Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

wireguard-tools: 0.0.20191127 -> 0.0.20191212 #75565

Merged
merged 1 commit into from Dec 14, 2019
Merged

wireguard-tools: 0.0.20191127 -> 0.0.20191212 #75565

merged 1 commit into from Dec 14, 2019

Conversation

d-xo
Copy link
Contributor

@d-xo d-xo commented Dec 12, 2019

Motivation for this change

new snapshot: https://lists.zx2c4.com/pipermail/wireguard/2019-December/004764.html

This snapshot includes support for (and prefers) nftables as part of wg-quck's CVE-2019-14899 mitigations. I stuck with the existing iptables integration for the nix package because that's what we use in nixos, but I'm wondering how that interacts with nix installed on other distributions (e.g Fedora defaults to nftables now)?

nix-review wip passes for all kernels exept linux-libre-latest.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @elseym @ericsagnes @Mic92 @zx2c4 @globin @Ma27

@zx2c4
Copy link
Contributor

zx2c4 commented Dec 12, 2019

The dependencies/wrapped programs should now be "nftables OR iptables".

@ofborg ofborg bot requested review from globin, Ma27, elseym and Mic92 December 12, 2019 15:15
ivan
ivan approved these changes Dec 14, 2019
View reviewed changes
Copy link
Member

@ivan ivan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested on NixOS master and it appears to work fine

@Ma27
Copy link
Member

Ma27 commented Dec 14, 2019

@GrahamcOfBorg test wireguard

@zx2c4
Copy link
Contributor

zx2c4 commented Dec 14, 2019
edited

Please remember to update the iptables||nftables dependency.

@ivan did you approve this prematurely?

jonringer
jonringer approved these changes Dec 14, 2019
View reviewed changes
Copy link
Contributor

@jonringer jonringer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

diff LGTM
wireguard-tools executables seem to work
nixos test passes

linuxPackages-libre version is broken on master with same error, I don't consider this a regression

[16 built (1 failed), 30 copied (2281.0 MiB), 1078.0 MiB DL]
error: build of '/nix/store/vdn11nyx66rnkwa5v55gjfysyzzaji6w-env.drv' failed
https://github.com/NixOS/nixpkgs/pull/75565
2 package are marked as broken and were skipped:
linuxPackages_hardkernel_4_14.wireguard linuxPackages_hardkernel_latest.wireguard

1 package failed to build:
linuxPackages_latest-libre.wireguard

14 package were built:
linuxPackages-libre.wireguard linuxPackages.wireguard linuxPackages_4_14.wireguard linuxPackages_4_4.wireguard linuxPackages_4_9.wireguard linuxPackages_5_3.wireguard linuxPackages_5_4.wireguard linuxPackages_hardened.wireguard linuxPackages_latest_hardened.wireguard linuxPackages_latest_xen_dom0.wireguard linuxPackages_testing_bcachefs.wireguard linuxPackages_testing_hardened.wireguard linuxPackages_xen_dom0.wireguard wireguard-tools

@Mic92
Copy link
Member

Mic92 commented Dec 14, 2019
edited

Regarding nftables: Nix only has fixed dependencies for packages, there is no either/or without moving the PATH wrapper outside of the package itself. However I don't consider that a practical problem for nftables user on NixOS. If they use the nftables module (https://nixos.org/nixos/options.html#networking.nftables.enable) than they will have nft in $PATH. For non-NixOS nix user the userland tools are not a good option anyway: Since the kernel modules have to be installed from their distribution package manager, they should install wireguard-tools using the same to match the version.

@Mic92 Mic92 merged commit 259139f into NixOS:master Dec 14, 2019
@d-xo d-xo deleted the wg-tools-20191212 branch January 8, 2020 15:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ivan ivan ivan approved these changes

@jonringer jonringer jonringer approved these changes

@globin globin Awaiting requested review from globin

@Ma27 Ma27 Awaiting requested review from Ma27

@elseym elseym Awaiting requested review from elseym

@Mic92 Mic92 Awaiting requested review from Mic92

Assignees
No one assigned
Labels
10.rebuild-darwin: 1-10 10.rebuild-linux: 11-100
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@d-xo @zx2c4 @Ma27 @Mic92 @ivan @jonringer