlLhYPjE5RodGG/sW60QW
OOsCCWrKu1ict8WDDs0X7dIAtj/kKNwu7dUlJnWJRj3Mwe3Wk7s2/uBurf2X6rvC
IzTGvcDDZ/TNDujhJZFgVRmgMQPXGlH0RIp4LVxJSsAIKO1RhjVGGbaTe2deh8sY
YGcdBbtqOCb3K7X/fH2Lt4Ob2FbaqD+DRNDXdV7hPRo/QYtEMBsiiJsw+R9AqtEv
MCg2EBF7l5T4pTiShZKVJnGYQp69vG94QZBrlMNoVJldtqs9DrwehzXaLG4XWILN
Nn0ja2ZIjni+LpVJy7upYwZ9Fzdv6Q85HMVYJpcErhbbEC6uzln6WjXNGKNy7/oA
l9vLu3uFzAvvXBInZDbpg/YpTvd4cXZ1pFFAAGjwCW9B7C4NIu6na8NT9Q51q9EH
0q7l0Hj/CkL0frC0O1xDd5fYrI6SiZRdlHNVWdBCb7siUSw4yjA1L0x5VGkdKCHX
seZLwUin+gaHUQIvTwzbDuHE77K406P4Xp1x1UBFv6g63uZBY3XKukdZSMBOPrDH
eaEbos+pyyV1R49J+SbMMUHkGhIk70OAoFmq+aHdDqITrmhVH/VjSCM04/IdACqo
V4AllFQlQQ==
=rjkE
-----END PGP SIGNATURE-----

Re: [ANNOUNCE] wireguard-linux-compat v1.0.20200712 released

[Jason A. Donenfeld]

On Sun, Jul 12, 2020 at 9:34 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>   * compat: SUSE 15.1 is the final SUSE we need to support
>
>   >=15.2 is in SUSE's kernel now. We'll be dropping 15.1 support in a
>   few weeks after people have had time to upgrade.

As said above, SUSE backported WireGuard into their kernel for 15.2,
both on the OpenSUSE variant and on their enterprise distro. This is
terrific news.

I'm considering making this compat module release the last release
that supports the now-old 15.1 release. `zypper update` automatically
puts people on 15.2, as far as I can tell, and it seems like the
general path for SUSE is to update. Plus, people who tend to use
WireGuard tend to like to update.

I put this in the git repo a few minutes ago:
https://git.zx2c4.com/wireguard-linux-compat/commit/?id=2a1b895ec2f529a75a6bc63fd5b6baee2b1735b3

If anybody thinks that 15.1 support would be worth preserving for more
releases (how many?), this would be the time to speak up. I'm happy to
have my presumptions about SUSE user update habits proved wrong and to
change course accordingly.

Jason

Re: [ANNOUNCE] wireguard-linux-compat v1.0.20200712 released

[Luca Beltrame]

[-- Attachment #1: Type: text/plain, Size: 365 bytes --]

Il giorno Sun, 12 Jul 2020 22:06:06 -0600
"Jason A. Donenfeld" <Jason@zx2c4.com> ha scritto:

> If anybody thinks that 15.1 support would be worth preserving for more
> releases (how many?), this would be the time to speak up. I'm happy to

15.1 will be EOL in November. So probably worth supporting until then?


-- 
Luca Beltrame
GPG key ID: A29D259B

[-- Attachment #2: Firma digitale OpenPGP --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [ANNOUNCE] wireguard-linux-compat v1.0.20200712 released

[Samu Voutilainen]

[-- Attachment #1: Type: text/plain, Size: 1800 bytes --]

Hi,

For SLE, 15.1 will be supported until 6 months after 15.2 release (so until 
next January/February), with long term support probably going to at least year 
2023. Personally, I plan to upgrade to 15.2 pretty soon after the release.

For distribution upgrades, “zypper dist-upgrade” is required, or for SLE, 
”zypper migration”, i.e. it’s not part of the normal update flow. This might 
be a problem in enterprise setups, but I doubt there is many who would have 
unofficial Wireguard there. 

Jason A. Donenfeld kirjoitti maanantaina 13. heinäkuuta 2020 7.06.06 EEST:
> On Sun, Jul 12, 2020 at 9:34 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> >   * compat: SUSE 15.1 is the final SUSE we need to support
> >   
> >   >=15.2 is in SUSE's kernel now. We'll be dropping 15.1 support in a
> >   
> >   few weeks after people have had time to upgrade.
> 
> As said above, SUSE backported WireGuard into their kernel for 15.2,
> both on the OpenSUSE variant and on their enterprise distro. This is
> terrific news.
> 
> I'm considering making this compat module release the last release
> that supports the now-old 15.1 release. `zypper update` automatically
> puts people on 15.2, as far as I can tell, and it seems like the
> general path for SUSE is to update. Plus, people who tend to use
> WireGuard tend to like to update.
> 
> I put this in the git repo a few minutes ago:
> https://git.zx2c4.com/wireguard-linux-compat/commit/?id=2a1b895ec2f529a75a6b
> c63fd5b6baee2b1735b3
> 
> If anybody thinks that 15.1 support would be worth preserving for more
> releases (how many?), this would be the time to speak up. I'm happy to
> have my presumptions about SUSE user update habits proved wrong and to
> change course accordingly.
> 
> Jason


[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 488 bytes --]