Development discussion of WireGuard
* [patch] wg: add support for peer names using a file in userspace
@ 2017-12-07 15:31 Lonnie Abelbeck
  2017-12-08  4:23 ` Jason A. Donenfeld
  0 siblings, 1 reply; 10+ messages in thread
From: Lonnie Abelbeck @ 2017-12-07 15:31 UTC (permalink / raw)
  To: WireGuard mailing list

[-- Attachment #1: Type: text/plain, Size: 437 bytes --]

Enclosed is a patch: wg: add support for peer names using a file in userspace

Disabled by default, build with WITH_PEERDATA=yes to enable peer name support.

Config [Peer] sections can optionally be [Peer-custom_name] with "show" and "showconf"
displaying the "peer-custom_name" label.  Spaces are ignored.

The data file location is PEERDATAFILE, which defaults to /var/run/wg.peerdata

Comments are appreciated.

Lonnie


[-- Attachment #2: 0001-wg-add-support-for-peer-names.patch --]
[-- Type: application/octet-stream, Size: 9240 bytes --]

From 02eb8daf8c158700a94cec894434dce629962483 Mon Sep 17 00:00:00 2001
From: Lonnie Abelbeck <lonnie@abelbeck.com>
Date: Thu, 7 Dec 2017 09:07:34 -0600
Subject: [PATCH 1/1] wg: add support for peer names using a file in userspace

Disabled by default, build with WITH_PEERDATA=yes to enable peer name support.

Config [Peer] sections can optionally be [Peer-custom_name] with show and showconf
displaying the peer-custom_name label.  Spaces are ignored.

The data file location is PEERDATAFILE, which defaults to /var/run/wg.peerdata
---
 src/tools/Makefile   |   5 +++
 src/tools/config.c   |  33 +++++++++++++++-
 src/tools/peerdata.c | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++
 src/tools/peerdata.h |  20 ++++++++++
 src/tools/show.c     |   7 ++++
 src/tools/showconf.c |   6 +++
 6 files changed, 173 insertions(+), 2 deletions(-)
 create mode 100644 src/tools/peerdata.c
 create mode 100644 src/tools/peerdata.h

diff --git a/src/tools/Makefile b/src/tools/Makefile
index e277b2f..761ee2a 100644
--- a/src/tools/Makefile
+++ b/src/tools/Makefile
@@ -12,9 +12,11 @@ MANDIR ?= $(PREFIX)/share/man
 BASHCOMPDIR ?= $(PREFIX)/share/bash-completion/completions
 SYSTEMDUNITDIR ?= $(shell $(PKG_CONFIG) --variable=systemdsystemunitdir systemd 2>/dev/null || echo "$(PREFIX)/lib/systemd/system")
 RUNSTATEDIR ?= /var/run
+PEERDATAFILE ?= /var/run/wg.peerdata
 WITH_BASHCOMPLETION ?=
 WITH_WGQUICK ?=
 WITH_SYSTEMDUNITS ?=
+WITH_PEERDATA ?=
 
 ifeq ($(WITH_BASHCOMPLETION),)
 ifneq ($(strip $(wildcard $(BASHCOMPDIR))),)
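Review bot: The default on the added `PEERDATAFILE ?= /var/run/wg.peerdata` line hard-codes the directory that `RUNSTATEDIR` already names one line above, so a build that overrides RUNSTATEDIR still puts the peer data file under /var/run. Deriving it keeps the two in step: `PEERDATAFILE ?= $(RUNSTATEDIR)/wg.peerdata`. Because wg(8) creates and deletes this file at run time, a short comment saying the directory must be writable only by the user that runs wg would also help packagers who override the path.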
@@ -40,6 +42,9 @@ CFLAGS += -std=gnu11 -D_GNU_SOURCE
 CFLAGS += -Wall -Wextra
 CFLAGS += -MMD -MP
 CFLAGS += -DRUNSTATEDIR="\"$(RUNSTATEDIR)\""
+ifeq ($(WITH_PEERDATA),yes)
+CFLAGS += -DPEERDATA -DPEERDATAFILE="\"$(PEERDATAFILE)\""
+endif
 ifeq ($(DEBUG_TOOLS),y)
 CFLAGS += -g
 endif
diff --git a/src/tools/config.c b/src/tools/config.c
index 1fddb64..6077a6b 100644
--- a/src/tools/config.c
+++ b/src/tools/config.c
@@ -19,6 +19,7 @@
 #include "containers.h"
 #include "ipc.h"
 #include "encoding.h"
+#include "peerdata.h"
 
 #define COMMENT_CHAR '#'
 
@@ -358,7 +359,13 @@ static bool process_line(struct config_ctx *ctx, const char *line)
 		ctx->is_device_section = true;
 		return true;
 	}
+#ifdef PEERDATA
+	static char peer_name[WG_PEERDATA_MAXLEN];
+	bool is_peername = !strncasecmp(line, "[Peer-", 6) && line[strlen(line) - 1] == ']';
+	if (!strcasecmp(line, "[Peer]") || is_peername) {
+#else
 	if (!strcasecmp(line, "[Peer]")) {
+#endif
 		struct wgpeer *new_peer = calloc(1, sizeof(struct wgpeer));
 
 		if (!new_peer) {
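Review bot: `static char peer_name[WG_PEERDATA_MAXLEN]` keeps the pending name in function-static storage instead of in the parse context, so it is shared by every `struct config_ctx` and is only cleared when a `PublicKey` line is parsed. A named section that ends (or fails) before its `PublicKey` leaves the name set, and if the process ever parses another config the name would attach to an unrelated peer. A field in `struct config_ctx` (declared outside this diff), reset in `config_read_init()`, would scope it correctly. The `line[strlen(line) - 1]` index is safe only because the `strncasecmp` test short-circuits first; a comment saying so would guard against a later reorder. process_line's body continues outside the hunk.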
@@ -374,6 +381,15 @@ static bool process_line(struct config_ctx *ctx, const char *line)
 		ctx->is_peer_section = true;
 		ctx->is_device_section = false;
 		ctx->last_peer->flags |= WGPEER_REPLACE_ALLOWEDIPS;
+#ifdef PEERDATA
+		if (is_peername) {
+			strncpy(peer_name, line + 6, WG_PEERDATA_MAXLEN);	/* jump over "[Peer-" */
+			peer_name[WG_PEERDATA_MAXLEN - 1] = '\0';
+			peer_name[strlen(peer_name) - 1] = '\0';			/* overwrite last character ']' */
+		} else {
+			peer_name[0] = '\0';
+		}
+#endif
 		return true;
 	}
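Review bot: The name is copied out of the section header with no check on its bytes, and it is later printed by `terminal_printf` in show.c and `printf` in showconf.c, so control characters present in the config file or in the data file would reach the terminal unchanged. Whether `config_read_line()` already filters them is not visible in this diff; if it does not, reject the section here, e.g. `for (const char *p = peer_name; *p; ++p) if (!isprint((unsigned char)*p)) return false;` (needs `<ctype.h>`, and assumes `false` is how this function reports a bad line). Separately, when the header is longer than the buffer the `strncpy` truncation has already dropped the `]`, so `peer_name[strlen(peer_name) - 1] = '\0'` removes a character of the name instead; checking the length and rejecting over-long names would be clearer than silent truncation.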
 
@@ -395,8 +411,17 @@ static bool process_line(struct config_ctx *ctx, const char *line)
 			ret = parse_endpoint(&ctx->last_peer->endpoint.addr, value);
 		else if (key_match("PublicKey")) {
 			ret = parse_key(ctx->last_peer->public_key, value);
-			if (ret)
+			if (ret) {
 				ctx->last_peer->flags |= WGPEER_HAS_PUBLIC_KEY;
+#ifdef PEERDATA
+				if (peer_name[0]) {
+					static char base64[WG_KEY_LEN_BASE64];
+					key_to_base64(base64, ctx->last_peer->public_key);
+					file_put_peerdata(base64, "name", peer_name);
+					peer_name[0] = '\0';
+				}
+#endif
+			}
 		} else if (key_match("AllowedIPs"))
 			ret = parse_allowedips(ctx->last_peer, &ctx->last_allowedip, value);
 		else if (key_match("PersistentKeepalive"))
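Review bot: The result of `file_put_peerdata()` is dropped, so a failed write leaves the peer configured but unnamed with only a perror line as a trace; at minimum check it, e.g. `if (!file_put_peerdata(base64, "name", peer_name)) fprintf(stderr, "Unable to record peer name\n");`. The write also happens while the file is still being parsed, so a later parse error would leave names on disk for a configuration that may never be applied (the apply step is outside this diff). On the append path nothing removes old entries and `file_get_peerdata()` returns the first match, so re-adding a peer under a new name would keep showing the old one. `base64` does not need to be `static`.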
@@ -455,8 +480,12 @@ bool config_read_init(struct config_ctx *ctx, bool append)
 		perror("calloc");
 		return false;
 	}
-	if (!append)
+	if (!append) {
 		ctx->device->flags |= WGDEVICE_REPLACE_PEERS | WGDEVICE_HAS_PRIVATE_KEY | WGDEVICE_HAS_FWMARK | WGDEVICE_HAS_LISTEN_PORT;
+#ifdef PEERDATA
+		file_init_peerdata();
+#endif
+	}
 	return true;
 }
 
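Review bot: `file_init_peerdata()` deletes the single global data file on every non-append read, but nothing in the record format ties an entry to an interface, so loading a config for one interface would discard the names recorded for peers on every other interface. Its `bool` result is also ignored. Either keep one file per interface (the interface name would have to be passed in; it is not available in this function as shown) or add the interface as a field of each record and rewrite only the matching lines. config_read_init's body starts outside the hunk.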
diff --git a/src/tools/peerdata.c b/src/tools/peerdata.c
new file mode 100644
index 0000000..9bd7871
--- /dev/null
+++ b/src/tools/peerdata.c
@@ -0,0 +1,104 @@
+/* SPDX-License-Identifier: GPL-2.0
+ *
+ * Copyright (C) 2015-2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ */
+
+#ifdef PEERDATA
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include "peerdata.h"
+
+bool file_init_peerdata(void)
+{
+	FILE *f;
+	bool ret = true;
+
+	f = fopen(WG_PEERDATA_FILE, "r");
+	if (f) {
+		fclose(f);
+		if (remove(WG_PEERDATA_FILE)) {
+			perror("remove");
+			ret = false;
+		}
+	}
+	return ret;
+}
+
+bool file_put_peerdata(const char *pubkey, const char *type, const char *data)
+{
+	FILE *f;
+	char *buffer;
+	size_t buffer_len = strlen(pubkey) + strlen(type) + strlen(data) + 4;
+	bool ret = false;
+
+	f = fopen(WG_PEERDATA_FILE, "a");
+	if (!f) {
+		perror("fopen");
+		return false;
+	}
+
+	buffer = calloc(buffer_len, sizeof(char));
+	if (!buffer) {
+		perror("calloc");
+		fclose(f);
+		return false;
+	}
+
+	snprintf(buffer, buffer_len, "%s,%s,%s\n", pubkey, type, data);
+	if (fwrite(buffer, strlen(buffer), 1, f) != 1) {
+		if (errno) {
+			perror("fwrite");
+		}
+		goto out;
+	}
+	ret = true;
+
+out:
+	fclose(f);
+	free(buffer);
+	return ret;
+}
+
+char *file_get_peerdata(const char *pubkey, const char *type)
+{
+	static char data[WG_PEERDATA_MAXLEN];
+	char *data_rtn = NULL;
+	FILE *f;
+	char *buffer = NULL;
+	size_t buffer_len = 0;
+	char *line, *token;
+
+	f = fopen(WG_PEERDATA_FILE, "r");
+	if (!f) {
+		return NULL;
+	}
+
+	while (getline(&buffer, &buffer_len, f) >= 0) {
+		line = buffer;
+		if ((token = strsep(&line, ","))) {
+			if (!strcmp(token, pubkey)) {
+				if ((token = strsep(&line, ","))) {
+					if (!strcmp(token, type)) {
+						if ((token = strsep(&line, "\n"))) {
+							strncpy(data, token, WG_PEERDATA_MAXLEN);
+							data[WG_PEERDATA_MAXLEN - 1] = '\0';
+							data_rtn = data;
+							goto out;
+						}
+					}
+				}
+			}
+		}
+	}
+
+out:
+	fclose(f);
+	free(buffer);
+	return data_rtn;
+}
+
+#endif
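Review bot: `file_put_peerdata()` creates the data file with `fopen(..., "a")`, which follows a symlink at the final path component and takes its mode from the umask; wg normally runs as root, so if `PEERDATAFILE` is ever pointed at a directory other users can write to, this becomes a root-owned append to a path they control. Opening with `open()` and `O_NOFOLLOW`, an explicit mode and `O_CLOEXEC` removes that dependency on the build-time path (needs `<fcntl.h>` and `<unistd.h>`), and writing with `dprintf` removes the temporary buffer and the `errno` test, which was never reset before `fwrite`. `file_init_peerdata()` can likewise drop the `fopen` probe and call `unlink()` directly, treating `ENOENT` as success.

```c
bool file_put_peerdata(const char *pubkey, const char *type, const char *data)
{
	/* Refuse to follow a symlink at the final component; do not rely on the umask. */
	int fd = open(WG_PEERDATA_FILE,
		      O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);

	if (fd < 0) {
		perror("open");
		return false;
	}
	if (dprintf(fd, "%s,%s,%s\n", pubkey, type, data) < 0) {
		perror("dprintf");
		close(fd);
		return false;
	}
	if (close(fd) < 0) {
		perror("close");
		return false;
	}
	return true;
}
```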
diff --git a/src/tools/peerdata.h b/src/tools/peerdata.h
new file mode 100644
index 0000000..42380f0
--- /dev/null
+++ b/src/tools/peerdata.h
@@ -0,0 +1,20 @@
+/* SPDX-License-Identifier: GPL-2.0
+ *
+ * Copyright (C) 2015-2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ */
+
+#ifndef PEERDATA_H
+#define PEERDATA_H
+
+#ifdef PEERDATA
+#define WG_PEERDATA_FILE PEERDATAFILE
+#define WG_PEERDATA_MAXLEN 64
+
+#include <stdbool.h>
+
+bool file_init_peerdata(void);
+bool file_put_peerdata(const char *pubkey, const char *type, const char *data);
+char *file_get_peerdata(const char *pubkey, const char *type);
+#endif
+
+#endif
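Review bot: The three prototypes carry no comments, and `file_get_peerdata()` has a contract callers need to know: in peerdata.c it returns a pointer to a function-static buffer that the next call overwrites, and it returns NULL both when no entry matches and when the file cannot be opened. A comment such as `/* Returns a pointer to a static buffer (overwritten by the next call), or NULL if no entry is found or the file cannot be read. */` above the declaration would record that. `WG_PEERDATA_MAXLEN` counts the terminating NUL, so stored names are limited to 63 bytes; saying so next to the define avoids an off-by-one in later callers.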
diff --git a/src/tools/show.c b/src/tools/show.c
index c5be788..bb37463 100644
--- a/src/tools/show.c
+++ b/src/tools/show.c
@@ -21,6 +21,7 @@
 #include "terminal.h"
 #include "encoding.h"
 #include "subcommands.h"
+#include "peerdata.h"
 
 static int peer_cmp(const void *first, const void *second)
 {
@@ -222,7 +223,13 @@ static void pretty_print(struct wgdevice *device)
 		terminal_printf("\n");
 	}
 	for_each_wgpeer(device, peer) {
+#ifdef PEERDATA
+		char *pubkey = key(peer->public_key);
+		char *peerdata = file_get_peerdata(pubkey, "name");
+		terminal_printf(TERMINAL_FG_YELLOW TERMINAL_BOLD "peer%s%s" TERMINAL_RESET ": " TERMINAL_FG_YELLOW "%s" TERMINAL_RESET "\n", (peerdata ? "-" : ""), (peerdata ? peerdata : ""), pubkey);
+#else
 		terminal_printf(TERMINAL_FG_YELLOW TERMINAL_BOLD "peer" TERMINAL_RESET ": " TERMINAL_FG_YELLOW "%s" TERMINAL_RESET "\n", key(peer->public_key));
+#endif
 		if (peer->flags & WGPEER_HAS_PRESHARED_KEY)
 			terminal_printf("  " TERMINAL_BOLD "preshared key" TERMINAL_RESET ": %s\n", masked_key(peer->preshared_key));
 		if (peer->endpoint.addr.sa_family == AF_INET || peer->endpoint.addr.sa_family == AF_INET6)
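Review bot: `file_get_peerdata()` is called once per peer inside `for_each_wgpeer`, and each call reopens the data file and scans it from the start, so the work grows with peers times lines; the loop in showconf.c has the same pattern. Reading the file once before the loop into a small table keyed by public key would avoid that, and would also give one consistent view of the file if another wg invocation rewrites it during the listing. pretty_print's body starts and ends outside the hunk.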
diff --git a/src/tools/showconf.c b/src/tools/showconf.c
index 2e3fbd4..443bccc 100644
--- a/src/tools/showconf.c
+++ b/src/tools/showconf.c
@@ -16,6 +16,7 @@
 #include "encoding.h"
 #include "ipc.h"
 #include "subcommands.h"
+#include "peerdata.h"
 
 int showconf_main(int argc, char *argv[])
 {
@@ -48,7 +49,12 @@ int showconf_main(int argc, char *argv[])
 	printf("\n");
 	for_each_wgpeer(device, peer) {
 		key_to_base64(base64, peer->public_key);
+#ifdef PEERDATA
+		char *peerdata = file_get_peerdata(base64, "name");
+		printf("[Peer%s%s]\nPublicKey = %s\n", (peerdata ? "-" : ""), (peerdata ? peerdata : ""), base64);
+#else
 		printf("[Peer]\nPublicKey = %s\n", base64);
+#endif
 		if (peer->flags & WGPEER_HAS_PRESHARED_KEY) {
 			key_to_base64(base64, peer->preshared_key);
 			printf("PresharedKey = %s\n", base64);
-- 
1.8.3.1


[-- Attachment #3: Type: text/plain, Size: 2 bytes --]





* Re: [patch] wg: add support for peer names using a file in userspace
  2017-12-07 15:31 [patch] wg: add support for peer names using a file in userspace Lonnie Abelbeck
@ 2017-12-08  4:23 ` Jason A. Donenfeld
  2017-12-08  4:26   ` Jason A. Donenfeld
  2017-12-08 13:42   ` [patch] " Lonnie Abelbeck
  0 siblings, 2 replies; 10+ messages in thread
From: Jason A. Donenfeld @ 2017-12-08  4:23 UTC (permalink / raw)
  To: Lonnie Abelbeck; +Cc: WireGuard mailing list

Hi Lonnie,

Thanks for sending this to the mailing list. Indeed it got lost in the
fold of disorganized email filters when you sent it to me directly
twice earlier; sorry about that.

I'm not certain this is the right approach -- having wg(8) rely on
fixed filesystem paths, and splitting peer configuration information
across three places (original config file, peer data file, kernel).

I think the way forward for this kind of feature would be what I
proposed in an earlier thread, of attaching it to the kernel object,
just like ifalias does or netfilter's comment target. However, the
question I'm still faced with is -- is this really necessary? I
understand that it's _cool_, and adding bells and whistles is fun and
exciting, but I wonder if there is a complete system that would actually
benefit from having this that wouldn't already have a better place to
do it?

Jason


* Re: [patch] wg: add support for peer names using a file in userspace
  2017-12-08  4:23 ` Jason A. Donenfeld
@ 2017-12-08  4:26   ` Jason A. Donenfeld
  2017-12-08 13:42   ` [patch] " Lonnie Abelbeck
  1 sibling, 0 replies; 10+ messages in thread
From: Jason A. Donenfeld @ 2017-12-08  4:26 UTC (permalink / raw)
  To: Lonnie Abelbeck; +Cc: WireGuard mailing list

By the way, would you send future patches using git-send-email? It's
impossible to review inline on a mailing list if you do an attachment
like this. Having opened the file after downloading it, the
implementation and configuration syntax you propose are problematic,
but in light of the more broad issues I mentioned a minute ago, I'm
not sure it's productive to start dialing down into those.


* Re: [patch] add support for peer names using a file in userspace
  2017-12-08  4:23 ` Jason A. Donenfeld
  2017-12-08  4:26   ` Jason A. Donenfeld
@ 2017-12-08 13:42   ` Lonnie Abelbeck
  2017-12-08 18:45     ` Jason A. Donenfeld
  1 sibling, 1 reply; 10+ messages in thread
From: Lonnie Abelbeck @ 2017-12-08 13:42 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list


On Dec 7, 2017, at 10:23 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> Thanks for sending this to the mailing list. Indeed it got lost in the
> fold of disorganized email filters when you sent it to me directly
> twice earlier; sorry about that.

The latest patch is reworked, disabled by default and requires WITH_PEERDATA=yes to be enabled.

> I'm not certain this is the right approach -- having wg(8) rely on
> fixed filesystem paths, and splitting peer configuration information
> across three places (original config file, peer data file, kernel).

I'm just trying to find a solution with traction.  My latest patch works perfectly fine on our Linux appliance, but alternate approaches could be a more general solution.

> I think the way forward for this kind of feature would be what I
> proposed in an earlier thread, of attaching it to the kernel object,
> just like ifalias does or netfilter's comment target. However, the
> question I'm still faced with is -- is this really necessary?

Yes, Jason, I think it is necessary.

Consider a GUI showing a list of peers that you can click on to edit; there needs to be some sort of human-memorable "name" associated with each peer.

Additionally, the "wg show" output is sorted by "handshake time" (a good thing), so remembering your peer config order does not help in identifying the peers.

While I would be happy with a compile-time option to support peer-names via a userspace file (per my patch), a kernel object would be better.

Suggested configuration syntax:

1) Support either [Peer] or [Peer-some_custom_name] in "wg setconf" configurations.

2) Make "wg showconf" parrot back any [Peer-some_custom_name] context names.

3) Make "wg show" display either "peer: orQ..." or "peer-some_custom_name: orQ..."

4) Any spaces in the "some_custom_name" text are ignored and truncated to 64 characters.

Thanks for your consideration.

Lonnie


* Re: [patch] add support for peer names using a file in userspace
  2017-12-08 13:42   ` [patch] " Lonnie Abelbeck
@ 2017-12-08 18:45     ` Jason A. Donenfeld
  2017-12-08 19:00       ` Lonnie Abelbeck
  2018-03-01 15:36       ` Damian Kaczkowski
  0 siblings, 2 replies; 10+ messages in thread
From: Jason A. Donenfeld @ 2017-12-08 18:45 UTC (permalink / raw)
  To: Lonnie Abelbeck; +Cc: WireGuard mailing list

Hi Lonnie,

On Fri, Dec 8, 2017 at 2:42 PM, Lonnie Abelbeck
<lists@lonnie.abelbeck.com> wrote:
> The latest patch is reworked, disabled by default and requires WITH_PEERDATA=yes to be enabled.

Compile time switches for something that doesn't add a dependency?
Sounds like a bad idea, leading to all sorts of coderot and bloat down
the road.

> Yes, Jason, I think it is necessary.
>
> Consider a GUI showing a list of peers that you can click on to edit, there needs some sort of human-memerable "name" associated with each peer.

In this case, why wouldn't the GUI management logic handle this? Why
does this kind of thing need to be in the tiny building block tool,
wg(8)? This is a great example of a complete system where it perhaps
doesn't make sense to put it in wg(8).

> Additionally, the "wg show" output is sorted by "handshake time" (a good thing), so remembering your peer config order does not help identifying the peers.

That's a good reason, actually.

> While I would be happy with a compile-time option to support peer-names via a userspace file (per my patch), a kernel object would be better.

Noted, okay.

> 1) Support either [Peer] or [Peer-some_custom_name] in "wg setconf" configurations.
>
> 2) Make "wg showconf" parrot back any [Peer-some_custom_name] context names.

Absolutely not. If something like this lands, it will be called
"Description=" or the like, as another attribute of a peer. There's no
reason to make the section parser more complicated, when this is
essentially just another key value.

> 3) Make "wg show" display either "peer: orQ..." or "peer-some_custom_name: orQ..."
>
> 4) Any spaces in the "some_custom_name" text are ignored and truncated to 64 characters.

Yikes. I'm inclined to make Description or the like follow whatever
other plaintext rules the netfilter comment stuff has, not something
restrictive like "no spaces".

Jason


* Re: [patch] add support for peer names using a file in userspace
  2017-12-08 18:45     ` Jason A. Donenfeld
@ 2017-12-08 19:00       ` Lonnie Abelbeck
  2017-12-08 20:39         ` Jason A. Donenfeld
  2018-03-01 15:36       ` Damian Kaczkowski
  1 sibling, 1 reply; 10+ messages in thread
From: Lonnie Abelbeck @ 2017-12-08 19:00 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list


On Dec 8, 2017, at 12:45 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

>
>> 3) Make "wg show" display either "peer: orQ..." or "peer-some_custom_name: orQ..."
>>
>> 4) Any spaces in the "some_custom_name" text are ignored and truncated to 64 characters.
>
> Yikes. I'm inclined to make Description or the like follow whatever
> other plaintext rules the netfilter comment stuff has, not something
> restrictive like "no spaces".

I suggested "no spaces" since currently all spaces are stripped in config_read_line()

https://git.zx2c4.com/WireGuard/tree/src/tools/config.c#n434

Lonnie


* Re: [patch] add support for peer names using a file in userspace
  2017-12-08 19:00       ` Lonnie Abelbeck
@ 2017-12-08 20:39         ` Jason A. Donenfeld
  2017-12-09  1:09           ` Eric Light
  0 siblings, 1 reply; 10+ messages in thread
From: Jason A. Donenfeld @ 2017-12-08 20:39 UTC (permalink / raw)
  To: Lonnie Abelbeck; +Cc: WireGuard mailing list

[-- Attachment #1: Type: text/plain, Size: 355 bytes --]

On Dec 8, 2017 14:00, "Lonnie Abelbeck" <lists@lonnie.abelbeck.com> wrote:


On Dec 8, 2017, at 12:45 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

I suggested "no spaces"  since currently all spaces are stripped in
config_read_line()


Oh, okay. It's that way mostly out of my own laziness. I wouldn't object to
making that into a real parser though.

[-- Attachment #2: Type: text/html, Size: 809 bytes --]


* Re: [patch] add support for peer names using a file in userspace
  2017-12-08 20:39         ` Jason A. Donenfeld
@ 2017-12-09  1:09           ` Eric Light
  2017-12-09 11:32             ` Matthias Urlichs
  0 siblings, 1 reply; 10+ messages in thread
From: Eric Light @ 2017-12-09  1:09 UTC (permalink / raw)
  To: wireguard

[-- Attachment #1: Type: text/plain, Size: 1229 bytes --]

For what it's worth, I agree with Lonnie that *something* is necessary.
That said, I don't feel it makes sense in the context of [Peer-
why_would_this_go_here_its_very_strange].
Having it as an attribute of the peer makes sense to me (e.g.
"Description=")... the name really IS an attribute of a peer.
The question is, is wg(8) the right place to put this?  I think so, but
only by virtue of the fact that I can't think of anywhere more
appropriate to put it.
Hope that feedback is worth at least two cents  :)

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es



On Sat, 9 Dec 2017, at 09:39, Jason A. Donenfeld wrote:
> 
> 
> On Dec 8, 2017 14:00, "Lonnie Abelbeck"
> <lists@lonnie.abelbeck.com> wrote:>> 
>> On Dec 8, 2017, at 12:45 PM, Jason A. Donenfeld
>> <Jason@zx2c4.com> wrote:>> 
>> I suggested "no spaces"  since currently all spaces are stripped in
>> config_read_line()> 
> Oh, okay. It's that way mostly out of my own laziness. I wouldn't
> object to making that into a real parser though.> _________________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard


[-- Attachment #2: Type: text/html, Size: 2459 bytes --]


* Re: [patch] add support for peer names using a file in userspace
  2017-12-09  1:09           ` Eric Light
@ 2017-12-09 11:32             ` Matthias Urlichs
  0 siblings, 0 replies; 10+ messages in thread
From: Matthias Urlichs @ 2017-12-09 11:32 UTC (permalink / raw)
  To: wireguard

[-- Attachment #1: Type: text/plain, Size: 749 bytes --]

On 09.12.2017 02:09, Eric Light wrote:
> For what it's worth, I agree with Lonnie that *something* is necessary.
>
> That said, I don't feel it makes sense in the context of
> [Peer-why_would_this_go_here_its_very_strange].
>
Well … I don't care whether it's named [Peer-foo] or [Peer_bar] or [Peer
baz], though the third option is most appealing IMHO.

I do however care a lot about not having multiple [Peer] sections in the
config file. Automated tools like Ansible cannot deal with
identically-tagged sections. This makes auto-updating my wireguard
configuration unnecessarily difficult.

Thus, if "wg showconf" is intended to output something that can be
reused, then the kernel needs to know about the peer's name.

-- 
-- Matthias Urlichs


[-- Attachment #2: Type: text/html, Size: 1410 bytes --]


* Re: [patch] add support for peer names using a file in userspace
  2017-12-08 18:45     ` Jason A. Donenfeld
  2017-12-08 19:00       ` Lonnie Abelbeck
@ 2018-03-01 15:36       ` Damian Kaczkowski
  1 sibling, 0 replies; 10+ messages in thread
From: Damian Kaczkowski @ 2018-03-01 15:36 UTC (permalink / raw)
  To: Jason A. Donenfeld, WireGuard mailing list

[-- Attachment #1: Type: text/plain, Size: 633 bytes --]

On 8 December 2017 at 19:45, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> Absolutely not. If something like this lands, it will be called
> "Description=" or the like, as another attribute of a peer. There's no
> reason to make the section parser more complicated, when this is
> essentially just another key value.


+1.
Description, Comment, or maybe Name would be handy.
I have more than 200 peers, and I am having a hard time checking peer status.
It would be nice to be able to do something like this:

wg | grep -A6 -B6 my_Description_or_Comment

Or maybe even simpler:

wg show peer by_Name

To show current status of selected peer.

[-- Attachment #2: Type: text/html, Size: 5540 bytes --]


end of thread, other threads:[~2018-03-01 15:36 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
2017-12-07 15:31 [patch] wg: add support for peer names using a file in userspace Lonnie Abelbeck
2017-12-08  4:23 ` Jason A. Donenfeld
2017-12-08  4:26   ` Jason A. Donenfeld
2017-12-08 13:42   ` [patch] " Lonnie Abelbeck
2017-12-08 18:45     ` Jason A. Donenfeld
2017-12-08 19:00       ` Lonnie Abelbeck
2017-12-08 20:39         ` Jason A. Donenfeld
2017-12-09  1:09           ` Eric Light
2017-12-09 11:32             ` Matthias Urlichs
2018-03-01 15:36       ` Damian Kaczkowski
