Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add namespace support to Wireguard module #71510

Merged
merged 1 commit into from
Nov 14, 2019
Merged

Add namespace support to Wireguard module #71510

merged 1 commit into from
Nov 14, 2019
+136 −11

Conversation

asymmetric
Copy link
Contributor

@asymmetric asymmetric commented Oct 21, 2019
edited
Loading

Motivation for this change

Adds support for creating a Wireguard interface in a network namesapce, or moving it post-creation.

inspired by this unmerged PR, which only allowed specifying a destination namespace to move the Wireguard interface to, whereas this PR also allows specifying where the interface should be created in the first place, so that both the usecases outlined here can be supported.

Things to note:

  • Does note create the network namespaces (must be created/removed separately in Pre/Post directives)
  • Special-cases the init string to mean "move the interface back to the init namespace"
  • Defaults for both new option mean: create interface in init namespace, and don't move it
  • No additional tests. Happy to write some, but wanted to receive feedback on the general approach first. Tests added.
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @fpletz @Mic92 @globin @zx2c4

Sorry, something went wrong.

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Oct 21, 2019
@d-xo
Copy link
Contributor

d-xo commented Oct 21, 2019

Tested on nixos-unstable (cherry-picked onto 1c40ee6fc44f7eb474c69ea070a43247a1a2c83c).

I am successfully using this PR to spawn a wireguard device with the socket end in a "physical" namespace, and the interface end in the "init" namespace as described here.

endocrimes
endocrimes approved these changes Oct 23, 2019
View reviewed changes
Copy link
Member

@endocrimes endocrimes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This works for me on nixos-unstable - thanks for this! - I was looking at adding it myself sometime this weekend.

@Mic92
Copy link
Member

Mic92 commented Oct 23, 2019

cc @zx2c4 regarding user-interface & documentation of this feature.

fpletz
fpletz reviewed Oct 23, 2019
View reviewed changes
Copy link
Member

@fpletz fpletz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Haven't tested it yet but the implementation and the configuration interface looks straightforward and understandable to me.

@asymmetric asymmetric force-pushed the wg-ns branch 7 times, most recently from bd02f68 to 0cfcea6 Compare November 2, 2019 15:17
@asymmetric
Copy link
Contributor Author

Added a few tests around namespaces.

@asymmetric
wireguard: add creation and destination namespaces

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
412f6a9 
The two new options make it possible to create the interface in one namespace
and move it to a different one, as explained at https://www.wireguard.com/netns/.
@asymmetric
Copy link
Contributor Author

Renamed the options:

  • creationNamespace -> socketNamespace
  • destinationNamespace -> interfaceNamespace

The naming comes from @zx2c4 himself, and trades visual descriptiveness for technical accuracy.

@fpletz fpletz merged commit e848401 into NixOS:master Nov 14, 2019
@fpletz fpletz mentioned this pull request Nov 14, 2019
Closed
10 tasks
@asymmetric asymmetric deleted the wg-ns branch November 14, 2019 09:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fpletz fpletz

@endocrimes endocrimes

@0x4A6F 0x4A6F

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@asymmetric @d-xo @Mic92 @fpletz @endocrimes @0x4A6F