Development discussion of WireGuard
From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Matthias Urlichs <matthias@urlichs.de>,
	WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Host routes – ARP on wireguard interfaces?
Date: Mon, 03 Dec 2018 21:39:53 +0200	[thread overview]
Message-ID: <878t16jt6e.fsf@toke.dk> (raw)
In-Reply-To: <428b91e9-f3a1-c385-4663-79dcb74dc7f3@urlichs.de>

Matthias Urlichs <matthias@urlichs.de> writes:

> On 03.12.18 14:14, Toke Høiland-Jørgensen wrote:
>> I'm not sure I quite understand what it is you are trying to achieve;
>> why can't you just reconfigure the wireguard interface to route the IP
>> to the right peer?
>
> Because that (a) requires a new mechanism and (b) requires locking,
> because currently you can't atomically remove/add an address from/to a peer.
>
> For a "normal" interface I'd change the host route to whatever the
> nexthop to the real destination address is, and I'm *done*. That's one
> atomic "ip route replace" command (or its netlink equivalent). I've
> found a couple of HA management programs which can do that.
>
> For a wireguard interface I need to find the correct peer (by matching
> the real destination against all Allowed-IP entries), lock the peer
> against changes, read the Allowed-IP list, add the multihomed address,
> and write the list back. Before/after I do all of this I have to remove
> the multihomed address from whatever peer it was previously set to, so
> there's an indeterminate time during which the destination is either
> unreachable or random. The aforementioned HA managers have no idea what
> wireguard is, and their authors may or may not be interested in
> special-casing a still-somewhat-obscure network interface type.

I'm pretty sure you don't have to go through that whole dance. You can
just add the AllowedIP to the new peer, which Wireguard will interpret
as a 'move'.

That still leaves the 'new mechanism' complaint, of course. I'm not sure
it's quite trivial to have the kernel-side do what you want, though, so
it may not be something that is likely to show up. I have a similar
problem because I want to run routing protocols over wireguard; my plan
is to teach the Bird routing daemon about wg peers to resolve this...

-Toke
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
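The 'move' Toke describes, as an added Python model of WireGuard's cryptokey-routing table (not code from WireGuard, the kernel or this thread): each allowed-ip prefix has exactly one owning peer, so assigning it to the new peer replaces the old owner in one step, and outgoing traffic picks the peer by longest-prefix match. The peer names and addresses below are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional

# Assumed semantics, matching documented wg behaviour: an allowed-ip prefix
# belongs to exactly one peer per interface; assigning it to another peer
# moves it there, with no remove-then-add window.
class AllowedIPs:
    def __init__(self) -> None:
        self._owner: Dict[object, str] = {}  # prefix -> owning peer

    def add(self, peer: str, prefix: str) -> Optional[str]:
        """Assign `prefix` to `peer`; returns the previous owner, if any,
        which implicitly loses the prefix (the single-step 'move')."""
        net = ipaddress.ip_network(prefix, strict=False)
        previous = self._owner.get(net)
        self._owner[net] = peer  # one atomic write from the caller's view
        return previous

    def peers(self) -> Dict[str, List[str]]:
        """Per-peer allowed-ip lists, as `wg show <if> allowed-ips` prints."""
        out: Dict[str, List[str]] = {}
        for net, peer in self._owner.items():
            out.setdefault(peer, []).append(str(net))
        return out

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match: which peer an outgoing packet is sent to."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, peer in self._owner.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

def failover_demo() -> tuple:
    """Multihomed host route 10.0.0.42/32 fails over from peerA to peerB
    by a single add on peerB (constructed sample data)."""
    table = AllowedIPs()
    table.add("peerA", "10.0.1.0/24")
    table.add("peerB", "10.0.2.0/24")
    table.add("peerA", "10.0.0.42/32")          # service currently behind A
    before = table.lookup("10.0.0.42")
    moved_from = table.add("peerB", "10.0.0.42/32")  # the 'move'
    after = table.lookup("10.0.0.42")
    return before, moved_from, after, table.peers()
```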
