├── .gitattributes ├── README.building.md ├── README.md ├── images ├── PortGroup.png ├── WireGuardRule.png └── qrencode.png ├── releases └── README.md └── src ├── bases ├── linux-1.10.0-12.tar.gz ├── linux-1.10.0-8.tar.gz ├── linux-1.11.0.tar.gz ├── linux-1.9.0-10.tar.gz ├── linux-2.4.tar.gz ├── linux-udr-3.0.13.tar.gz ├── udm-1.10.0-12 │ ├── buildroot-config.txt │ ├── kernel-config │ ├── prefix │ └── versions.txt ├── udm-1.10.0-8 │ ├── buildroot-config.txt │ ├── kernel-config │ ├── prefix │ └── versions.txt ├── udm-1.11.0 │ ├── buildroot-config.txt │ ├── kernel-config │ ├── patches │ │ └── wireguard-linux-compat │ │ │ ├── 0001-exclude-skb_put_data-for-kernel-v4.4.198.patch │ │ │ ├── 0002-exclude-skb_put_data-for-kernel-v4.4.60.patch │ │ │ ├── 021-ubnt-reuse-addr-and-port-for-udp-tunnel.patch │ │ │ ├── 041-ubnt-protection-from-routing-loops.patch │ │ │ └── 099-ubnt-add-get-last-receive-timeout.patch │ ├── prefix │ └── versions.txt ├── udm-1.9.0-10 │ ├── buildroot-config.txt │ ├── kernel-config │ ├── linux-patches │ │ └── linux-0001-dtc-lexer.patch │ ├── prefix │ └── versions.txt ├── udm-2.4 │ ├── buildroot-config.txt │ ├── kernel-config │ ├── linux-patches │ │ └── linux-0001-localversion.patch │ ├── patches │ │ └── wireguard-linux-compat │ │ │ ├── 0001-exclude-skb_put_data-for-kernel-v4.4.198.patch │ │ │ ├── 0002-exclude-skb_put_data-for-kernel-v4.4.60.patch │ │ │ ├── 021-ubnt-reuse-addr-and-port-for-udp-tunnel.patch │ │ │ ├── 041-ubnt-protection-from-routing-loops.patch │ │ │ └── 099-ubnt-add-get-last-receive-timeout.patch │ ├── prefix │ └── versions.txt ├── udm-base-2.4 │ ├── buildroot-config.txt │ ├── kernel-config │ ├── linux-patches │ │ └── linux-0001-localversion.patch │ ├── patches │ │ └── wireguard-linux-compat │ │ │ ├── 0001-exclude-skb_put_data-for-kernel-v4.4.198.patch │ │ │ ├── 0002-exclude-skb_put_data-for-kernel-v4.4.60.patch │ │ │ ├── 021-ubnt-reuse-addr-and-port-for-udp-tunnel.patch │ │ │ ├── 041-ubnt-protection-from-routing-loops.patch │ │ │ └── 099-ubnt-add-get-last-receive-timeout.patch │ ├── prefix │ └── versions.txt └── udr-3.0.13 │ ├── buildroot-config.txt │ ├── kernel-config │ ├── patches │ └── wireguard-linux-compat │ │ ├── 0001-exclude-skb_put_data-for-kernel-v4.4.198.patch │ │ ├── 0002-exclude-skb_put_data-for-kernel-v4.4.60.patch │ │ ├── 021-ubnt-reuse-addr-and-port-for-udp-tunnel.patch │ │ ├── 041-ubnt-protection-from-routing-loops.patch │ │ └── 099-ubnt-add-get-last-receive-timeout.patch │ ├── prefix │ └── versions.txt ├── boot └── setup-wireguard.service ├── build-wireguard.sh ├── packages ├── bison │ └── 0001-bison-glibc-change-work-around.patch ├── dtc │ └── 0001-dtc-extern-yylloc.patch ├── gcc │ └── 6.4.0 │ │ └── 944-mpc-relative-literal-loads-logic-in-aarch64_classify_symbol.patch ├── m4 │ ├── 0001-m4-glibc-change-work-around.patch │ └── 0002-m4-fix-sigstksz.patch ├── openresolv │ ├── Config.in │ ├── openresolv.hash │ └── openresolv.mk ├── wireguard-linux-compat │ ├── Config.in │ ├── wireguard-linux-compat.hash │ └── wireguard-linux-compat.mk └── wireguard-tools │ ├── Config.in │ ├── wireguard-tools.hash │ └── wireguard-tools.mk ├── patches ├── 0001-add-kernel-4-19.patch ├── 0002-wireguard-packages.patch └── 0003-openresolv-package.patch └── wireguard ├── etc └── wireguard │ └── wg0.conf.sample ├── setup_wireguard.sh └── usr └── bin └── wg-quick /.gitattributes: -------------------------------------------------------------------------------- 1 | *.tar.gz filter=lfs diff=lfs merge=lfs -text 2 | -------------------------------------------------------------------------------- /README.building.md: -------------------------------------------------------------------------------- 1 | ## Building the Kernel Module 2 | 3 | 1. Make sure you have Git LFS installed on your system, which you will need to download the kernel sources. This is sometimes an extra package you have to download from your distro's package manager. Once you install it, make sure to run the following to install LFS: 4 | 5 | ```sh 6 | git lfs install 7 | ``` 8 | 9 | 2. Clone the wireguard-kmod repository onto your computer and cd into it. 10 | 11 | ```sh 12 | git clone https://github.com/tusc/wireguard-kmod.git 13 | cd wireguard-kmod/src 14 | ``` 15 | 16 | 3. Check that the UDM kernel sources downloaded correctly by examining that their file sizes are ~100MB+ each. 17 | 18 | ```sh 19 | ls -lh bases/*.tar.gz 20 | ``` 21 | 22 | * If the size is a few bytes instead of 100MB, then the kernel sources did not download correctly. This is most probably due to Git LFS not being installed or the LFS quota being exceeded. 23 | * If you are having trouble with Git LFS, you can try to download the files manually through the [GitHub web interface](https://github.com/tusc/wireguard-kmod/tree/main/src) or one of these mirrors: 24 | * https://drive.google.com/drive/folders/11CXRjaGsTSTqfs8LdXQ8YoA7tVY_OuHU 25 | * https://drive.google.com/drive/folders/1wa8HLSOVnSs6OLLCoyR-YEWIgyUzmvwk 26 | 27 | 4. The build is divided into multiple kernel bases, where each kernel base is used for multiple firmware versions. Add any custom versions you want to build to the `versions.txt` file in the correct base folder (for example `udm-`). 28 | 29 | * Your firmware version can be found by running `uname -r` on the UDM and taking the end `-vX.Y.Z.xxxx-yyyyyyy` suffix, where X.Y.Z is your UDM version. Look at the other `versions.txt` files for what it should look like. 30 | 31 | 5. Run `build-wireguard.sh` in this directory to build the wireguard module and utilities for each version in the `versions.txt` files. 32 | 33 | ```sh 34 | ./build-wireguard.sh 35 | ``` 36 | 37 | * This will take anywhere from 20 minutes to a couple of hours depending on the CPU power of your system. 38 | 39 | 6. If successful, you should find: 40 | 41 | * The newly built kernel modules and utilities under the `wireguard` directory in the current folder 42 | * A newly built tarball named `wireguard-kmod-MM-DD-YY.tar.Z` in the releases folder one directory up (`../releases`) that you can install on your UDM following the regular instructions in the [main README](https://github.com/tusc/wireguard-kmod/blob/main/README.md). 43 | * You can transfer the tarball or modules to your UDM using `scp`. For example, assuming your UDM is at 192.168.1.254, the following command will transfer the tarball to the your UDM's `/mnt/data` directory. 44 | ```sh 45 | scp ../releases/wireguard-kmod-06-23-21.tar.Z root@192.168.1.254:/mnt/data 46 | ``` 47 | 48 | 7. If building multiple times, the build script will skip building previously built modules. If you want to force re-build everything, then delete the previously built modules and utilities from the `wireguard` folder first. 49 | 50 | ```sh 51 | rm -rf wireguard/*.ko wireguard/usr/* 52 | ``` 53 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # WireGuard kernel module for UnifiOS (UDM, UDR, UXG) 2 | ## Project Notes 3 | 4 | **Author:** Carlos Talbot (Tusc00 on reddit, @tusc69 on ubnt forums) 5 | 6 | The tar file in this repository is a collection of binaries that can be loaded onto a UDM/UDM Pro to run WireGuard in kernel mode. WireGuard is a high performance vpn solution developed by Jason Donenfeld ( https://www.wireguard.com/ ). "WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld. 7 | 8 | Please see below for instructions on how to install the prebuilt kernel module and associated utils. 9 | ## Table of Contents 10 | 11 | * [Install](#install) 12 | * [Build from source](#build-from-source) 13 | * [Surviving Reboots](#surviving-reboots) 14 | * [Upgrades](#upgrades) 15 | * [Issues loading module](#issues-loading-module) 16 | * [Configuration](#configuration) 17 | * [Start tunnel](#start-tunnel) 18 | * [Stop tunnel](#stop-tunnel) 19 | * [FAQ](#faq) 20 | 21 | The Unifi UDM is built on a powerful quad core ARM64 CPU that can sustain up to 800Mb/sec throughput through an IPSec tunnel. There has been a large interest in a kernel port of WireGuard since performance is expected to be similar if not more. If you want to compile your own version, there will be a seperate build page posted soon. This was built from the GPL sources Ubiquiti sent me. I have a seperate github page for the Ubiquiti UDM GPL source code: https://github.com/tusc/UDM-source-code/blob/main/README.md 22 | 23 | ## Notice for UnifiOS 2.x and up 24 | 25 | Note that since UnifiOS 2.x, both the wireguard module and tools (wg, wg-quick) come pre-installed by Ubiquiti. You can simply use wg-quick directly without installing this project. However, the kernel module Ubquiti uses might be outdated. You can still install this project on UnifiOS 2.x and up to get the latest wireguard module if you prefer. 26 | 27 | ## Install 28 | 1. We first need to download the tar file onto the UDM. Connect to it via SSH and type the following command to download the tar file. You need to download the following tar file. NOTE: always check [this link](https://github.com/tusc/wireguard-kmod/releases) for the latest release. 29 | 30 | ```sh 31 | curl -LJo wireguard-kmod.tar.Z https://github.com/tusc/wireguard-kmod/releases/download/v03-01-23/wireguard-kmod-03-01-23.tar.Z 32 | ``` 33 | 34 | 2. From this directory type the following to extract the files: 35 | 36 | * For UnifiOS 2.x, extract the files into `/data/wireguard` 37 | 38 | ```sh 39 | tar -C /data -xvzf wireguard-kmod.tar.Z 40 | ``` 41 | * For UnifiOS 1.x, extract the files into `/mnt/data/wireguard` 42 | 43 | ```sh 44 | tar -C /mnt/data -xvzf wireguard-kmod.tar.Z 45 | ``` 46 | 47 | 48 | 2. Once the extraction is complete, cd into `/data/wireguard` for UnifiOS 2.x (or `/mnt/data/wireguard` for UnifiOS 1.x) and run the script **setup_wireguard.sh** as shown below 49 | ``` 50 | cd /data/wireguard 51 | chmod +x setup_wireguard.sh 52 | ./setup_wireguard.sh 53 | ``` 54 | This will setup the symbolic links for the various binaries to the /usr/bin path as well as create a symlink for the /etc/wireguard folder and finally load the kernel module. You'll want to run **dmesg** to verify the kernel module was loaded. You should see something like the following: 55 | 56 | ``` 57 | [13540.520120] wireguard: WireGuard 1.0.20210219 loaded. See www.wireguard.com for information. 58 | [13540.520126] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld . All Rights Reserved. 59 | ``` 60 | 61 | The script will first try to load the built-in wireguard module if it exists. If it doesn't exist, the external module provided by this package will be loaded instead. You can set `LOAD_BUILTIN=0` at the top of the `setup_wireguard.sh` script to always load the external module. Note that only recent UDM releases since 1.11.0 have the built-in module, and it is not always up-to-date. 62 | 63 | The tar file includes other useful utils such as htop, iftop and [qrencode.](#faq) 64 | 65 | ## Build from source 66 | To build this package please follow this [README](https://github.com/tusc/wireguard-kmod/blob/main/README.building.md) 67 | 68 | ## Surviving Reboots 69 | **Please Note: you will need to run setup_wireguard.sh whenever the UDM is rebooted as the symlinks have to be recreated.** 70 | 71 | * For the UnifiOS 1.x, Boostchicken has a package that can be installed to automatically run the wireguard script anytime the router is rebooted. Just follow the instructions [here](https://github.com/boostchicken/udm-utilities/tree/master/on-boot-script) and drop the **setup_wireguard.sh** script into the /mnt/data/on_boot.d directory when finished. 72 | * For the UnifiOS 2.x, you can either use boostchicken's boot package and throw **setup_wireguard.sh** into `/data/on_boot.d`, or you can natively create a systemd boot service to run the setup script at boot by running the following commands: 73 | ```sh 74 | curl -Lo /etc/systemd/system/setup-wireguard.service https://raw.githubusercontent.com/tusc/wireguard-kmod/main/src/boot/setup-wireguard.service 75 | systemctl daemon-reload 76 | systemctl enable setup-wireguard 77 | ``` 78 | * Note this only adds the setup script to start at boot. If you also want to bring up your wireguard interface at boot, you will need to add another boot script with your `wg-quick up` command. 79 | 80 | ## Upgrades 81 | You can safely download new versions and extract over prior releases. 82 | 83 | ## Issues loading module 84 | If you see the following then you are running a firmware that currently doesn't have a module built for it. 85 | ``` 86 | # ./setup_wireguard.sh 87 | loading wireguard... 88 | insmod: can't insert 'wireguard-4.1.37-v1.9.3.3438-50c9677.ko': No such file or directory 89 | insmod: can't insert 'iptable_raw-4.1.37-v1.9.3.3438-50c9677.ko': No such file or directory 90 | ``` 91 | Please reach out and send me a copy of the output from above. 92 | ## Configuration 93 | There's a sample WireGuard config file in /etc/wireguard you can use to create your own, provided you update the public and private keys. You'll want to copy the sample config and use VI to edit it. You can also just copy an existing config from another server you want to use. 94 | 95 | ``` 96 | cp /etc/wireguard/wg0.conf.sample /etc/wireguard/wg0.conf 97 | vi /etc/wireguard/wg0.conf 98 | ``` 99 | There are various tutorials out there for setting up a client/server config for WireGuard (e.g. https://www.stavros.io/posts/how-to-configure-wireguard/ ). A typical config might be to allow remote access to your internal LAN over the WAN from a mobile phone or romaing laptop. For the purpose of this example, the UDM is the server and the phone/laptop the client. For this you would need to setup a config file on the UDM similar to the following: 100 | 101 | ``` 102 | [Interface] 103 | Address = 192.168.2.1 104 | PrivateKey = 105 | ListenPort = 51820 106 | 107 | [Peer] 108 | PublicKey = 109 | AllowedIPs = 192.168.2.2/32 110 | ``` 111 | 112 | The corresponding config on the phone/laptop (client) would look like this: 113 | 114 | ``` 115 | Address = 192.168.2.2 116 | PrivateKey = 117 | ListenPort = 21841 118 | 119 | [Peer] 120 | PublicKey = 121 | Endpoint = :51820 122 | AllowedIPs = 192.168.2.0/24 123 | 124 | # This is for if you're behind a NAT and 125 | # want the connection to be kept alive. 126 | PersistentKeepalive = 25 127 | ``` 128 | 129 | You'll need to generate keys on both systems. This can be done with the following command: 130 | 131 | ``` 132 | wg genkey | tee privatekey | wg pubkey > publickey 133 | ``` 134 | 135 | Finally, don't forget to open a port on the firewall in order to allow remote access to the wireguard link. You'll want to create this rule on the UDM under the **WAN LOCAL** section of the firewall settings. The default port is 51820 which can be adjusted in the wireguard config file, just make sure to update the firewall rule accordingly. An example of a rule is available here: [WireGuard Rule.](https://github.com/tusc/wireguard-kmod/raw/main/images/WireGuardRule.png) 136 | Note: you'll need to create a port group which can be done during rule creation: [Port Group.](https://github.com/tusc/wireguard-kmod/raw/main/images/PortGroup.png) 137 | ## Start tunnel 138 | Once you have a properly configured conf file, you need to run this command from the cli: 139 | 140 | ``` 141 | # wg-quick up wg0 142 | ``` 143 | 144 | you should see output similar to the following: 145 | 146 | ``` 147 | [#] ip link add wg0 type wireguard 148 | [#] wg setconf wg0 /dev/fd/63 149 | [#] ip -4 address add 10.10.10.1/24 dev wg0 150 | [#] ip link set mtu 1420 up dev wg0 151 | ``` 152 | 153 | You can also execute the wg binary for status on the tunnel: 154 | 155 | ``` 156 | # wg 157 | interface: wg0 158 | public key: XXXXXXXXXXXXX 159 | private key: (hidden) 160 | listening port: 51820 161 | 162 | peer: XXXXXXXXXXXX 163 | endpoint: 192.168.1.191:40396 164 | allowed ips: 10.10.10.2/32 165 | latest handshake: 47 seconds ago 166 | transfer: 3.26 GiB received, 46.17 MiB sent 167 | ``` 168 | I'm currently testing throughput using iperf3 between a UDM Pro and an Ubuntu client over 10Gb. With the UDM as the iperf3 server I'm seeing up to 1.5Gb/sec. 169 | ## Stop tunnel 170 | Finally, in order to shutdown the tunnel you'll need to run this command: 171 | 172 | ``` 173 | # wg-quick down wg0 174 | ``` 175 | 176 | ## FAQ 177 | 178 |
179 | Setup script returns error "Unsupported Kernel version XXX" 180 | 181 | * The wireguard package does not contain a wireguard module built for your firmware or kernel version, nor is there a built-in module in your kernel. Please open an issue and report your version so we can try to update the module. 182 | 183 |
184 |
185 | wg-quick up returns error "unable to initialize table 'raw'" 186 | 187 | * Your kernel does not have the iptables raw module. The raw module is only required if you use `0.0.0.0/0` or `::/0` in your wireguard config's AllowedIPs. A workaround is to instead set AllowedIPs to `0.0.0.0/1,128.0.0.0/1` for IPv4 or `::/1,8000::/1` for IPv6. These subnets cover the same range but do not invoke wg-quick's use of the iptables raw module. 188 | 189 |
190 |
191 | The built-in gateway DNS does not reply to requests from the WireGuard tunnel 192 | 193 | * The built-in dnsmasq on UnifiOS is configured to only listen for requests from specific interfaces. The wireguard interface name (e.g.: wg0) needs to be added to the dnsmasq config so it can respond to requests from the tunnel. You can run the following to add wg0 to the dnsmasq interface list: 194 | 195 | ```sh 196 | echo "interface=wg0" > /run/dnsmasq.conf.d/custom_listen.conf 197 | killall -9 dnsmasq 198 | ``` 199 | 200 | * You can also those commands to PostUp in your wireguard config's Interface section to automatically run them when the tunnel comes up, e.g.: 201 | 202 | ```sh 203 | PostUp = echo "interface=%i" > /run/dnsmasq.conf.d/custom_listen.conf; killall -9 dnsmasq 204 | PreDown = rm -f /run/dnsmasq.conf.d/custom_listen.conf; killall -9 dnsmasq 205 | ``` 206 | 207 |
208 |
209 | Policy-based routing 210 | 211 | * If you want to route router-connected clients through the wireguard tunnel based on source subnet or source VLAN, you need to set up policy-based routing. This is not currently supported with the UI, but can be done in SSH. For a script that makes it easy to set-up policy-based routing rules on UnifiOS, see the [split-vpn](https://github.com/peacey/split-vpn) project. 212 | 213 |
214 |
215 | Multi WAN failover 216 | 217 | * If you have mutliple WANs or are using the UniFi Redundant WAN over LTE, you'll notice the WireGuard connection stays active with the failover link when the primary WAN comes back. A user has written a script to reset the WireGuard tunnel during a fail backup. You can find it at the link below. Just drop it in the startup directory /mnt/data/on_boot.d just like the setup script [above](#surviving-reboots). 218 | 219 | https://github.com/k-a-s-c-h/unifi/blob/main/on_boot.d/10-wireguard_failover.sh 220 | 221 |
222 |
223 | QR Code for clients 224 | 225 | * If you gererate the client keys on the UDM you can use qrencode which has been provided for easy configuration on your IOS or Android phone. Just pass the client configuration file to qrencode as shown below and import with your mobile WireGuard client: 226 | 227 | ``` 228 | qrencode -t ansiutf8 234 | -------------------------------------------------------------------------------- /images/PortGroup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tusc/wireguard-kmod/9eb3281f9f8e4ac0d1050a0e03ad70dd933ccb85/images/PortGroup.png -------------------------------------------------------------------------------- /images/WireGuardRule.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tusc/wireguard-kmod/9eb3281f9f8e4ac0d1050a0e03ad70dd933ccb85/images/WireGuardRule.png -------------------------------------------------------------------------------- /images/qrencode.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tusc/wireguard-kmod/9eb3281f9f8e4ac0d1050a0e03ad70dd933ccb85/images/qrencode.png -------------------------------------------------------------------------------- /releases/README.md: -------------------------------------------------------------------------------- 1 | # Latest release available [here](https://github.com/tusc/wireguard-kmod/releases) 2 | -------------------------------------------------------------------------------- /src/bases/linux-1.10.0-12.tar.gz: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:8f4d3de96bc355f4463ad4041a24776d518ff8bfb4745a5551d3177d82b9d459 3 | size 169543559 4 | -------------------------------------------------------------------------------- /src/bases/linux-1.10.0-8.tar.gz: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:f9da0e14b3370b467b847da998182a4db7b342706a24f8f7e5e34a3949412836 3 | size 173626160 4 | -------------------------------------------------------------------------------- /src/bases/linux-1.11.0.tar.gz: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:9f0e618a11a31d169a0994f05dcfa93969be07a89c4d6dc1cefc621b55b52ff0 3 | size 171552926 4 | -------------------------------------------------------------------------------- /src/bases/linux-1.9.0-10.tar.gz: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:74e10c144aad103cadf46a34d0045bc4a2d5f5946785836773757e39781897af 3 | size 134333095 4 | -------------------------------------------------------------------------------- /src/bases/linux-2.4.tar.gz: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:9d1a90640f3a302817466e42bf4232bc4965641db1d442438e59d5086d91349e 3 | size 174317867 4 | -------------------------------------------------------------------------------- /src/bases/linux-udr-3.0.13.tar.gz: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:b28c3737306ae0172d2b99fd5c9af881f0c14367e453481aaa0129a7883301fc 3 | size 468511673 4 | -------------------------------------------------------------------------------- /src/bases/udm-1.10.0-12/prefix: -------------------------------------------------------------------------------- 1 | 4.19.152-al-linux-v10.2.0 2 | -------------------------------------------------------------------------------- /src/bases/udm-1.10.0-12/versions.txt: -------------------------------------------------------------------------------- 1 | -v1.10.0-12.3672-bace201,-v1.10.0-13.3677-0ebe4e7,-v1.10.0-14.3682-1195971,-v1.10.0-15.3686-a2edd0c,-v1.10.0.3686-a2edd0c,-v1.10.4.3702-91ba352 2 | -------------------------------------------------------------------------------- /src/bases/udm-1.10.0-8/prefix: -------------------------------------------------------------------------------- 1 | 4.19.152-al-linux-v10.2.0 2 | -------------------------------------------------------------------------------- /src/bases/udm-1.10.0-8/versions.txt: -------------------------------------------------------------------------------- 1 | -v1.10.0-8.3636-d7f66e0,-v1.10.0-9.3648-8ab9f61,-v1.10.0-11.3661-7092871 2 | -------------------------------------------------------------------------------- /src/bases/udm-1.11.0/patches/wireguard-linux-compat/0001-exclude-skb_put_data-for-kernel-v4.4.198.patch: -------------------------------------------------------------------------------- 1 | --- a/src/compat/compat.h 2 | +++ b/src/compat/compat.h 3 | @@ -664,7 +664,8 @@ struct __compat_dummy_container { char dev; }; 4 | #define genl_dump_check_consistent(a, b) genl_dump_check_consistent(a, b, &genl_family) 5 | #endif 6 | 7 | -#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) && !defined(ISRHEL7) 8 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) && !defined(ISRHEL7) && \ 9 | + LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 198) 10 | static inline void *skb_put_data(struct sk_buff *skb, const void *data, unsigned int len) 11 | { 12 | void *tmp = skb_put(skb, len); 13 | 14 | 15 | -------------------------------------------------------------------------------- /src/bases/udm-1.11.0/patches/wireguard-linux-compat/0002-exclude-skb_put_data-for-kernel-v4.4.60.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/compat/compat.h b/src/compat/compat.h 2 | index 7acbfc6..845238c 100644 3 | --- a/src/compat/compat.h 4 | +++ b/src/compat/compat.h 5 | @@ -665,7 +665,8 @@ struct __compat_dummy_container { char dev; }; 6 | #endif 7 | 8 | #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) && !defined(ISRHEL7) && \ 9 | - LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 198) 10 | + LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 198) && \ 11 | + LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 60) 12 | static inline void *skb_put_data(struct sk_buff *skb, const void *data, unsigned int len) 13 | { 14 | void *tmp = skb_put(skb, len); 15 | -------------------------------------------------------------------------------- /src/bases/udm-1.11.0/patches/wireguard-linux-compat/021-ubnt-reuse-addr-and-port-for-udp-tunnel.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/compat/udp_tunnel/udp_tunnel_partial_compat.h b/src/compat/udp_tunnel/udp_tunnel_partial_compat.h 2 | index 0605896..ca810fd 100644 3 | --- a/src/compat/udp_tunnel/udp_tunnel_partial_compat.h 4 | +++ b/src/compat/udp_tunnel/udp_tunnel_partial_compat.h 5 | @@ -168,15 +168,15 @@ struct __compat_udp_port_cfg { 6 | struct in_addr peer_ip; 7 | #if IS_ENABLED(CONFIG_IPV6) 8 | struct in6_addr peer_ip6; 9 | #endif 10 | }; 11 | __be16 local_udp_port; 12 | __be16 peer_udp_port; 13 | - unsigned int use_udp_checksums:1, use_udp6_tx_checksums:1, use_udp6_rx_checksums:1, ipv6_v6only:1; 14 | + unsigned int use_udp_checksums:1, use_udp6_tx_checksums:1, use_udp6_rx_checksums:1, reuse_addr:1, reuse_port:1, ipv6_v6only:1; 15 | }; 16 | static inline int __maybe_unused __compat_udp_sock_create(struct net *net, struct __compat_udp_port_cfg *cfg, struct socket **sockp) 17 | { 18 | struct udp_port_cfg old_cfg = { 19 | .family = cfg->family, 20 | .local_ip = cfg->local_ip, 21 | #if IS_ENABLED(CONFIG_IPV6) 22 | @@ -186,15 +186,17 @@ static inline int __maybe_unused __compat_udp_sock_create(struct net *net, struc 23 | #if IS_ENABLED(CONFIG_IPV6) 24 | .peer_ip6 = cfg->peer_ip6, 25 | #endif 26 | .local_udp_port = cfg->local_udp_port, 27 | .peer_udp_port = cfg->peer_udp_port, 28 | .use_udp_checksums = cfg->use_udp_checksums, 29 | .use_udp6_tx_checksums = cfg->use_udp6_tx_checksums, 30 | - .use_udp6_rx_checksums = cfg->use_udp6_rx_checksums 31 | + .use_udp6_rx_checksums = cfg->use_udp6_rx_checksums, 32 | + .reuse_addr = cfg->reuse_addr, 33 | + .reuse_port = cfg->reuse_port 34 | }; 35 | if (cfg->family == AF_INET) 36 | return udp_sock_create4(net, &old_cfg, sockp); 37 | 38 | #if IS_ENABLED(CONFIG_IPV6) 39 | if (cfg->family == AF_INET6) { 40 | int ret; 41 | diff --git a/src/socket.c b/src/socket.c 42 | index e8eceeb..dcc4088 100644 43 | --- a/src/socket.c 44 | +++ b/src/socket.c 45 | @@ -355,23 +355,27 @@ int wg_socket_init(struct wg_device *wg, u16 port) 46 | .encap_rcv = wg_receive 47 | }; 48 | struct socket *new4 = NULL, *new6 = NULL; 49 | struct udp_port_cfg port4 = { 50 | .family = AF_INET, 51 | .local_ip.s_addr = htonl(INADDR_ANY), 52 | .local_udp_port = htons(port), 53 | - .use_udp_checksums = true 54 | + .use_udp_checksums = true, 55 | + .reuse_addr = true, 56 | + .reuse_port = true 57 | }; 58 | #if IS_ENABLED(CONFIG_IPV6) 59 | int retries = 0; 60 | struct udp_port_cfg port6 = { 61 | .family = AF_INET6, 62 | .local_ip6 = IN6ADDR_ANY_INIT, 63 | .use_udp6_tx_checksums = true, 64 | .use_udp6_rx_checksums = true, 65 | + .reuse_addr = true, 66 | + .reuse_port = true, 67 | .ipv6_v6only = true 68 | }; 69 | #endif 70 | 71 | rcu_read_lock(); 72 | net = rcu_dereference(wg->creating_net); 73 | net = net ? maybe_get_net(net) : NULL; 74 | -------------------------------------------------------------------------------- /src/bases/udm-1.11.0/patches/wireguard-linux-compat/041-ubnt-protection-from-routing-loops.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/device.c b/src/device.c 2 | index c673446..25aac06 100644 3 | --- a/src/device.c 4 | +++ b/src/device.c 5 | @@ -127,14 +127,26 @@ static netdev_tx_t wg_xmit(struct sk_buff *skb, struct net_device *dev) 6 | struct sk_buff_head packets; 7 | struct wg_peer *peer; 8 | struct sk_buff *next; 9 | sa_family_t family; 10 | u32 mtu; 11 | int ret; 12 | 13 | + if (unlikely(skb->mark & wg->fwmark)) { 14 | + ret = -ENETDOWN; 15 | + net_crit_ratelimited("%s: loop detected, dropping skb of length %u\n", dev->name, skb->len); 16 | + goto err; 17 | + } 18 | + 19 | + if (unlikely(skb_end_offset(skb) > 33000)) { 20 | + ret = -ENETDOWN; 21 | + net_crit_ratelimited("%s: possible loop detected, dropping skb of size %u\n", dev->name, skb_end_offset(skb)); 22 | + goto err; 23 | + } 24 | + 25 | if (unlikely(!wg_check_packet_protocol(skb))) { 26 | ret = -EPROTONOSUPPORT; 27 | net_dbg_ratelimited("%s: Invalid IP packet\n", dev->name); 28 | goto err; 29 | } 30 | 31 | peer = wg_allowedips_lookup_dst(&wg->peer_allowedips, skb); 32 | -------------------------------------------------------------------------------- /src/bases/udm-1.11.0/patches/wireguard-linux-compat/099-ubnt-add-get-last-receive-timeout.patch: -------------------------------------------------------------------------------- 1 | --- a/src/netlink.c 2 | +++ b/src/netlink.c 3 | @@ -34,15 +34,17 @@ static const struct nla_policy peer_poli 4 | [WGPEER_A_FLAGS] = { .type = NLA_U32 }, 5 | [WGPEER_A_ENDPOINT] = NLA_POLICY_MIN_LEN(sizeof(struct sockaddr)), 6 | [WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NLA_U16 }, 7 | [WGPEER_A_LAST_HANDSHAKE_TIME] = NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)), 8 | [WGPEER_A_RX_BYTES] = { .type = NLA_U64 }, 9 | [WGPEER_A_TX_BYTES] = { .type = NLA_U64 }, 10 | [WGPEER_A_ALLOWEDIPS] = { .type = NLA_NESTED }, 11 | - [WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32 } 12 | + [WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32 }, 13 | + [WGPEER_A_FORCED_HANDSHAKE_INTERVAL] = { .type = NLA_U16 }, 14 | + [WGPEER_A_LAST_RECEIVE_TIME] = NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)), 15 | }; 16 | 17 | static const struct nla_policy allowedip_policy[WGALLOWEDIP_A_MAX + 1] = { 18 | [WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16 }, 19 | [WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(sizeof(struct in_addr)), 20 | [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 } 21 | }; 22 | @@ -119,31 +121,39 @@ get_peer(struct wg_peer *peer, struct sk 23 | goto err; 24 | 25 | if (!allowedips_node) { 26 | const struct __kernel_timespec last_handshake = { 27 | .tv_sec = peer->walltime_last_handshake.tv_sec, 28 | .tv_nsec = peer->walltime_last_handshake.tv_nsec 29 | }; 30 | + const struct __kernel_timespec last_receive = { 31 | + .tv_sec = peer->walltime_last_receive.tv_sec, 32 | + .tv_nsec = peer->walltime_last_receive.tv_nsec 33 | + }; 34 | 35 | down_read(&peer->handshake.lock); 36 | fail = nla_put(skb, WGPEER_A_PRESHARED_KEY, 37 | NOISE_SYMMETRIC_KEY_LEN, 38 | peer->handshake.preshared_key); 39 | up_read(&peer->handshake.lock); 40 | if (fail) 41 | goto err; 42 | 43 | if (nla_put(skb, WGPEER_A_LAST_HANDSHAKE_TIME, 44 | sizeof(last_handshake), &last_handshake) || 45 | + nla_put(skb, WGPEER_A_LAST_RECEIVE_TIME, 46 | + sizeof(last_receive), &last_receive) || 47 | nla_put_u16(skb, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, 48 | peer->persistent_keepalive_interval) || 49 | nla_put_u64_64bit(skb, WGPEER_A_TX_BYTES, peer->tx_bytes, 50 | WGPEER_A_UNSPEC) || 51 | nla_put_u64_64bit(skb, WGPEER_A_RX_BYTES, peer->rx_bytes, 52 | WGPEER_A_UNSPEC) || 53 | + nla_put_u16(skb, WGPEER_A_FORCED_HANDSHAKE_INTERVAL, 54 | + peer->forced_handshake_interval) || 55 | nla_put_u32(skb, WGPEER_A_PROTOCOL_VERSION, 1)) 56 | goto err; 57 | 58 | read_lock_bh(&peer->endpoint_lock); 59 | if (peer->endpoint.addr.sa_family == AF_INET) 60 | fail = nla_put(skb, WGPEER_A_ENDPOINT, 61 | sizeof(peer->endpoint.addr4), 62 | @@ -474,14 +484,19 @@ static int set_peer(struct wg_device *wg 63 | netif_running(wg->dev); 64 | 65 | peer->persistent_keepalive_interval = persistent_keepalive_interval; 66 | if (send_keepalive) 67 | wg_packet_send_keepalive(peer); 68 | } 69 | 70 | + if (attrs[WGPEER_A_FORCED_HANDSHAKE_INTERVAL]) { 71 | + peer->forced_handshake_interval = nla_get_u16( 72 | + attrs[WGPEER_A_FORCED_HANDSHAKE_INTERVAL]); 73 | + } 74 | + 75 | if (netif_running(wg->dev)) 76 | wg_packet_send_staged_packets(peer); 77 | 78 | out: 79 | wg_peer_put(peer); 80 | if (attrs[WGPEER_A_PRESHARED_KEY]) 81 | memzero_explicit(nla_data(attrs[WGPEER_A_PRESHARED_KEY]), 82 | --- a/src/peer.h 83 | +++ b/src/peer.h 84 | @@ -60,14 +60,17 @@ struct wg_peer { 85 | struct timespec64 walltime_last_handshake; 86 | struct kref refcount; 87 | struct rcu_head rcu; 88 | struct list_head peer_list; 89 | struct list_head allowedips_list; 90 | struct napi_struct napi; 91 | u64 internal_id; 92 | + u16 forced_handshake_interval; 93 | + struct timer_list timer_forced_handshake; 94 | + struct timespec64 walltime_last_receive; 95 | }; 96 | 97 | struct wg_peer *wg_peer_create(struct wg_device *wg, 98 | const u8 public_key[NOISE_PUBLIC_KEY_LEN], 99 | const u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN]); 100 | 101 | struct wg_peer *__must_check wg_peer_get_maybe_zero(struct wg_peer *peer); 102 | --- a/src/timers.c 103 | +++ b/src/timers.c 104 | @@ -137,14 +137,31 @@ static void wg_expired_send_persistent_k 105 | struct wg_peer *peer = from_timer(peer, timer, 106 | timer_persistent_keepalive); 107 | 108 | if (likely(peer->persistent_keepalive_interval)) 109 | wg_packet_send_keepalive(peer); 110 | } 111 | 112 | +static void wg_expired_forced_handshake(struct timer_list *timer) 113 | +{ 114 | + struct wg_peer *peer = from_timer(peer, timer, timer_forced_handshake); 115 | + 116 | + if (!likely(peer->forced_handshake_interval)) 117 | + return; 118 | + 119 | + pr_debug("%s: Retrying handshake with peer %llu (%pISpfsc) because we stopped hearing back after forced handshake timeout %d seconds\n", 120 | + peer->device->dev->name, peer->internal_id, 121 | + &peer->endpoint.addr, peer->forced_handshake_interval); 122 | + /* We clear the endpoint address src address, in case this is the cause 123 | + * of trouble. 124 | + */ 125 | + wg_socket_clear_peer_endpoint_src(peer); 126 | + wg_packet_send_queued_handshake_initiation(peer, false); 127 | +} 128 | + 129 | /* Should be called after an authenticated data packet is sent. */ 130 | void wg_timers_data_sent(struct wg_peer *peer) 131 | { 132 | if (!timer_pending(&peer->timer_new_handshake)) 133 | mod_peer_timer(peer, &peer->timer_new_handshake, 134 | jiffies + (KEEPALIVE_TIMEOUT + REKEY_TIMEOUT) * HZ + 135 | prandom_u32_max(REKEY_TIMEOUT_JITTER_MAX_JIFFIES)); 136 | @@ -172,14 +189,19 @@ void wg_timers_any_authenticated_packet_ 137 | 138 | /* Should be called after any type of authenticated packet is received, whether 139 | * keepalive, data, or handshake. 140 | */ 141 | void wg_timers_any_authenticated_packet_received(struct wg_peer *peer) 142 | { 143 | del_timer(&peer->timer_new_handshake); 144 | + ktime_get_real_ts64(&peer->walltime_last_receive); 145 | + if (likely(peer->forced_handshake_interval)) { 146 | + mod_peer_timer(peer, &peer->timer_forced_handshake, 147 | + jiffies + peer->forced_handshake_interval * HZ); 148 | + } 149 | } 150 | 151 | /* Should be called after a handshake initiation message is sent. */ 152 | void wg_timers_handshake_initiated(struct wg_peer *peer) 153 | { 154 | mod_peer_timer(peer, &peer->timer_retransmit_handshake, 155 | jiffies + REKEY_TIMEOUT * HZ + 156 | @@ -222,22 +244,25 @@ void wg_timers_init(struct wg_peer *peer 157 | wg_expired_retransmit_handshake, 0); 158 | timer_setup(&peer->timer_send_keepalive, wg_expired_send_keepalive, 0); 159 | timer_setup(&peer->timer_new_handshake, wg_expired_new_handshake, 0); 160 | timer_setup(&peer->timer_zero_key_material, 161 | wg_expired_zero_key_material, 0); 162 | timer_setup(&peer->timer_persistent_keepalive, 163 | wg_expired_send_persistent_keepalive, 0); 164 | + timer_setup(&peer->timer_forced_handshake, 165 | + wg_expired_forced_handshake, 0); 166 | INIT_WORK(&peer->clear_peer_work, wg_queued_expired_zero_key_material); 167 | peer->timer_handshake_attempts = 0; 168 | peer->sent_lastminute_handshake = false; 169 | peer->timer_need_another_keepalive = false; 170 | } 171 | 172 | void wg_timers_stop(struct wg_peer *peer) 173 | { 174 | del_timer_sync(&peer->timer_retransmit_handshake); 175 | del_timer_sync(&peer->timer_send_keepalive); 176 | del_timer_sync(&peer->timer_new_handshake); 177 | + del_timer_sync(&peer->timer_forced_handshake); 178 | del_timer_sync(&peer->timer_zero_key_material); 179 | del_timer_sync(&peer->timer_persistent_keepalive); 180 | flush_work(&peer->clear_peer_work); 181 | } 182 | --- a/src/uapi/wireguard.h 183 | +++ b/src/uapi/wireguard.h 184 | @@ -45,14 +45,16 @@ 185 | * WGALLOWEDIP_A_CIDR_MASK: NLA_U8 186 | * 0: NLA_NESTED 187 | * ... 188 | * 0: NLA_NESTED 189 | * ... 190 | * ... 191 | * WGPEER_A_PROTOCOL_VERSION: NLA_U32 192 | + * WGPEER_A_FORCED_HANDSHAKE_INTERVAL: NLA_U16 193 | + * WGPEER_A_LAST_RECEIVE_TIME: NLA_EXACT_LEN, struct __kernel_timespec 194 | * 0: NLA_NESTED 195 | * ... 196 | * ... 197 | * 198 | * It is possible that all of the allowed IPs of a single peer will not 199 | * fit within a single netlink message. In that case, the same peer will 200 | * be written in the following message, except it will only contain 201 | @@ -107,14 +109,15 @@ 202 | * ... 203 | * ... 204 | * WGPEER_A_PROTOCOL_VERSION: NLA_U32, should not be set or used at 205 | * all by most users of this API, as the 206 | * most recent protocol will be used when 207 | * this is unset. Otherwise, must be set 208 | * to 1. 209 | + * WGPEER_A_FORCED_HANDSHAKE_INTERVAL: NLA_U16, 0 to disable 210 | * 0: NLA_NESTED 211 | * ... 212 | * ... 213 | * 214 | * It is possible that the amount of configuration data exceeds that of 215 | * the maximum message length accepted by the kernel. In that case, several 216 | * messages should be sent one after another, with each successive one 217 | @@ -176,14 +179,16 @@ enum wgpeer_attribute { 218 | WGPEER_A_ENDPOINT, 219 | WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, 220 | WGPEER_A_LAST_HANDSHAKE_TIME, 221 | WGPEER_A_RX_BYTES, 222 | WGPEER_A_TX_BYTES, 223 | WGPEER_A_ALLOWEDIPS, 224 | WGPEER_A_PROTOCOL_VERSION, 225 | + WGPEER_A_FORCED_HANDSHAKE_INTERVAL, 226 | + WGPEER_A_LAST_RECEIVE_TIME, 227 | __WGPEER_A_LAST 228 | }; 229 | #define WGPEER_A_MAX (__WGPEER_A_LAST - 1) 230 | 231 | enum wgallowedip_attribute { 232 | WGALLOWEDIP_A_UNSPEC, 233 | WGALLOWEDIP_A_FAMILY, 234 | -------------------------------------------------------------------------------- /src/bases/udm-1.11.0/prefix: -------------------------------------------------------------------------------- 1 | 4.19.152-al-linux-v10.2.0 2 | -------------------------------------------------------------------------------- /src/bases/udm-1.11.0/versions.txt: -------------------------------------------------------------------------------- 1 | -v1.11.0.3921-f2e3fac,-v1.11.1.3932-88c26f4,-v1.11.3.3937-2edb570,-v1.11.4.3940-e66d85f,-v1.12.13.4270-7288473,-v1.12.14.4274-d445100,-v1.12.15.4285-a130b42,-v1.12.19.4302-a153f32,-v1.12.21.4305-d48df5d,-v1.12.22.4309-4105ace,-v1.12.24.4315-136ee7c,-v1.12.28.4323-7cd1177,-v1.12.30.4325-060f0fe,-v1.12.33.4328-5979f88,-v1.12.38.4335-66b5e18 2 | -------------------------------------------------------------------------------- /src/bases/udm-1.9.0-10/linux-patches/linux-0001-dtc-lexer.patch: -------------------------------------------------------------------------------- 1 | --- a/scripts/dtc/dtc-lexer.l 2021-02-03 05:03:13.000000000 -0700 2 | +++ b/scripts/dtc/dtc-lexer.l 2021-06-21 15:08:33.265930996 -0600 3 | @@ -39,7 +39,7 @@ 4 | #include "srcpos.h" 5 | #include "dtc-parser.tab.h" 6 | 7 | -YYLTYPE yylloc; 8 | +extern YYLTYPE yylloc; 9 | 10 | /* CAUTION: this will stop working if we ever use yyless() or yyunput() */ 11 | #define YY_USER_ACTION \ 12 | 13 | --- a/scripts/dtc/dtc-lexer.lex.c_shipped 2021-06-21 16:04:48.890865860 -0600 14 | +++ b/scripts/dtc/dtc-lexer.lex.c_shipped 2021-06-21 16:05:13.163909071 -0600 15 | @@ -637,7 +637,7 @@ 16 | #include "srcpos.h" 17 | #include "dtc-parser.tab.h" 18 | 19 | -YYLTYPE yylloc; 20 | +extern YYLTYPE yylloc; 21 | 22 | /* CAUTION: this will stop working if we ever use yyless() or yyunput() */ 23 | #define YY_USER_ACTION \ 24 | -------------------------------------------------------------------------------- /src/bases/udm-1.9.0-10/prefix: -------------------------------------------------------------------------------- 1 | 4.1.37 2 | -------------------------------------------------------------------------------- /src/bases/udm-1.9.0-10/versions.txt: -------------------------------------------------------------------------------- 1 | -v0.5.0-2.3464-3238f5d,-v1.9.0-1.3475-4851b2b,-v1.9.1.3427-c2181d1,-v1.9.2.3432-3f1425e,-v1.9.3.3438-50c9676 2 | -------------------------------------------------------------------------------- /src/bases/udm-2.4/linux-patches/linux-0001-localversion.patch: -------------------------------------------------------------------------------- 1 | --- a/localversion 1970-01-01 01:00:00.000000000 +0100 2 | +++ b/localversion 2021-07-23 16:01:53.017501275 -0600 3 | @@ -0,0 +1 @@ 4 | +-ui-alpine 5 | -------------------------------------------------------------------------------- /src/bases/udm-2.4/patches/wireguard-linux-compat/0001-exclude-skb_put_data-for-kernel-v4.4.198.patch: -------------------------------------------------------------------------------- 1 | --- a/src/compat/compat.h 2 | +++ b/src/compat/compat.h 3 | @@ -664,7 +664,8 @@ struct __compat_dummy_container { char dev; }; 4 | #define genl_dump_check_consistent(a, b) genl_dump_check_consistent(a, b, &genl_family) 5 | #endif 6 | 7 | -#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) && !defined(ISRHEL7) 8 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) && !defined(ISRHEL7) && \ 9 | + LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 198) 10 | static inline void *skb_put_data(struct sk_buff *skb, const void *data, unsigned int len) 11 | { 12 | void *tmp = skb_put(skb, len); 13 | 14 | 15 | -------------------------------------------------------------------------------- /src/bases/udm-2.4/patches/wireguard-linux-compat/0002-exclude-skb_put_data-for-kernel-v4.4.60.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/compat/compat.h b/src/compat/compat.h 2 | index 7acbfc6..845238c 100644 3 | --- a/src/compat/compat.h 4 | +++ b/src/compat/compat.h 5 | @@ -665,7 +665,8 @@ struct __compat_dummy_container { char dev; }; 6 | #endif 7 | 8 | #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) && !defined(ISRHEL7) && \ 9 | - LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 198) 10 | + LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 198) && \ 11 | + LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 60) 12 | static inline void *skb_put_data(struct sk_buff *skb, const void *data, unsigned int len) 13 | { 14 | void *tmp = skb_put(skb, len); 15 | -------------------------------------------------------------------------------- /src/bases/udm-2.4/patches/wireguard-linux-compat/021-ubnt-reuse-addr-and-port-for-udp-tunnel.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/compat/udp_tunnel/udp_tunnel_partial_compat.h b/src/compat/udp_tunnel/udp_tunnel_partial_compat.h 2 | index 0605896..ca810fd 100644 3 | --- a/src/compat/udp_tunnel/udp_tunnel_partial_compat.h 4 | +++ b/src/compat/udp_tunnel/udp_tunnel_partial_compat.h 5 | @@ -168,15 +168,15 @@ struct __compat_udp_port_cfg { 6 | struct in_addr peer_ip; 7 | #if IS_ENABLED(CONFIG_IPV6) 8 | struct in6_addr peer_ip6; 9 | #endif 10 | }; 11 | __be16 local_udp_port; 12 | __be16 peer_udp_port; 13 | - unsigned int use_udp_checksums:1, use_udp6_tx_checksums:1, use_udp6_rx_checksums:1, ipv6_v6only:1; 14 | + unsigned int use_udp_checksums:1, use_udp6_tx_checksums:1, use_udp6_rx_checksums:1, reuse_addr:1, reuse_port:1, ipv6_v6only:1; 15 | }; 16 | static inline int __maybe_unused __compat_udp_sock_create(struct net *net, struct __compat_udp_port_cfg *cfg, struct socket **sockp) 17 | { 18 | struct udp_port_cfg old_cfg = { 19 | .family = cfg->family, 20 | .local_ip = cfg->local_ip, 21 | #if IS_ENABLED(CONFIG_IPV6) 22 | @@ -186,15 +186,17 @@ static inline int __maybe_unused __compat_udp_sock_create(struct net *net, struc 23 | #if IS_ENABLED(CONFIG_IPV6) 24 | .peer_ip6 = cfg->peer_ip6, 25 | #endif 26 | .local_udp_port = cfg->local_udp_port, 27 | .peer_udp_port = cfg->peer_udp_port, 28 | .use_udp_checksums = cfg->use_udp_checksums, 29 | .use_udp6_tx_checksums = cfg->use_udp6_tx_checksums, 30 | - .use_udp6_rx_checksums = cfg->use_udp6_rx_checksums 31 | + .use_udp6_rx_checksums = cfg->use_udp6_rx_checksums, 32 | + .reuse_addr = cfg->reuse_addr, 33 | + .reuse_port = cfg->reuse_port 34 | }; 35 | if (cfg->family == AF_INET) 36 | return udp_sock_create4(net, &old_cfg, sockp); 37 | 38 | #if IS_ENABLED(CONFIG_IPV6) 39 | if (cfg->family == AF_INET6) { 40 | int ret; 41 | diff --git a/src/socket.c b/src/socket.c 42 | index e8eceeb..dcc4088 100644 43 | --- a/src/socket.c 44 | +++ b/src/socket.c 45 | @@ -355,23 +355,27 @@ int wg_socket_init(struct wg_device *wg, u16 port) 46 | .encap_rcv = wg_receive 47 | }; 48 | struct socket *new4 = NULL, *new6 = NULL; 49 | struct udp_port_cfg port4 = { 50 | .family = AF_INET, 51 | .local_ip.s_addr = htonl(INADDR_ANY), 52 | .local_udp_port = htons(port), 53 | - .use_udp_checksums = true 54 | + .use_udp_checksums = true, 55 | + .reuse_addr = true, 56 | + .reuse_port = true 57 | }; 58 | #if IS_ENABLED(CONFIG_IPV6) 59 | int retries = 0; 60 | struct udp_port_cfg port6 = { 61 | .family = AF_INET6, 62 | .local_ip6 = IN6ADDR_ANY_INIT, 63 | .use_udp6_tx_checksums = true, 64 | .use_udp6_rx_checksums = true, 65 | + .reuse_addr = true, 66 | + .reuse_port = true, 67 | .ipv6_v6only = true 68 | }; 69 | #endif 70 | 71 | rcu_read_lock(); 72 | net = rcu_dereference(wg->creating_net); 73 | net = net ? maybe_get_net(net) : NULL; 74 | -------------------------------------------------------------------------------- /src/bases/udm-2.4/patches/wireguard-linux-compat/041-ubnt-protection-from-routing-loops.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/device.c b/src/device.c 2 | index c673446..25aac06 100644 3 | --- a/src/device.c 4 | +++ b/src/device.c 5 | @@ -127,14 +127,26 @@ static netdev_tx_t wg_xmit(struct sk_buff *skb, struct net_device *dev) 6 | struct sk_buff_head packets; 7 | struct wg_peer *peer; 8 | struct sk_buff *next; 9 | sa_family_t family; 10 | u32 mtu; 11 | int ret; 12 | 13 | + if (unlikely(skb->mark & wg->fwmark)) { 14 | + ret = -ENETDOWN; 15 | + net_crit_ratelimited("%s: loop detected, dropping skb of length %u\n", dev->name, skb->len); 16 | + goto err; 17 | + } 18 | + 19 | + if (unlikely(skb_end_offset(skb) > 33000)) { 20 | + ret = -ENETDOWN; 21 | + net_crit_ratelimited("%s: possible loop detected, dropping skb of size %u\n", dev->name, skb_end_offset(skb)); 22 | + goto err; 23 | + } 24 | + 25 | if (unlikely(!wg_check_packet_protocol(skb))) { 26 | ret = -EPROTONOSUPPORT; 27 | net_dbg_ratelimited("%s: Invalid IP packet\n", dev->name); 28 | goto err; 29 | } 30 | 31 | peer = wg_allowedips_lookup_dst(&wg->peer_allowedips, skb); 32 | -------------------------------------------------------------------------------- /src/bases/udm-2.4/patches/wireguard-linux-compat/099-ubnt-add-get-last-receive-timeout.patch: -------------------------------------------------------------------------------- 1 | --- a/src/netlink.c 2 | +++ b/src/netlink.c 3 | @@ -34,15 +34,17 @@ static const struct nla_policy peer_poli 4 | [WGPEER_A_FLAGS] = { .type = NLA_U32 }, 5 | [WGPEER_A_ENDPOINT] = NLA_POLICY_MIN_LEN(sizeof(struct sockaddr)), 6 | [WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NLA_U16 }, 7 | [WGPEER_A_LAST_HANDSHAKE_TIME] = NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)), 8 | [WGPEER_A_RX_BYTES] = { .type = NLA_U64 }, 9 | [WGPEER_A_TX_BYTES] = { .type = NLA_U64 }, 10 | [WGPEER_A_ALLOWEDIPS] = { .type = NLA_NESTED }, 11 | - [WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32 } 12 | + [WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32 }, 13 | + [WGPEER_A_FORCED_HANDSHAKE_INTERVAL] = { .type = NLA_U16 }, 14 | + [WGPEER_A_LAST_RECEIVE_TIME] = NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)), 15 | }; 16 | 17 | static const struct nla_policy allowedip_policy[WGALLOWEDIP_A_MAX + 1] = { 18 | [WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16 }, 19 | [WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(sizeof(struct in_addr)), 20 | [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 } 21 | }; 22 | @@ -119,31 +121,39 @@ get_peer(struct wg_peer *peer, struct sk 23 | goto err; 24 | 25 | if (!allowedips_node) { 26 | const struct __kernel_timespec last_handshake = { 27 | .tv_sec = peer->walltime_last_handshake.tv_sec, 28 | .tv_nsec = peer->walltime_last_handshake.tv_nsec 29 | }; 30 | + const struct __kernel_timespec last_receive = { 31 | + .tv_sec = peer->walltime_last_receive.tv_sec, 32 | + .tv_nsec = peer->walltime_last_receive.tv_nsec 33 | + }; 34 | 35 | down_read(&peer->handshake.lock); 36 | fail = nla_put(skb, WGPEER_A_PRESHARED_KEY, 37 | NOISE_SYMMETRIC_KEY_LEN, 38 | peer->handshake.preshared_key); 39 | up_read(&peer->handshake.lock); 40 | if (fail) 41 | goto err; 42 | 43 | if (nla_put(skb, WGPEER_A_LAST_HANDSHAKE_TIME, 44 | sizeof(last_handshake), &last_handshake) || 45 | + nla_put(skb, WGPEER_A_LAST_RECEIVE_TIME, 46 | + sizeof(last_receive), &last_receive) || 47 | nla_put_u16(skb, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, 48 | peer->persistent_keepalive_interval) || 49 | nla_put_u64_64bit(skb, WGPEER_A_TX_BYTES, peer->tx_bytes, 50 | WGPEER_A_UNSPEC) || 51 | nla_put_u64_64bit(skb, WGPEER_A_RX_BYTES, peer->rx_bytes, 52 | WGPEER_A_UNSPEC) || 53 | + nla_put_u16(skb, WGPEER_A_FORCED_HANDSHAKE_INTERVAL, 54 | + peer->forced_handshake_interval) || 55 | nla_put_u32(skb, WGPEER_A_PROTOCOL_VERSION, 1)) 56 | goto err; 57 | 58 | read_lock_bh(&peer->endpoint_lock); 59 | if (peer->endpoint.addr.sa_family == AF_INET) 60 | fail = nla_put(skb, WGPEER_A_ENDPOINT, 61 | sizeof(peer->endpoint.addr4), 62 | @@ -474,14 +484,19 @@ static int set_peer(struct wg_device *wg 63 | netif_running(wg->dev); 64 | 65 | peer->persistent_keepalive_interval = persistent_keepalive_interval; 66 | if (send_keepalive) 67 | wg_packet_send_keepalive(peer); 68 | } 69 | 70 | + if (attrs[WGPEER_A_FORCED_HANDSHAKE_INTERVAL]) { 71 | + peer->forced_handshake_interval = nla_get_u16( 72 | + attrs[WGPEER_A_FORCED_HANDSHAKE_INTERVAL]); 73 | + } 74 | + 75 | if (netif_running(wg->dev)) 76 | wg_packet_send_staged_packets(peer); 77 | 78 | out: 79 | wg_peer_put(peer); 80 | if (attrs[WGPEER_A_PRESHARED_KEY]) 81 | memzero_explicit(nla_data(attrs[WGPEER_A_PRESHARED_KEY]), 82 | --- a/src/peer.h 83 | +++ b/src/peer.h 84 | @@ -60,14 +60,17 @@ struct wg_peer { 85 | struct timespec64 walltime_last_handshake; 86 | struct kref refcount; 87 | struct rcu_head rcu; 88 | struct list_head peer_list; 89 | struct list_head allowedips_list; 90 | struct napi_struct napi; 91 | u64 internal_id; 92 | + u16 forced_handshake_interval; 93 | + struct timer_list timer_forced_handshake; 94 | + struct timespec64 walltime_last_receive; 95 | }; 96 | 97 | struct wg_peer *wg_peer_create(struct wg_device *wg, 98 | const u8 public_key[NOISE_PUBLIC_KEY_LEN], 99 | const u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN]); 100 | 101 | struct wg_peer *__must_check wg_peer_get_maybe_zero(struct wg_peer *peer); 102 | --- a/src/timers.c 103 | +++ b/src/timers.c 104 | @@ -137,14 +137,31 @@ static void wg_expired_send_persistent_k 105 | struct wg_peer *peer = from_timer(peer, timer, 106 | timer_persistent_keepalive); 107 | 108 | if (likely(peer->persistent_keepalive_interval)) 109 | wg_packet_send_keepalive(peer); 110 | } 111 | 112 | +static void wg_expired_forced_handshake(struct timer_list *timer) 113 | +{ 114 | + struct wg_peer *peer = from_timer(peer, timer, timer_forced_handshake); 115 | + 116 | + if (!likely(peer->forced_handshake_interval)) 117 | + return; 118 | + 119 | + pr_debug("%s: Retrying handshake with peer %llu (%pISpfsc) because we stopped hearing back after forced handshake timeout %d seconds\n", 120 | + peer->device->dev->name, peer->internal_id, 121 | + &peer->endpoint.addr, peer->forced_handshake_interval); 122 | + /* We clear the endpoint address src address, in case this is the cause 123 | + * of trouble. 124 | + */ 125 | + wg_socket_clear_peer_endpoint_src(peer); 126 | + wg_packet_send_queued_handshake_initiation(peer, false); 127 | +} 128 | + 129 | /* Should be called after an authenticated data packet is sent. */ 130 | void wg_timers_data_sent(struct wg_peer *peer) 131 | { 132 | if (!timer_pending(&peer->timer_new_handshake)) 133 | mod_peer_timer(peer, &peer->timer_new_handshake, 134 | jiffies + (KEEPALIVE_TIMEOUT + REKEY_TIMEOUT) * HZ + 135 | prandom_u32_max(REKEY_TIMEOUT_JITTER_MAX_JIFFIES)); 136 | @@ -172,14 +189,19 @@ void wg_timers_any_authenticated_packet_ 137 | 138 | /* Should be called after any type of authenticated packet is received, whether 139 | * keepalive, data, or handshake. 140 | */ 141 | void wg_timers_any_authenticated_packet_received(struct wg_peer *peer) 142 | { 143 | del_timer(&peer->timer_new_handshake); 144 | + ktime_get_real_ts64(&peer->walltime_last_receive); 145 | + if (likely(peer->forced_handshake_interval)) { 146 | + mod_peer_timer(peer, &peer->timer_forced_handshake, 147 | + jiffies + peer->forced_handshake_interval * HZ); 148 | + } 149 | } 150 | 151 | /* Should be called after a handshake initiation message is sent. */ 152 | void wg_timers_handshake_initiated(struct wg_peer *peer) 153 | { 154 | mod_peer_timer(peer, &peer->timer_retransmit_handshake, 155 | jiffies + REKEY_TIMEOUT * HZ + 156 | @@ -222,22 +244,25 @@ void wg_timers_init(struct wg_peer *peer 157 | wg_expired_retransmit_handshake, 0); 158 | timer_setup(&peer->timer_send_keepalive, wg_expired_send_keepalive, 0); 159 | timer_setup(&peer->timer_new_handshake, wg_expired_new_handshake, 0); 160 | timer_setup(&peer->timer_zero_key_material, 161 | wg_expired_zero_key_material, 0); 162 | timer_setup(&peer->timer_persistent_keepalive, 163 | wg_expired_send_persistent_keepalive, 0); 164 | + timer_setup(&peer->timer_forced_handshake, 165 | + wg_expired_forced_handshake, 0); 166 | INIT_WORK(&peer->clear_peer_work, wg_queued_expired_zero_key_material); 167 | peer->timer_handshake_attempts = 0; 168 | peer->sent_lastminute_handshake = false; 169 | peer->timer_need_another_keepalive = false; 170 | } 171 | 172 | void wg_timers_stop(struct wg_peer *peer) 173 | { 174 | del_timer_sync(&peer->timer_retransmit_handshake); 175 | del_timer_sync(&peer->timer_send_keepalive); 176 | del_timer_sync(&peer->timer_new_handshake); 177 | + del_timer_sync(&peer->timer_forced_handshake); 178 | del_timer_sync(&peer->timer_zero_key_material); 179 | del_timer_sync(&peer->timer_persistent_keepalive); 180 | flush_work(&peer->clear_peer_work); 181 | } 182 | --- a/src/uapi/wireguard.h 183 | +++ b/src/uapi/wireguard.h 184 | @@ -45,14 +45,16 @@ 185 | * WGALLOWEDIP_A_CIDR_MASK: NLA_U8 186 | * 0: NLA_NESTED 187 | * ... 188 | * 0: NLA_NESTED 189 | * ... 190 | * ... 191 | * WGPEER_A_PROTOCOL_VERSION: NLA_U32 192 | + * WGPEER_A_FORCED_HANDSHAKE_INTERVAL: NLA_U16 193 | + * WGPEER_A_LAST_RECEIVE_TIME: NLA_EXACT_LEN, struct __kernel_timespec 194 | * 0: NLA_NESTED 195 | * ... 196 | * ... 197 | * 198 | * It is possible that all of the allowed IPs of a single peer will not 199 | * fit within a single netlink message. In that case, the same peer will 200 | * be written in the following message, except it will only contain 201 | @@ -107,14 +109,15 @@ 202 | * ... 203 | * ... 204 | * WGPEER_A_PROTOCOL_VERSION: NLA_U32, should not be set or used at 205 | * all by most users of this API, as the 206 | * most recent protocol will be used when 207 | * this is unset. Otherwise, must be set 208 | * to 1. 209 | + * WGPEER_A_FORCED_HANDSHAKE_INTERVAL: NLA_U16, 0 to disable 210 | * 0: NLA_NESTED 211 | * ... 212 | * ... 213 | * 214 | * It is possible that the amount of configuration data exceeds that of 215 | * the maximum message length accepted by the kernel. In that case, several 216 | * messages should be sent one after another, with each successive one 217 | @@ -176,14 +179,16 @@ enum wgpeer_attribute { 218 | WGPEER_A_ENDPOINT, 219 | WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, 220 | WGPEER_A_LAST_HANDSHAKE_TIME, 221 | WGPEER_A_RX_BYTES, 222 | WGPEER_A_TX_BYTES, 223 | WGPEER_A_ALLOWEDIPS, 224 | WGPEER_A_PROTOCOL_VERSION, 225 | + WGPEER_A_FORCED_HANDSHAKE_INTERVAL, 226 | + WGPEER_A_LAST_RECEIVE_TIME, 227 | __WGPEER_A_LAST 228 | }; 229 | #define WGPEER_A_MAX (__WGPEER_A_LAST - 1) 230 | 231 | enum wgallowedip_attribute { 232 | WGALLOWEDIP_A_UNSPEC, 233 | WGALLOWEDIP_A_FAMILY, 234 | -------------------------------------------------------------------------------- /src/bases/udm-2.4/prefix: -------------------------------------------------------------------------------- 1 | 4.19.152-ui-alpine 2 | -------------------------------------------------------------------------------- /src/bases/udm-2.4/versions.txt: -------------------------------------------------------------------------------- 1 | , 2 | -------------------------------------------------------------------------------- /src/bases/udm-base-2.4/linux-patches/linux-0001-localversion.patch: -------------------------------------------------------------------------------- 1 | --- a/localversion 1970-01-01 01:00:00.000000000 +0100 2 | +++ b/localversion 2021-07-23 16:01:53.017501275 -0600 3 | @@ -0,0 +1 @@ 4 | +-ui-alpine-udm 5 | -------------------------------------------------------------------------------- /src/bases/udm-base-2.4/patches/wireguard-linux-compat/0001-exclude-skb_put_data-for-kernel-v4.4.198.patch: -------------------------------------------------------------------------------- 1 | --- a/src/compat/compat.h 2 | +++ b/src/compat/compat.h 3 | @@ -664,7 +664,8 @@ struct __compat_dummy_container { char dev; }; 4 | #define genl_dump_check_consistent(a, b) genl_dump_check_consistent(a, b, &genl_family) 5 | #endif 6 | 7 | -#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) && !defined(ISRHEL7) 8 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) && !defined(ISRHEL7) && \ 9 | + LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 198) 10 | static inline void *skb_put_data(struct sk_buff *skb, const void *data, unsigned int len) 11 | { 12 | void *tmp = skb_put(skb, len); 13 | 14 | 15 | -------------------------------------------------------------------------------- /src/bases/udm-base-2.4/patches/wireguard-linux-compat/0002-exclude-skb_put_data-for-kernel-v4.4.60.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/compat/compat.h b/src/compat/compat.h 2 | index 7acbfc6..845238c 100644 3 | --- a/src/compat/compat.h 4 | +++ b/src/compat/compat.h 5 | @@ -665,7 +665,8 @@ struct __compat_dummy_container { char dev; }; 6 | #endif 7 | 8 | #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) && !defined(ISRHEL7) && \ 9 | - LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 198) 10 | + LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 198) && \ 11 | + LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 60) 12 | static inline void *skb_put_data(struct sk_buff *skb, const void *data, unsigned int len) 13 | { 14 | void *tmp = skb_put(skb, len); 15 | -------------------------------------------------------------------------------- /src/bases/udm-base-2.4/patches/wireguard-linux-compat/021-ubnt-reuse-addr-and-port-for-udp-tunnel.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/compat/udp_tunnel/udp_tunnel_partial_compat.h b/src/compat/udp_tunnel/udp_tunnel_partial_compat.h 2 | index 0605896..ca810fd 100644 3 | --- a/src/compat/udp_tunnel/udp_tunnel_partial_compat.h 4 | +++ b/src/compat/udp_tunnel/udp_tunnel_partial_compat.h 5 | @@ -168,15 +168,15 @@ struct __compat_udp_port_cfg { 6 | struct in_addr peer_ip; 7 | #if IS_ENABLED(CONFIG_IPV6) 8 | struct in6_addr peer_ip6; 9 | #endif 10 | }; 11 | __be16 local_udp_port; 12 | __be16 peer_udp_port; 13 | - unsigned int use_udp_checksums:1, use_udp6_tx_checksums:1, use_udp6_rx_checksums:1, ipv6_v6only:1; 14 | + unsigned int use_udp_checksums:1, use_udp6_tx_checksums:1, use_udp6_rx_checksums:1, reuse_addr:1, reuse_port:1, ipv6_v6only:1; 15 | }; 16 | static inline int __maybe_unused __compat_udp_sock_create(struct net *net, struct __compat_udp_port_cfg *cfg, struct socket **sockp) 17 | { 18 | struct udp_port_cfg old_cfg = { 19 | .family = cfg->family, 20 | .local_ip = cfg->local_ip, 21 | #if IS_ENABLED(CONFIG_IPV6) 22 | @@ -186,15 +186,17 @@ static inline int __maybe_unused __compat_udp_sock_create(struct net *net, struc 23 | #if IS_ENABLED(CONFIG_IPV6) 24 | .peer_ip6 = cfg->peer_ip6, 25 | #endif 26 | .local_udp_port = cfg->local_udp_port, 27 | .peer_udp_port = cfg->peer_udp_port, 28 | .use_udp_checksums = cfg->use_udp_checksums, 29 | .use_udp6_tx_checksums = cfg->use_udp6_tx_checksums, 30 | - .use_udp6_rx_checksums = cfg->use_udp6_rx_checksums 31 | + .use_udp6_rx_checksums = cfg->use_udp6_rx_checksums, 32 | + .reuse_addr = cfg->reuse_addr, 33 | + .reuse_port = cfg->reuse_port 34 | }; 35 | if (cfg->family == AF_INET) 36 | return udp_sock_create4(net, &old_cfg, sockp); 37 | 38 | #if IS_ENABLED(CONFIG_IPV6) 39 | if (cfg->family == AF_INET6) { 40 | int ret; 41 | diff --git a/src/socket.c b/src/socket.c 42 | index e8eceeb..dcc4088 100644 43 | --- a/src/socket.c 44 | +++ b/src/socket.c 45 | @@ -355,23 +355,27 @@ int wg_socket_init(struct wg_device *wg, u16 port) 46 | .encap_rcv = wg_receive 47 | }; 48 | struct socket *new4 = NULL, *new6 = NULL; 49 | struct udp_port_cfg port4 = { 50 | .family = AF_INET, 51 | .local_ip.s_addr = htonl(INADDR_ANY), 52 | .local_udp_port = htons(port), 53 | - .use_udp_checksums = true 54 | + .use_udp_checksums = true, 55 | + .reuse_addr = true, 56 | + .reuse_port = true 57 | }; 58 | #if IS_ENABLED(CONFIG_IPV6) 59 | int retries = 0; 60 | struct udp_port_cfg port6 = { 61 | .family = AF_INET6, 62 | .local_ip6 = IN6ADDR_ANY_INIT, 63 | .use_udp6_tx_checksums = true, 64 | .use_udp6_rx_checksums = true, 65 | + .reuse_addr = true, 66 | + .reuse_port = true, 67 | .ipv6_v6only = true 68 | }; 69 | #endif 70 | 71 | rcu_read_lock(); 72 | net = rcu_dereference(wg->creating_net); 73 | net = net ? maybe_get_net(net) : NULL; 74 | -------------------------------------------------------------------------------- /src/bases/udm-base-2.4/patches/wireguard-linux-compat/041-ubnt-protection-from-routing-loops.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/device.c b/src/device.c 2 | index c673446..25aac06 100644 3 | --- a/src/device.c 4 | +++ b/src/device.c 5 | @@ -127,14 +127,26 @@ static netdev_tx_t wg_xmit(struct sk_buff *skb, struct net_device *dev) 6 | struct sk_buff_head packets; 7 | struct wg_peer *peer; 8 | struct sk_buff *next; 9 | sa_family_t family; 10 | u32 mtu; 11 | int ret; 12 | 13 | + if (unlikely(skb->mark & wg->fwmark)) { 14 | + ret = -ENETDOWN; 15 | + net_crit_ratelimited("%s: loop detected, dropping skb of length %u\n", dev->name, skb->len); 16 | + goto err; 17 | + } 18 | + 19 | + if (unlikely(skb_end_offset(skb) > 33000)) { 20 | + ret = -ENETDOWN; 21 | + net_crit_ratelimited("%s: possible loop detected, dropping skb of size %u\n", dev->name, skb_end_offset(skb)); 22 | + goto err; 23 | + } 24 | + 25 | if (unlikely(!wg_check_packet_protocol(skb))) { 26 | ret = -EPROTONOSUPPORT; 27 | net_dbg_ratelimited("%s: Invalid IP packet\n", dev->name); 28 | goto err; 29 | } 30 | 31 | peer = wg_allowedips_lookup_dst(&wg->peer_allowedips, skb); 32 | -------------------------------------------------------------------------------- /src/bases/udm-base-2.4/patches/wireguard-linux-compat/099-ubnt-add-get-last-receive-timeout.patch: -------------------------------------------------------------------------------- 1 | --- a/src/netlink.c 2 | +++ b/src/netlink.c 3 | @@ -34,15 +34,17 @@ static const struct nla_policy peer_poli 4 | [WGPEER_A_FLAGS] = { .type = NLA_U32 }, 5 | [WGPEER_A_ENDPOINT] = NLA_POLICY_MIN_LEN(sizeof(struct sockaddr)), 6 | [WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NLA_U16 }, 7 | [WGPEER_A_LAST_HANDSHAKE_TIME] = NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)), 8 | [WGPEER_A_RX_BYTES] = { .type = NLA_U64 }, 9 | [WGPEER_A_TX_BYTES] = { .type = NLA_U64 }, 10 | [WGPEER_A_ALLOWEDIPS] = { .type = NLA_NESTED }, 11 | - [WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32 } 12 | + [WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32 }, 13 | + [WGPEER_A_FORCED_HANDSHAKE_INTERVAL] = { .type = NLA_U16 }, 14 | + [WGPEER_A_LAST_RECEIVE_TIME] = NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)), 15 | }; 16 | 17 | static const struct nla_policy allowedip_policy[WGALLOWEDIP_A_MAX + 1] = { 18 | [WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16 }, 19 | [WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(sizeof(struct in_addr)), 20 | [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 } 21 | }; 22 | @@ -119,31 +121,39 @@ get_peer(struct wg_peer *peer, struct sk 23 | goto err; 24 | 25 | if (!allowedips_node) { 26 | const struct __kernel_timespec last_handshake = { 27 | .tv_sec = peer->walltime_last_handshake.tv_sec, 28 | .tv_nsec = peer->walltime_last_handshake.tv_nsec 29 | }; 30 | + const struct __kernel_timespec last_receive = { 31 | + .tv_sec = peer->walltime_last_receive.tv_sec, 32 | + .tv_nsec = peer->walltime_last_receive.tv_nsec 33 | + }; 34 | 35 | down_read(&peer->handshake.lock); 36 | fail = nla_put(skb, WGPEER_A_PRESHARED_KEY, 37 | NOISE_SYMMETRIC_KEY_LEN, 38 | peer->handshake.preshared_key); 39 | up_read(&peer->handshake.lock); 40 | if (fail) 41 | goto err; 42 | 43 | if (nla_put(skb, WGPEER_A_LAST_HANDSHAKE_TIME, 44 | sizeof(last_handshake), &last_handshake) || 45 | + nla_put(skb, WGPEER_A_LAST_RECEIVE_TIME, 46 | + sizeof(last_receive), &last_receive) || 47 | nla_put_u16(skb, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, 48 | peer->persistent_keepalive_interval) || 49 | nla_put_u64_64bit(skb, WGPEER_A_TX_BYTES, peer->tx_bytes, 50 | WGPEER_A_UNSPEC) || 51 | nla_put_u64_64bit(skb, WGPEER_A_RX_BYTES, peer->rx_bytes, 52 | WGPEER_A_UNSPEC) || 53 | + nla_put_u16(skb, WGPEER_A_FORCED_HANDSHAKE_INTERVAL, 54 | + peer->forced_handshake_interval) || 55 | nla_put_u32(skb, WGPEER_A_PROTOCOL_VERSION, 1)) 56 | goto err; 57 | 58 | read_lock_bh(&peer->endpoint_lock); 59 | if (peer->endpoint.addr.sa_family == AF_INET) 60 | fail = nla_put(skb, WGPEER_A_ENDPOINT, 61 | sizeof(peer->endpoint.addr4), 62 | @@ -474,14 +484,19 @@ static int set_peer(struct wg_device *wg 63 | netif_running(wg->dev); 64 | 65 | peer->persistent_keepalive_interval = persistent_keepalive_interval; 66 | if (send_keepalive) 67 | wg_packet_send_keepalive(peer); 68 | } 69 | 70 | + if (attrs[WGPEER_A_FORCED_HANDSHAKE_INTERVAL]) { 71 | + peer->forced_handshake_interval = nla_get_u16( 72 | + attrs[WGPEER_A_FORCED_HANDSHAKE_INTERVAL]); 73 | + } 74 | + 75 | if (netif_running(wg->dev)) 76 | wg_packet_send_staged_packets(peer); 77 | 78 | out: 79 | wg_peer_put(peer); 80 | if (attrs[WGPEER_A_PRESHARED_KEY]) 81 | memzero_explicit(nla_data(attrs[WGPEER_A_PRESHARED_KEY]), 82 | --- a/src/peer.h 83 | +++ b/src/peer.h 84 | @@ -60,14 +60,17 @@ struct wg_peer { 85 | struct timespec64 walltime_last_handshake; 86 | struct kref refcount; 87 | struct rcu_head rcu; 88 | struct list_head peer_list; 89 | struct list_head allowedips_list; 90 | struct napi_struct napi; 91 | u64 internal_id; 92 | + u16 forced_handshake_interval; 93 | + struct timer_list timer_forced_handshake; 94 | + struct timespec64 walltime_last_receive; 95 | }; 96 | 97 | struct wg_peer *wg_peer_create(struct wg_device *wg, 98 | const u8 public_key[NOISE_PUBLIC_KEY_LEN], 99 | const u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN]); 100 | 101 | struct wg_peer *__must_check wg_peer_get_maybe_zero(struct wg_peer *peer); 102 | --- a/src/timers.c 103 | +++ b/src/timers.c 104 | @@ -137,14 +137,31 @@ static void wg_expired_send_persistent_k 105 | struct wg_peer *peer = from_timer(peer, timer, 106 | timer_persistent_keepalive); 107 | 108 | if (likely(peer->persistent_keepalive_interval)) 109 | wg_packet_send_keepalive(peer); 110 | } 111 | 112 | +static void wg_expired_forced_handshake(struct timer_list *timer) 113 | +{ 114 | + struct wg_peer *peer = from_timer(peer, timer, timer_forced_handshake); 115 | + 116 | + if (!likely(peer->forced_handshake_interval)) 117 | + return; 118 | + 119 | + pr_debug("%s: Retrying handshake with peer %llu (%pISpfsc) because we stopped hearing back after forced handshake timeout %d seconds\n", 120 | + peer->device->dev->name, peer->internal_id, 121 | + &peer->endpoint.addr, peer->forced_handshake_interval); 122 | + /* We clear the endpoint address src address, in case this is the cause 123 | + * of trouble. 124 | + */ 125 | + wg_socket_clear_peer_endpoint_src(peer); 126 | + wg_packet_send_queued_handshake_initiation(peer, false); 127 | +} 128 | + 129 | /* Should be called after an authenticated data packet is sent. */ 130 | void wg_timers_data_sent(struct wg_peer *peer) 131 | { 132 | if (!timer_pending(&peer->timer_new_handshake)) 133 | mod_peer_timer(peer, &peer->timer_new_handshake, 134 | jiffies + (KEEPALIVE_TIMEOUT + REKEY_TIMEOUT) * HZ + 135 | prandom_u32_max(REKEY_TIMEOUT_JITTER_MAX_JIFFIES)); 136 | @@ -172,14 +189,19 @@ void wg_timers_any_authenticated_packet_ 137 | 138 | /* Should be called after any type of authenticated packet is received, whether 139 | * keepalive, data, or handshake. 140 | */ 141 | void wg_timers_any_authenticated_packet_received(struct wg_peer *peer) 142 | { 143 | del_timer(&peer->timer_new_handshake); 144 | + ktime_get_real_ts64(&peer->walltime_last_receive); 145 | + if (likely(peer->forced_handshake_interval)) { 146 | + mod_peer_timer(peer, &peer->timer_forced_handshake, 147 | + jiffies + peer->forced_handshake_interval * HZ); 148 | + } 149 | } 150 | 151 | /* Should be called after a handshake initiation message is sent. */ 152 | void wg_timers_handshake_initiated(struct wg_peer *peer) 153 | { 154 | mod_peer_timer(peer, &peer->timer_retransmit_handshake, 155 | jiffies + REKEY_TIMEOUT * HZ + 156 | @@ -222,22 +244,25 @@ void wg_timers_init(struct wg_peer *peer 157 | wg_expired_retransmit_handshake, 0); 158 | timer_setup(&peer->timer_send_keepalive, wg_expired_send_keepalive, 0); 159 | timer_setup(&peer->timer_new_handshake, wg_expired_new_handshake, 0); 160 | timer_setup(&peer->timer_zero_key_material, 161 | wg_expired_zero_key_material, 0); 162 | timer_setup(&peer->timer_persistent_keepalive, 163 | wg_expired_send_persistent_keepalive, 0); 164 | + timer_setup(&peer->timer_forced_handshake, 165 | + wg_expired_forced_handshake, 0); 166 | INIT_WORK(&peer->clear_peer_work, wg_queued_expired_zero_key_material); 167 | peer->timer_handshake_attempts = 0; 168 | peer->sent_lastminute_handshake = false; 169 | peer->timer_need_another_keepalive = false; 170 | } 171 | 172 | void wg_timers_stop(struct wg_peer *peer) 173 | { 174 | del_timer_sync(&peer->timer_retransmit_handshake); 175 | del_timer_sync(&peer->timer_send_keepalive); 176 | del_timer_sync(&peer->timer_new_handshake); 177 | + del_timer_sync(&peer->timer_forced_handshake); 178 | del_timer_sync(&peer->timer_zero_key_material); 179 | del_timer_sync(&peer->timer_persistent_keepalive); 180 | flush_work(&peer->clear_peer_work); 181 | } 182 | --- a/src/uapi/wireguard.h 183 | +++ b/src/uapi/wireguard.h 184 | @@ -45,14 +45,16 @@ 185 | * WGALLOWEDIP_A_CIDR_MASK: NLA_U8 186 | * 0: NLA_NESTED 187 | * ... 188 | * 0: NLA_NESTED 189 | * ... 190 | * ... 191 | * WGPEER_A_PROTOCOL_VERSION: NLA_U32 192 | + * WGPEER_A_FORCED_HANDSHAKE_INTERVAL: NLA_U16 193 | + * WGPEER_A_LAST_RECEIVE_TIME: NLA_EXACT_LEN, struct __kernel_timespec 194 | * 0: NLA_NESTED 195 | * ... 196 | * ... 197 | * 198 | * It is possible that all of the allowed IPs of a single peer will not 199 | * fit within a single netlink message. In that case, the same peer will 200 | * be written in the following message, except it will only contain 201 | @@ -107,14 +109,15 @@ 202 | * ... 203 | * ... 204 | * WGPEER_A_PROTOCOL_VERSION: NLA_U32, should not be set or used at 205 | * all by most users of this API, as the 206 | * most recent protocol will be used when 207 | * this is unset. Otherwise, must be set 208 | * to 1. 209 | + * WGPEER_A_FORCED_HANDSHAKE_INTERVAL: NLA_U16, 0 to disable 210 | * 0: NLA_NESTED 211 | * ... 212 | * ... 213 | * 214 | * It is possible that the amount of configuration data exceeds that of 215 | * the maximum message length accepted by the kernel. In that case, several 216 | * messages should be sent one after another, with each successive one 217 | @@ -176,14 +179,16 @@ enum wgpeer_attribute { 218 | WGPEER_A_ENDPOINT, 219 | WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, 220 | WGPEER_A_LAST_HANDSHAKE_TIME, 221 | WGPEER_A_RX_BYTES, 222 | WGPEER_A_TX_BYTES, 223 | WGPEER_A_ALLOWEDIPS, 224 | WGPEER_A_PROTOCOL_VERSION, 225 | + WGPEER_A_FORCED_HANDSHAKE_INTERVAL, 226 | + WGPEER_A_LAST_RECEIVE_TIME, 227 | __WGPEER_A_LAST 228 | }; 229 | #define WGPEER_A_MAX (__WGPEER_A_LAST - 1) 230 | 231 | enum wgallowedip_attribute { 232 | WGALLOWEDIP_A_UNSPEC, 233 | WGALLOWEDIP_A_FAMILY, 234 | -------------------------------------------------------------------------------- /src/bases/udm-base-2.4/prefix: -------------------------------------------------------------------------------- 1 | 4.19.152-ui-alpine-udm 2 | -------------------------------------------------------------------------------- /src/bases/udm-base-2.4/versions.txt: -------------------------------------------------------------------------------- 1 | , 2 | -------------------------------------------------------------------------------- /src/bases/udr-3.0.13/patches/wireguard-linux-compat/0001-exclude-skb_put_data-for-kernel-v4.4.198.patch: -------------------------------------------------------------------------------- 1 | --- a/src/compat/compat.h 2 | +++ b/src/compat/compat.h 3 | @@ -664,7 +664,8 @@ struct __compat_dummy_container { char dev; }; 4 | #define genl_dump_check_consistent(a, b) genl_dump_check_consistent(a, b, &genl_family) 5 | #endif 6 | 7 | -#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) && !defined(ISRHEL7) 8 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) && !defined(ISRHEL7) && \ 9 | + LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 198) 10 | static inline void *skb_put_data(struct sk_buff *skb, const void *data, unsigned int len) 11 | { 12 | void *tmp = skb_put(skb, len); 13 | 14 | 15 | -------------------------------------------------------------------------------- /src/bases/udr-3.0.13/patches/wireguard-linux-compat/0002-exclude-skb_put_data-for-kernel-v4.4.60.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/compat/compat.h b/src/compat/compat.h 2 | index 7acbfc6..845238c 100644 3 | --- a/src/compat/compat.h 4 | +++ b/src/compat/compat.h 5 | @@ -665,7 +665,8 @@ struct __compat_dummy_container { char dev; }; 6 | #endif 7 | 8 | #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) && !defined(ISRHEL7) && \ 9 | - LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 198) 10 | + LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 198) && \ 11 | + LINUX_VERSION_CODE != KERNEL_VERSION(4, 4, 60) 12 | static inline void *skb_put_data(struct sk_buff *skb, const void *data, unsigned int len) 13 | { 14 | void *tmp = skb_put(skb, len); 15 | -------------------------------------------------------------------------------- /src/bases/udr-3.0.13/patches/wireguard-linux-compat/021-ubnt-reuse-addr-and-port-for-udp-tunnel.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/compat/udp_tunnel/udp_tunnel_partial_compat.h b/src/compat/udp_tunnel/udp_tunnel_partial_compat.h 2 | index 0605896..ca810fd 100644 3 | --- a/src/compat/udp_tunnel/udp_tunnel_partial_compat.h 4 | +++ b/src/compat/udp_tunnel/udp_tunnel_partial_compat.h 5 | @@ -168,15 +168,15 @@ struct __compat_udp_port_cfg { 6 | struct in_addr peer_ip; 7 | #if IS_ENABLED(CONFIG_IPV6) 8 | struct in6_addr peer_ip6; 9 | #endif 10 | }; 11 | __be16 local_udp_port; 12 | __be16 peer_udp_port; 13 | - unsigned int use_udp_checksums:1, use_udp6_tx_checksums:1, use_udp6_rx_checksums:1, ipv6_v6only:1; 14 | + unsigned int use_udp_checksums:1, use_udp6_tx_checksums:1, use_udp6_rx_checksums:1, reuse_addr:1, reuse_port:1, ipv6_v6only:1; 15 | }; 16 | static inline int __maybe_unused __compat_udp_sock_create(struct net *net, struct __compat_udp_port_cfg *cfg, struct socket **sockp) 17 | { 18 | struct udp_port_cfg old_cfg = { 19 | .family = cfg->family, 20 | .local_ip = cfg->local_ip, 21 | #if IS_ENABLED(CONFIG_IPV6) 22 | @@ -186,15 +186,17 @@ static inline int __maybe_unused __compat_udp_sock_create(struct net *net, struc 23 | #if IS_ENABLED(CONFIG_IPV6) 24 | .peer_ip6 = cfg->peer_ip6, 25 | #endif 26 | .local_udp_port = cfg->local_udp_port, 27 | .peer_udp_port = cfg->peer_udp_port, 28 | .use_udp_checksums = cfg->use_udp_checksums, 29 | .use_udp6_tx_checksums = cfg->use_udp6_tx_checksums, 30 | - .use_udp6_rx_checksums = cfg->use_udp6_rx_checksums 31 | + .use_udp6_rx_checksums = cfg->use_udp6_rx_checksums, 32 | + .reuse_addr = cfg->reuse_addr, 33 | + .reuse_port = cfg->reuse_port 34 | }; 35 | if (cfg->family == AF_INET) 36 | return udp_sock_create4(net, &old_cfg, sockp); 37 | 38 | #if IS_ENABLED(CONFIG_IPV6) 39 | if (cfg->family == AF_INET6) { 40 | int ret; 41 | diff --git a/src/socket.c b/src/socket.c 42 | index e8eceeb..dcc4088 100644 43 | --- a/src/socket.c 44 | +++ b/src/socket.c 45 | @@ -355,23 +355,27 @@ int wg_socket_init(struct wg_device *wg, u16 port) 46 | .encap_rcv = wg_receive 47 | }; 48 | struct socket *new4 = NULL, *new6 = NULL; 49 | struct udp_port_cfg port4 = { 50 | .family = AF_INET, 51 | .local_ip.s_addr = htonl(INADDR_ANY), 52 | .local_udp_port = htons(port), 53 | - .use_udp_checksums = true 54 | + .use_udp_checksums = true, 55 | + .reuse_addr = true, 56 | + .reuse_port = true 57 | }; 58 | #if IS_ENABLED(CONFIG_IPV6) 59 | int retries = 0; 60 | struct udp_port_cfg port6 = { 61 | .family = AF_INET6, 62 | .local_ip6 = IN6ADDR_ANY_INIT, 63 | .use_udp6_tx_checksums = true, 64 | .use_udp6_rx_checksums = true, 65 | + .reuse_addr = true, 66 | + .reuse_port = true, 67 | .ipv6_v6only = true 68 | }; 69 | #endif 70 | 71 | rcu_read_lock(); 72 | net = rcu_dereference(wg->creating_net); 73 | net = net ? maybe_get_net(net) : NULL; 74 | -------------------------------------------------------------------------------- /src/bases/udr-3.0.13/patches/wireguard-linux-compat/041-ubnt-protection-from-routing-loops.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/device.c b/src/device.c 2 | index c673446..25aac06 100644 3 | --- a/src/device.c 4 | +++ b/src/device.c 5 | @@ -127,14 +127,26 @@ static netdev_tx_t wg_xmit(struct sk_buff *skb, struct net_device *dev) 6 | struct sk_buff_head packets; 7 | struct wg_peer *peer; 8 | struct sk_buff *next; 9 | sa_family_t family; 10 | u32 mtu; 11 | int ret; 12 | 13 | + if (unlikely(skb->mark & wg->fwmark)) { 14 | + ret = -ENETDOWN; 15 | + net_crit_ratelimited("%s: loop detected, dropping skb of length %u\n", dev->name, skb->len); 16 | + goto err; 17 | + } 18 | + 19 | + if (unlikely(skb_end_offset(skb) > 33000)) { 20 | + ret = -ENETDOWN; 21 | + net_crit_ratelimited("%s: possible loop detected, dropping skb of size %u\n", dev->name, skb_end_offset(skb)); 22 | + goto err; 23 | + } 24 | + 25 | if (unlikely(!wg_check_packet_protocol(skb))) { 26 | ret = -EPROTONOSUPPORT; 27 | net_dbg_ratelimited("%s: Invalid IP packet\n", dev->name); 28 | goto err; 29 | } 30 | 31 | peer = wg_allowedips_lookup_dst(&wg->peer_allowedips, skb); 32 | -------------------------------------------------------------------------------- /src/bases/udr-3.0.13/patches/wireguard-linux-compat/099-ubnt-add-get-last-receive-timeout.patch: -------------------------------------------------------------------------------- 1 | --- a/src/netlink.c 2 | +++ b/src/netlink.c 3 | @@ -34,15 +34,17 @@ static const struct nla_policy peer_poli 4 | [WGPEER_A_FLAGS] = { .type = NLA_U32 }, 5 | [WGPEER_A_ENDPOINT] = NLA_POLICY_MIN_LEN(sizeof(struct sockaddr)), 6 | [WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NLA_U16 }, 7 | [WGPEER_A_LAST_HANDSHAKE_TIME] = NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)), 8 | [WGPEER_A_RX_BYTES] = { .type = NLA_U64 }, 9 | [WGPEER_A_TX_BYTES] = { .type = NLA_U64 }, 10 | [WGPEER_A_ALLOWEDIPS] = { .type = NLA_NESTED }, 11 | - [WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32 } 12 | + [WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32 }, 13 | + [WGPEER_A_FORCED_HANDSHAKE_INTERVAL] = { .type = NLA_U16 }, 14 | + [WGPEER_A_LAST_RECEIVE_TIME] = NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)), 15 | }; 16 | 17 | static const struct nla_policy allowedip_policy[WGALLOWEDIP_A_MAX + 1] = { 18 | [WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16 }, 19 | [WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(sizeof(struct in_addr)), 20 | [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 } 21 | }; 22 | @@ -119,31 +121,39 @@ get_peer(struct wg_peer *peer, struct sk 23 | goto err; 24 | 25 | if (!allowedips_node) { 26 | const struct __kernel_timespec last_handshake = { 27 | .tv_sec = peer->walltime_last_handshake.tv_sec, 28 | .tv_nsec = peer->walltime_last_handshake.tv_nsec 29 | }; 30 | + const struct __kernel_timespec last_receive = { 31 | + .tv_sec = peer->walltime_last_receive.tv_sec, 32 | + .tv_nsec = peer->walltime_last_receive.tv_nsec 33 | + }; 34 | 35 | down_read(&peer->handshake.lock); 36 | fail = nla_put(skb, WGPEER_A_PRESHARED_KEY, 37 | NOISE_SYMMETRIC_KEY_LEN, 38 | peer->handshake.preshared_key); 39 | up_read(&peer->handshake.lock); 40 | if (fail) 41 | goto err; 42 | 43 | if (nla_put(skb, WGPEER_A_LAST_HANDSHAKE_TIME, 44 | sizeof(last_handshake), &last_handshake) || 45 | + nla_put(skb, WGPEER_A_LAST_RECEIVE_TIME, 46 | + sizeof(last_receive), &last_receive) || 47 | nla_put_u16(skb, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, 48 | peer->persistent_keepalive_interval) || 49 | nla_put_u64_64bit(skb, WGPEER_A_TX_BYTES, peer->tx_bytes, 50 | WGPEER_A_UNSPEC) || 51 | nla_put_u64_64bit(skb, WGPEER_A_RX_BYTES, peer->rx_bytes, 52 | WGPEER_A_UNSPEC) || 53 | + nla_put_u16(skb, WGPEER_A_FORCED_HANDSHAKE_INTERVAL, 54 | + peer->forced_handshake_interval) || 55 | nla_put_u32(skb, WGPEER_A_PROTOCOL_VERSION, 1)) 56 | goto err; 57 | 58 | read_lock_bh(&peer->endpoint_lock); 59 | if (peer->endpoint.addr.sa_family == AF_INET) 60 | fail = nla_put(skb, WGPEER_A_ENDPOINT, 61 | sizeof(peer->endpoint.addr4), 62 | @@ -474,14 +484,19 @@ static int set_peer(struct wg_device *wg 63 | netif_running(wg->dev); 64 | 65 | peer->persistent_keepalive_interval = persistent_keepalive_interval; 66 | if (send_keepalive) 67 | wg_packet_send_keepalive(peer); 68 | } 69 | 70 | + if (attrs[WGPEER_A_FORCED_HANDSHAKE_INTERVAL]) { 71 | + peer->forced_handshake_interval = nla_get_u16( 72 | + attrs[WGPEER_A_FORCED_HANDSHAKE_INTERVAL]); 73 | + } 74 | + 75 | if (netif_running(wg->dev)) 76 | wg_packet_send_staged_packets(peer); 77 | 78 | out: 79 | wg_peer_put(peer); 80 | if (attrs[WGPEER_A_PRESHARED_KEY]) 81 | memzero_explicit(nla_data(attrs[WGPEER_A_PRESHARED_KEY]), 82 | --- a/src/peer.h 83 | +++ b/src/peer.h 84 | @@ -60,14 +60,17 @@ struct wg_peer { 85 | struct timespec64 walltime_last_handshake; 86 | struct kref refcount; 87 | struct rcu_head rcu; 88 | struct list_head peer_list; 89 | struct list_head allowedips_list; 90 | struct napi_struct napi; 91 | u64 internal_id; 92 | + u16 forced_handshake_interval; 93 | + struct timer_list timer_forced_handshake; 94 | + struct timespec64 walltime_last_receive; 95 | }; 96 | 97 | struct wg_peer *wg_peer_create(struct wg_device *wg, 98 | const u8 public_key[NOISE_PUBLIC_KEY_LEN], 99 | const u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN]); 100 | 101 | struct wg_peer *__must_check wg_peer_get_maybe_zero(struct wg_peer *peer); 102 | --- a/src/timers.c 103 | +++ b/src/timers.c 104 | @@ -137,14 +137,31 @@ static void wg_expired_send_persistent_k 105 | struct wg_peer *peer = from_timer(peer, timer, 106 | timer_persistent_keepalive); 107 | 108 | if (likely(peer->persistent_keepalive_interval)) 109 | wg_packet_send_keepalive(peer); 110 | } 111 | 112 | +static void wg_expired_forced_handshake(struct timer_list *timer) 113 | +{ 114 | + struct wg_peer *peer = from_timer(peer, timer, timer_forced_handshake); 115 | + 116 | + if (!likely(peer->forced_handshake_interval)) 117 | + return; 118 | + 119 | + pr_debug("%s: Retrying handshake with peer %llu (%pISpfsc) because we stopped hearing back after forced handshake timeout %d seconds\n", 120 | + peer->device->dev->name, peer->internal_id, 121 | + &peer->endpoint.addr, peer->forced_handshake_interval); 122 | + /* We clear the endpoint address src address, in case this is the cause 123 | + * of trouble. 124 | + */ 125 | + wg_socket_clear_peer_endpoint_src(peer); 126 | + wg_packet_send_queued_handshake_initiation(peer, false); 127 | +} 128 | + 129 | /* Should be called after an authenticated data packet is sent. */ 130 | void wg_timers_data_sent(struct wg_peer *peer) 131 | { 132 | if (!timer_pending(&peer->timer_new_handshake)) 133 | mod_peer_timer(peer, &peer->timer_new_handshake, 134 | jiffies + (KEEPALIVE_TIMEOUT + REKEY_TIMEOUT) * HZ + 135 | prandom_u32_max(REKEY_TIMEOUT_JITTER_MAX_JIFFIES)); 136 | @@ -172,14 +189,19 @@ void wg_timers_any_authenticated_packet_ 137 | 138 | /* Should be called after any type of authenticated packet is received, whether 139 | * keepalive, data, or handshake. 140 | */ 141 | void wg_timers_any_authenticated_packet_received(struct wg_peer *peer) 142 | { 143 | del_timer(&peer->timer_new_handshake); 144 | + ktime_get_real_ts64(&peer->walltime_last_receive); 145 | + if (likely(peer->forced_handshake_interval)) { 146 | + mod_peer_timer(peer, &peer->timer_forced_handshake, 147 | + jiffies + peer->forced_handshake_interval * HZ); 148 | + } 149 | } 150 | 151 | /* Should be called after a handshake initiation message is sent. */ 152 | void wg_timers_handshake_initiated(struct wg_peer *peer) 153 | { 154 | mod_peer_timer(peer, &peer->timer_retransmit_handshake, 155 | jiffies + REKEY_TIMEOUT * HZ + 156 | @@ -222,22 +244,25 @@ void wg_timers_init(struct wg_peer *peer 157 | wg_expired_retransmit_handshake, 0); 158 | timer_setup(&peer->timer_send_keepalive, wg_expired_send_keepalive, 0); 159 | timer_setup(&peer->timer_new_handshake, wg_expired_new_handshake, 0); 160 | timer_setup(&peer->timer_zero_key_material, 161 | wg_expired_zero_key_material, 0); 162 | timer_setup(&peer->timer_persistent_keepalive, 163 | wg_expired_send_persistent_keepalive, 0); 164 | + timer_setup(&peer->timer_forced_handshake, 165 | + wg_expired_forced_handshake, 0); 166 | INIT_WORK(&peer->clear_peer_work, wg_queued_expired_zero_key_material); 167 | peer->timer_handshake_attempts = 0; 168 | peer->sent_lastminute_handshake = false; 169 | peer->timer_need_another_keepalive = false; 170 | } 171 | 172 | void wg_timers_stop(struct wg_peer *peer) 173 | { 174 | del_timer_sync(&peer->timer_retransmit_handshake); 175 | del_timer_sync(&peer->timer_send_keepalive); 176 | del_timer_sync(&peer->timer_new_handshake); 177 | + del_timer_sync(&peer->timer_forced_handshake); 178 | del_timer_sync(&peer->timer_zero_key_material); 179 | del_timer_sync(&peer->timer_persistent_keepalive); 180 | flush_work(&peer->clear_peer_work); 181 | } 182 | --- a/src/uapi/wireguard.h 183 | +++ b/src/uapi/wireguard.h 184 | @@ -45,14 +45,16 @@ 185 | * WGALLOWEDIP_A_CIDR_MASK: NLA_U8 186 | * 0: NLA_NESTED 187 | * ... 188 | * 0: NLA_NESTED 189 | * ... 190 | * ... 191 | * WGPEER_A_PROTOCOL_VERSION: NLA_U32 192 | + * WGPEER_A_FORCED_HANDSHAKE_INTERVAL: NLA_U16 193 | + * WGPEER_A_LAST_RECEIVE_TIME: NLA_EXACT_LEN, struct __kernel_timespec 194 | * 0: NLA_NESTED 195 | * ... 196 | * ... 197 | * 198 | * It is possible that all of the allowed IPs of a single peer will not 199 | * fit within a single netlink message. In that case, the same peer will 200 | * be written in the following message, except it will only contain 201 | @@ -107,14 +109,15 @@ 202 | * ... 203 | * ... 204 | * WGPEER_A_PROTOCOL_VERSION: NLA_U32, should not be set or used at 205 | * all by most users of this API, as the 206 | * most recent protocol will be used when 207 | * this is unset. Otherwise, must be set 208 | * to 1. 209 | + * WGPEER_A_FORCED_HANDSHAKE_INTERVAL: NLA_U16, 0 to disable 210 | * 0: NLA_NESTED 211 | * ... 212 | * ... 213 | * 214 | * It is possible that the amount of configuration data exceeds that of 215 | * the maximum message length accepted by the kernel. In that case, several 216 | * messages should be sent one after another, with each successive one 217 | @@ -176,14 +179,16 @@ enum wgpeer_attribute { 218 | WGPEER_A_ENDPOINT, 219 | WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, 220 | WGPEER_A_LAST_HANDSHAKE_TIME, 221 | WGPEER_A_RX_BYTES, 222 | WGPEER_A_TX_BYTES, 223 | WGPEER_A_ALLOWEDIPS, 224 | WGPEER_A_PROTOCOL_VERSION, 225 | + WGPEER_A_FORCED_HANDSHAKE_INTERVAL, 226 | + WGPEER_A_LAST_RECEIVE_TIME, 227 | __WGPEER_A_LAST 228 | }; 229 | #define WGPEER_A_MAX (__WGPEER_A_LAST - 1) 230 | 231 | enum wgallowedip_attribute { 232 | WGALLOWEDIP_A_UNSPEC, 233 | WGALLOWEDIP_A_FAMILY, 234 | -------------------------------------------------------------------------------- /src/bases/udr-3.0.13/prefix: -------------------------------------------------------------------------------- 1 | 4.4.198-ui-mtk 2 | -------------------------------------------------------------------------------- /src/bases/udr-3.0.13/versions.txt: -------------------------------------------------------------------------------- 1 | , 2 | -------------------------------------------------------------------------------- /src/boot/setup-wireguard.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Run wireguard setup script 3 | Wants=network.target 4 | After=network.target 5 | 6 | [Service] 7 | Type=oneshot 8 | ExecStartPre=sh -c 'DIR="$(find /mnt/data/wireguard /data/wireguard -maxdepth 1 -type d -name "wireguard" 2>/dev/null | head -n1)"; ln -sf "$DIR/setup_wireguard.sh" /etc' 9 | ExecStart=/etc/setup_wireguard.sh 10 | 11 | [Install] 12 | WantedBy=multi-user.target 13 | -------------------------------------------------------------------------------- /src/build-wireguard.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Build the wireguard kernel module and utilities for the UDM. 3 | set -e 4 | 5 | if [ ! -f "buildroot-2017.11.1/Config.in" ] 6 | then 7 | if [ ! -f buildroot-2017.11.1.tar.bz2 ] 8 | then 9 | wget https://buildroot.org/downloads/buildroot-2017.11.1.tar.bz2 10 | fi 11 | tar -xvjf buildroot-2017.11.1.tar.bz2 12 | 13 | # copy packages and patches and add wireguard to buildroot menu selection 14 | cp -pr packages/* buildroot-2017.11.1/package 15 | for patch in patches/*.patch; do 16 | patch -p0 < "$patch" 17 | done 18 | 19 | # run make clean after extraction 20 | (cd buildroot-2017.11.1 && make clean || true) 21 | fi 22 | 23 | mkdir -p wireguard/modules 24 | cd buildroot-2017.11.1 25 | 26 | if [ -f "base-version" ]; then 27 | last_base_used="$(cat base-version)" 28 | fi 29 | for base in ../bases/*/; 30 | do 31 | # Exit if required kernel package does not exist. 32 | kernel_pkg=$(grep LINUX_KERNEL_CUSTOM_TARBALL_LOCATION "${base}/buildroot-config.txt" | 33 | sed -En s/".*(linux-.*.tar.gz).*"/"\1"/p) 34 | if [ ! -f "../bases/${kernel_pkg}" ]; then 35 | echo "Error: Linux kernel package ${kernel_pkg} not found. You need to download it to this directory." 36 | exit 0 37 | fi 38 | 39 | # Use the configuration for the current base version. 40 | cp "${base}/buildroot-config.txt" ./.config 41 | cp "${base}/kernel-config" ./ 42 | rm -rf ./linux-patches ./patches 43 | if [ -d "${base}/linux-patches" ]; then 44 | cp -rf "${base}/linux-patches" ./ 45 | fi 46 | if [ -d "${base}/patches" ]; then 47 | cp -rf "${base}/patches" ./ 48 | fi 49 | rm -rf output/build/linux-* 50 | versions="$(cat ${base}/versions.txt)" 51 | prefix="$(cat ${base}/prefix)" 52 | (IFS=',' 53 | for ver in $versions; do 54 | # Skip building module if already built. 55 | if [ -f "../wireguard/modules/wireguard-${prefix}${ver}.ko" ]; then 56 | echo "Skipping already built wireguard module for version ${prefix}${ver}." 57 | continue 58 | fi 59 | # Cleanup if current base is different than last base used. 60 | if [ "${base}" != "${last_base_used}" ]; then 61 | rm -rf output/build/linux-* 62 | echo "${base}" > base-version 63 | last_base_used=${base} 64 | fi 65 | echo "Building kernel version ${prefix}${ver} using base ${base}." 66 | make wireguard-linux-compat-dirclean 67 | sed -i -e '/CONFIG_LOCALVERSION=/s/.*/CONFIG_LOCALVERSION="'$ver'"/' kernel-config 68 | make wireguard-linux-compat-rebuild -j6 69 | cp ./output/build/wireguard-linux-compat-1.0.20220627/src/wireguard.ko ../wireguard/modules/wireguard-${prefix}${ver}.ko 70 | # the netfiler raw module is required in the wg-quick script for iptables-restore 71 | cp ./output/build/linux-custom/net/ipv4/netfilter/iptable_raw.ko ../wireguard/modules/iptable_raw-${prefix}${ver}.ko 72 | cp ./output/build/linux-custom/net/ipv6/netfilter/ip6table_raw.ko ../wireguard/modules/ip6table_raw-${prefix}${ver}.ko 73 | done) 74 | done 75 | 76 | # Build utilities if not previously built. 77 | if [ ! -f "../wireguard/usr/sbin/iftop" ]; then 78 | echo "Building utilities." 79 | mkdir -p ../wireguard/etc/wireguard 80 | mkdir -p ../wireguard/usr/bin 81 | mkdir -p ../wireguard/usr/sbin 82 | mkdir -p ../wireguard/sbin 83 | 84 | # Use 1.9.0-10 buildroot config for utilities 85 | base="../bases/udm-1.9.0-10" 86 | cp "${base}/buildroot-config.txt" ./.config 87 | cp "${base}/kernel-config" ./ 88 | rm -rf ./linux-patches ./patches 89 | if [ -d "${base}/linux-patches" ]; then 90 | cp -rf "${base}/linux-patches" ./ 91 | fi 92 | if [ -d "${base}/patches" ]; then 93 | cp -rf "${base}/patches" ./ 94 | fi 95 | rm -rf output/build/linux-* 96 | 97 | make wireguard-tools-rebuild 98 | cp ./output/target/usr/bin/wg ../wireguard/usr/bin 99 | cp ./output/build/wireguard-tools-*/src/wg-quick/linux.bash ../wireguard/usr/bin/wg-quick 100 | 101 | make openresolv-rebuild 102 | cp ./output/target/sbin/resolvconf ../wireguard/sbin 103 | cp ./output/target/etc/resolvconf.conf ../wireguard/etc 104 | 105 | make bash-rebuild 106 | cp ./output/target/bin/bash ../wireguard/usr/bin 107 | 108 | make libqrencode-rebuild 109 | cp ./output/target/usr/bin/qrencode ../wireguard/usr/bin 110 | 111 | make htop-rebuild 112 | cp ./output/target/usr/bin/htop ../wireguard/usr/bin 113 | 114 | make iftop-rebuild 115 | cp ./output/target/usr/sbin/iftop ../wireguard/usr/sbin 116 | else 117 | echo "Skipping already built utilities." 118 | fi 119 | 120 | cd ..; tar -cvzf ../releases/wireguard-kmod-`date +%m-%d-%y`.tar.Z wireguard/ 121 | -------------------------------------------------------------------------------- /src/packages/bison/0001-bison-glibc-change-work-around.patch: -------------------------------------------------------------------------------- 1 | Subject: Workaround change in glibc 2 | 3 | Temporary workaround to compile with glibc 2.28, which 4 | deprecated some constants 5 | 6 | Based on the workaround made for the tools/m4 package 7 | 8 | --- a/lib/stdio-impl.h 9 | +++ b/lib/stdio-impl.h 10 | @@ -18,6 +18,12 @@ 11 | the same implementation of stdio extension API, except that some fields 12 | have different naming conventions, or their access requires some casts. */ 13 | 14 | +/* Glibc 2.28 made _IO_IN_BACKUP private. For now, work around this 15 | + problem by defining it ourselves. FIXME: Do not rely on glibc 16 | + internals. */ 17 | +#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN 18 | +# define _IO_IN_BACKUP 0x100 19 | +#endif 20 | 21 | /* BSD stdio derived implementations. */ 22 | 23 | --- a/lib/fseterr.c 24 | +++ b/lib/fseterr.c 25 | @@ -29,7 +29,7 @@ 26 | /* Most systems provide FILE as a struct and the necessary bitmask in 27 | , because they need it for implementing getc() and putc() as 28 | fast macros. */ 29 | -#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 30 | +#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 31 | fp->_flags |= _IO_ERR_SEEN; 32 | #elif defined __sferror || defined __DragonFly__ /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin */ 33 | fp_->_flags |= __SERR; 34 | -------------------------------------------------------------------------------- /src/packages/dtc/0001-dtc-extern-yylloc.patch: -------------------------------------------------------------------------------- 1 | --- a/dtc-lexer.l 2021-06-18 02:19:10.886603041 -0600 2 | +++ b/dtc-lexer.l 2021-06-18 02:19:20.176473988 -0600 3 | @@ -38,7 +38,6 @@ 4 | #include "srcpos.h" 5 | #include "dtc-parser.tab.h" 6 | 7 | -YYLTYPE yylloc; 8 | extern bool treesource_error; 9 | 10 | /* CAUTION: this will stop working if we ever use yyless() or yyunput() */ 11 | -------------------------------------------------------------------------------- /src/packages/gcc/6.4.0/944-mpc-relative-literal-loads-logic-in-aarch64_classify_symbol.patch: -------------------------------------------------------------------------------- 1 | diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c 2 | index 83dbd57..fa61289 100644 3 | --- a/gcc/config/aarch64/aarch64.c 4 | +++ b/gcc/config/aarch64/aarch64.c 5 | @@ -9324,7 +9324,7 @@ aarch64_classify_symbol (rtx x, rtx offset) 6 | /* This is alright even in PIC code as the constant 7 | pool reference is always PC relative and within 8 | the same translation unit. */ 9 | - if (nopcrelative_literal_loads 10 | + if (aarch64_nopcrelative_literal_loads 11 | && CONSTANT_POOL_ADDRESS_P (x)) 12 | return SYMBOL_SMALL_ABSOLUTE; 13 | else 14 | diff --git a/gcc/testsuite/gcc.target/aarch64/pr79041.c b/gcc/testsuite/gcc.target/aarch64/pr79041.c 15 | new file mode 100644 16 | index 0000000..a23b1ae 17 | --- /dev/null 18 | +++ b/gcc/testsuite/gcc.target/aarch64/pr79041.c 19 | @@ -0,0 +1,26 @@ 20 | +/* PR target/79041. Check that we don't generate the LO12 relocations 21 | + for -mpc-relative-literal-loads. */ 22 | +/* { dg-do compile } */ 23 | +/* { dg-options "-O2 -mcmodel=large -mpc-relative-literal-loads" } */ 24 | + 25 | +extern int strcmp (const char *, const char *); 26 | +extern char *strcpy (char *, const char *); 27 | + 28 | +static struct 29 | +{ 30 | + char *b; 31 | + char *c; 32 | +} d[] = { 33 | + {"0", "000000000000000"}, {"1", "111111111111111"}, 34 | +}; 35 | + 36 | +void 37 | +e (const char *b, char *c) 38 | +{ 39 | + int i; 40 | + for (i = 0; i < 1; ++i) 41 | + if (!strcmp (d[i].b, b)) 42 | + strcpy (c, d[i].c); 43 | +} 44 | + 45 | +/* { dg-final { scan-assembler-not ":lo12:" } } */ 46 | -------------------------------------------------------------------------------- /src/packages/m4/0001-m4-glibc-change-work-around.patch: -------------------------------------------------------------------------------- 1 | 2 | Index: m4-1.4.18/lib/fflush.c 3 | =================================================================== 4 | --- m4-1.4.18.orig/lib/fflush.c 5 | +++ m4-1.4.18/lib/fflush.c 6 | @@ -33,7 +33,7 @@ 7 | #undef fflush 8 | 9 | 10 | -#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 11 | +#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 12 | 13 | /* Clear the stream's ungetc buffer, preserving the value of ftello (fp). */ 14 | static void 15 | @@ -72,7 +72,7 @@ clear_ungetc_buffer (FILE *fp) 16 | 17 | #endif 18 | 19 | -#if ! (defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */) 20 | +#if ! (defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */) 21 | 22 | # if (defined __sferror || defined __DragonFly__ || defined __ANDROID__) && defined __SNPT 23 | /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */ 24 | @@ -148,7 +148,7 @@ rpl_fflush (FILE *stream) 25 | if (stream == NULL || ! freading (stream)) 26 | return fflush (stream); 27 | 28 | -#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 29 | +#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 30 | 31 | clear_ungetc_buffer_preserving_position (stream); 32 | 33 | Index: m4-1.4.18/lib/fpending.c 34 | =================================================================== 35 | --- m4-1.4.18.orig/lib/fpending.c 36 | +++ m4-1.4.18/lib/fpending.c 37 | @@ -32,7 +32,7 @@ __fpending (FILE *fp) 38 | /* Most systems provide FILE as a struct and the necessary bitmask in 39 | , because they need it for implementing getc() and putc() as 40 | fast macros. */ 41 | -#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 42 | +#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 43 | return fp->_IO_write_ptr - fp->_IO_write_base; 44 | #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__ 45 | /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */ 46 | Index: m4-1.4.18/lib/fpurge.c 47 | =================================================================== 48 | --- m4-1.4.18.orig/lib/fpurge.c 49 | +++ m4-1.4.18/lib/fpurge.c 50 | @@ -62,7 +62,7 @@ fpurge (FILE *fp) 51 | /* Most systems provide FILE as a struct and the necessary bitmask in 52 | , because they need it for implementing getc() and putc() as 53 | fast macros. */ 54 | -# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 55 | +# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 56 | fp->_IO_read_end = fp->_IO_read_ptr; 57 | fp->_IO_write_ptr = fp->_IO_write_base; 58 | /* Avoid memory leak when there is an active ungetc buffer. */ 59 | Index: m4-1.4.18/lib/freadahead.c 60 | =================================================================== 61 | --- m4-1.4.18.orig/lib/freadahead.c 62 | +++ m4-1.4.18/lib/freadahead.c 63 | @@ -25,7 +25,7 @@ 64 | size_t 65 | freadahead (FILE *fp) 66 | { 67 | -#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 68 | +#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 69 | if (fp->_IO_write_ptr > fp->_IO_write_base) 70 | return 0; 71 | return (fp->_IO_read_end - fp->_IO_read_ptr) 72 | Index: m4-1.4.18/lib/freading.c 73 | =================================================================== 74 | --- m4-1.4.18.orig/lib/freading.c 75 | +++ m4-1.4.18/lib/freading.c 76 | @@ -31,7 +31,7 @@ freading (FILE *fp) 77 | /* Most systems provide FILE as a struct and the necessary bitmask in 78 | , because they need it for implementing getc() and putc() as 79 | fast macros. */ 80 | -# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 81 | +# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 82 | return ((fp->_flags & _IO_NO_WRITES) != 0 83 | || ((fp->_flags & (_IO_NO_READS | _IO_CURRENTLY_PUTTING)) == 0 84 | && fp->_IO_read_base != NULL)); 85 | Index: m4-1.4.18/lib/fseeko.c 86 | =================================================================== 87 | --- m4-1.4.18.orig/lib/fseeko.c 88 | +++ m4-1.4.18/lib/fseeko.c 89 | @@ -47,7 +47,7 @@ fseeko (FILE *fp, off_t offset, int when 90 | #endif 91 | 92 | /* These tests are based on fpurge.c. */ 93 | -#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 94 | +#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 95 | if (fp->_IO_read_end == fp->_IO_read_ptr 96 | && fp->_IO_write_ptr == fp->_IO_write_base 97 | && fp->_IO_save_base == NULL) 98 | @@ -123,7 +123,7 @@ fseeko (FILE *fp, off_t offset, int when 99 | return -1; 100 | } 101 | 102 | -#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 103 | +#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */ 104 | fp->_flags &= ~_IO_EOF_SEEN; 105 | fp->_offset = pos; 106 | #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__ 107 | Index: m4-1.4.18/lib/stdio-impl.h 108 | =================================================================== 109 | --- m4-1.4.18.orig/lib/stdio-impl.h 110 | +++ m4-1.4.18/lib/stdio-impl.h 111 | @@ -18,6 +18,12 @@ 112 | the same implementation of stdio extension API, except that some fields 113 | have different naming conventions, or their access requires some casts. */ 114 | 115 | +/* Glibc 2.28 made _IO_IN_BACKUP private. For now, work around this 116 | + problem by defining it ourselves. FIXME: Do not rely on glibc 117 | + internals. */ 118 | +#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN 119 | +# define _IO_IN_BACKUP 0x100 120 | +#endif 121 | 122 | /* BSD stdio derived implementations. */ 123 | 124 | -------------------------------------------------------------------------------- /src/packages/m4/0002-m4-fix-sigstksz.patch: -------------------------------------------------------------------------------- 1 | From f9e2b20a12a230efa30f1d479563ae07d276a94b Mon Sep 17 00:00:00 2001 2 | From: Paul Eggert 3 | Date: Wed, 30 Sep 2020 13:50:36 -0700 4 | Subject: [PATCH] c-stack: stop using SIGSTKSZ 5 | MIME-Version: 1.0 6 | Content-Type: text/plain; charset=utf8 7 | Content-Transfer-Encoding: 8bit 8 | 9 | It's been proposed to stop making SIGSTKSZ an integer constant: 10 | https://sourceware.org/pipermail/libc-alpha/2020-September/118028.html 11 | Also, using SIGSTKSZ in #if did not conform to current POSIX. 12 | Also, avoiding SIGSTKSZ makes the code simpler and easier to grok. 13 | * lib/c-stack.c (SIGSTKSZ): Remove. 14 | (alternate_signal_stack): Now a 64 KiB array, for simplicity. 15 | All uses changed. 16 | 17 | (Note for Ubuntu: The patch originates from gnulib, not m4, and has been 18 | heavily edited to fit the older version used in our current version of m4) 19 | 20 | --- a/lib/c-stack.c 21 | +++ b/lib/c-stack.c 22 | @@ -50,15 +50,16 @@ 23 | #if ! HAVE_STACK_T && ! defined stack_t 24 | typedef struct sigaltstack stack_t; 25 | #endif 26 | -#ifndef SIGSTKSZ 27 | -# define SIGSTKSZ 16384 28 | -#elif HAVE_LIBSIGSEGV && SIGSTKSZ < 16384 29 | -/* libsigsegv 2.6 through 2.8 have a bug where some architectures use 30 | - more than the Linux default of an 8k alternate stack when deciding 31 | - if a fault was caused by stack overflow. */ 32 | -# undef SIGSTKSZ 33 | -# define SIGSTKSZ 16384 34 | -#endif 35 | +/* Storage for the alternate signal stack. 36 | + 64 KiB is not too large for Gnulib-using apps, and is large enough 37 | + for all known platforms. Smaller sizes may run into trouble. 38 | + For example, libsigsegv 2.6 through 2.8 have a bug where some 39 | + architectures use more than the Linux default of an 8 KiB alternate 40 | + stack when deciding if a fault was caused by stack overflow. */ 41 | +static max_align_t alternate_signal_stack[(64 * 1024 42 | + + sizeof (max_align_t) - 1) 43 | + / sizeof (max_align_t)]; 44 | + 45 | 46 | #include 47 | #include 48 | @@ -128,18 +129,6 @@ 49 | #if (HAVE_SIGALTSTACK && HAVE_DECL_SIGALTSTACK \ 50 | && HAVE_STACK_OVERFLOW_HANDLING) || HAVE_LIBSIGSEGV 51 | 52 | -/* Storage for the alternate signal stack. */ 53 | -static union 54 | -{ 55 | - char buffer[SIGSTKSZ]; 56 | - 57 | - /* These other members are for proper alignment. There's no 58 | - standard way to guarantee stack alignment, but this seems enough 59 | - in practice. */ 60 | - long double ld; 61 | - long l; 62 | - void *p; 63 | -} alternate_signal_stack; 64 | 65 | static void 66 | null_action (int signo __attribute__ ((unused))) 67 | @@ -205,8 +194,8 @@ 68 | 69 | /* Always install the overflow handler. */ 70 | if (stackoverflow_install_handler (overflow_handler, 71 | - alternate_signal_stack.buffer, 72 | - sizeof alternate_signal_stack.buffer)) 73 | + alternate_signal_stack, 74 | + sizeof alternate_signal_stack)) 75 | { 76 | errno = ENOTSUP; 77 | return -1; 78 | @@ -279,14 +268,14 @@ 79 | stack_t st; 80 | struct sigaction act; 81 | st.ss_flags = 0; 82 | + st.ss_sp = alternate_signal_stack; 83 | + st.ss_size = sizeof alternate_signal_stack; 84 | # if SIGALTSTACK_SS_REVERSED 85 | /* Irix mistakenly treats ss_sp as the upper bound, rather than 86 | lower bound, of the alternate stack. */ 87 | - st.ss_sp = alternate_signal_stack.buffer + SIGSTKSZ - sizeof (void *); 88 | - st.ss_size = sizeof alternate_signal_stack.buffer - sizeof (void *); 89 | -# else 90 | - st.ss_sp = alternate_signal_stack.buffer; 91 | - st.ss_size = sizeof alternate_signal_stack.buffer; 92 | + st.ss_size -= sizeof (void *); 93 | + char *ss_sp = st.ss_sp; 94 | + st.ss_sp = ss_sp + st.ss_size; 95 | # endif 96 | r = sigaltstack (&st, NULL); 97 | if (r != 0) 98 | --- a/lib/c-stack.h 99 | +++ b/lib/c-stack.h 100 | @@ -34,7 +34,7 @@ 101 | A null ACTION acts like an action that does nothing. 102 | 103 | ACTION must be async-signal-safe. ACTION together with its callees 104 | - must not require more than SIGSTKSZ bytes of stack space. Also, 105 | + must not require more than 64 KiB of stack space. Also, 106 | ACTION should not call longjmp, because this implementation does 107 | not guarantee that it is safe to return to the original stack. 108 | 109 | -------------------------------------------------------------------------------- /src/packages/openresolv/Config.in: -------------------------------------------------------------------------------- 1 | config BR2_PACKAGE_OPENRESOLV 2 | bool "openresolv" 3 | help 4 | openresolv is a resolvconf implementation which 5 | manages resolv.conf. This tool provides a dns management 6 | framework to track currently available nameservers. 7 | 8 | https://roy.marples.name/projects/openresolv 9 | -------------------------------------------------------------------------------- /src/packages/openresolv/openresolv.hash: -------------------------------------------------------------------------------- 1 | # Locally calculated 2 | sha256 96b573e26d145f208d3758c2cd6fbf824b01005fc4cb7cedbdae29b3a3c8cb02 openresolv-3.12.0.tar.gz 3 | sha256 384740bf5e19e7628d20f4dcc22925062fdc6020e9a6f074e567d4d797be57a0 LICENSE 4 | -------------------------------------------------------------------------------- /src/packages/openresolv/openresolv.mk: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # openresolv 4 | # 5 | ################################################################################ 6 | 7 | OPENRESOLV_VERSION = 3.12.0 8 | OPENRESOLV_SITE = $(call github,rsmarples,openresolv,openresolv-$(OPENRESOLV_VERSION)) 9 | OPENRESOLV_LICENSE = BSD-2-Clause 10 | OPENRESOLV_LICENSE_FILES = LICENSE 11 | OPENRESOLV_CPE_ID_VENDOR = openresolv_project 12 | 13 | define OPENRESOLV_CONFIGURE_CMDS 14 | cd $(@D) && $(TARGET_CONFIGURE_OPTS) ./configure --sysconfdir=/etc 15 | endef 16 | 17 | define OPENRESOLV_BUILD_CMDS 18 | $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) 19 | endef 20 | 21 | define OPENRESOLV_INSTALL_TARGET_CMDS 22 | $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) DESTDIR="$(TARGET_DIR)" install 23 | endef 24 | 25 | $(eval $(generic-package)) 26 | -------------------------------------------------------------------------------- /src/packages/wireguard-linux-compat/Config.in: -------------------------------------------------------------------------------- 1 | config BR2_PACKAGE_WIREGUARD_LINUX_COMPAT 2 | bool "wireguard linux-compat" 3 | depends on BR2_LINUX_KERNEL 4 | # kernel module requires 3.10+ 5 | depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_10 6 | # kernel module in upstream linux since 5.6 7 | depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_6 8 | help 9 | WireGuard is an extremely simple yet fast and modern VPN 10 | that utilizes state-of-the-art cryptography. It aims to be 11 | faster, simpler, leaner, and more useful than IPSec, while 12 | avoiding the massive headache. It intends to be considerably 13 | more performant than OpenVPN. WireGuard is designed as a 14 | general purpose VPN for running on embedded interfaces and 15 | super computers alike, fit for many different 16 | circumstances. 17 | 18 | Support for WireGuard is included in Linux 5.6+. This 19 | package provides a backport of the kernel support for older 20 | kernels. 21 | 22 | https://www.wireguard.com 23 | 24 | comment "wireguard-linux-compat needs a toolchain w/ headers >= 3.10" 25 | depends on BR2_LINUX_KERNEL 26 | depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_10 27 | -------------------------------------------------------------------------------- /src/packages/wireguard-linux-compat/wireguard-linux-compat.hash: -------------------------------------------------------------------------------- 1 | # Locally calculated 2 | sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING 3 | sha256 362d412693c8fe82de00283435818d5c5def7f15e2433a07a9fe99d0518f63c0 wireguard-linux-compat-1.0.20220627.tar.xz 4 | -------------------------------------------------------------------------------- /src/packages/wireguard-linux-compat/wireguard-linux-compat.mk: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # wireguard 4 | # 5 | ################################################################################ 6 | 7 | WIREGUARD_LINUX_COMPAT_VERSION = 1.0.20220627 8 | WIREGUARD_LINUX_COMPAT_SITE = https://git.zx2c4.com/wireguard-linux-compat/snapshot 9 | WIREGUARD_LINUX_COMPAT_SOURCE = wireguard-linux-compat-$(WIREGUARD_LINUX_COMPAT_VERSION).tar.xz 10 | WIREGUARD_LINUX_COMPAT_LICENSE = GPL-2.0 11 | WIREGUARD_LINUX_COMPAT_LICENSE_FILES = COPYING 12 | WIREGUARD_LINUX_COMPAT_MODULE_SUBDIRS = src 13 | 14 | define WIREGUARD_LINUX_COMPAT_LINUX_CONFIG_FIXUPS 15 | $(call KCONFIG_ENABLE_OPT,CONFIG_INET) 16 | $(call KCONFIG_ENABLE_OPT,CONFIG_NET) 17 | $(call KCONFIG_ENABLE_OPT,CONFIG_NET_FOU) 18 | $(call KCONFIG_ENABLE_OPT,CONFIG_CRYPTO) 19 | $(call KCONFIG_ENABLE_OPT,CONFIG_CRYPTO_MANAGER) 20 | endef 21 | 22 | $(eval $(kernel-module)) 23 | $(eval $(generic-package)) 24 | -------------------------------------------------------------------------------- /src/packages/wireguard-tools/Config.in: -------------------------------------------------------------------------------- 1 | config BR2_PACKAGE_WIREGUARD_TOOLS 2 | bool "wireguard tools" 3 | # kernel module requires 3.10+, userspace makes no sense without it 4 | depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_10 5 | help 6 | WireGuard is an extremely simple yet fast and modern VPN 7 | that utilizes state-of-the-art cryptography. It aims to be 8 | faster, simpler, leaner, and more useful than IPSec, while 9 | avoiding the massive headache. It intends to be considerably 10 | more performant than OpenVPN. WireGuard is designed as a 11 | general purpose VPN for running on embedded interfaces and 12 | super computers alike, fit for many different 13 | circumstances. 14 | 15 | This package provides the userspace tooling to configure 16 | WireGuard tunnels. 17 | 18 | https://www.wireguard.com 19 | 20 | comment "wireguard-tools needs a toolchain w/ headers >= 3.10" 21 | depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_10 22 | -------------------------------------------------------------------------------- /src/packages/wireguard-tools/wireguard-tools.hash: -------------------------------------------------------------------------------- 1 | # Locally calculated 2 | sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING 3 | sha256 97ff31489217bb265b7ae850d3d0f335ab07d2652ba1feec88b734bc96bd05ac wireguard-tools-1.0.20210914.tar.xz 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /src/packages/wireguard-tools/wireguard-tools.mk: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # wireguard-tools 4 | # 5 | ################################################################################ 6 | 7 | WIREGUARD_TOOLS_VERSION = 1.0.20210914 8 | WIREGUARD_TOOLS_SITE = https://git.zx2c4.com/wireguard-tools/snapshot 9 | WIREGUARD_TOOLS_SOURCE = wireguard-tools-$(WIREGUARD_TOOLS_VERSION).tar.xz 10 | WIREGUARD_TOOLS_LICENSE = GPL-2.0 11 | WIREGUARD_TOOLS_LICENSE_FILES = COPYING 12 | 13 | ifeq ($(BR2_INIT_SYSTEMD),y) 14 | WIREGUARD_TOOLS_MAKE_OPTS += WITH_SYSTEMDUNITS=yes 15 | WIREGUARD_TOOLS_DEPENDENCIES += host-pkgconf 16 | else 17 | WIREGUARD_TOOLS_MAKE_OPTS += WITH_SYSTEMDUNITS=no 18 | endif 19 | 20 | ifeq ($(BR2_PACKAGE_BASH),y) 21 | WIREGUARD_TOOLS_MAKE_OPTS += WITH_BASHCOMPLETION=yes WITH_WGQUICK=yes 22 | else 23 | WIREGUARD_TOOLS_MAKE_OPTS += WITH_BASHCOMPLETION=no WITH_WGQUICK=no 24 | endif 25 | 26 | define WIREGUARD_TOOLS_BUILD_CMDS 27 | $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) $(WIREGUARD_TOOLS_MAKE_OPTS) \ 28 | -C $(@D)/src 29 | endef 30 | 31 | define WIREGUARD_TOOLS_INSTALL_TARGET_CMDS 32 | $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) $(WIREGUARD_TOOLS_MAKE_OPTS) \ 33 | -C $(@D)/src install DESTDIR=$(TARGET_DIR) 34 | endef 35 | 36 | $(eval $(generic-package)) 37 | -------------------------------------------------------------------------------- /src/patches/0001-add-kernel-4-19.patch: -------------------------------------------------------------------------------- 1 | diff --git buildroot-2017.11.1.orig/package/linux-headers/Config.in.host buildroot-2017.11.1/package/linux-headers/Config.in.host 2 | index 4d9652b..6fb948e 100644 3 | --- buildroot-2017.11.1.orig/package/linux-headers/Config.in.host 4 | +++ buildroot-2017.11.1/package/linux-headers/Config.in.host 5 | @@ -74,6 +74,11 @@ config BR2_KERNEL_HEADERS_4_13 6 | bool "Linux 4.13.x kernel headers" 7 | select BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13 8 | 9 | +config BR2_KERNEL_HEADERS_4_19 10 | + bool "Linux 4.19.x kernel headers" 11 | + depends on !BR2_csky 12 | + select BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_19 13 | + 14 | config BR2_KERNEL_HEADERS_VERSION 15 | bool "Manually specified Linux version" 16 | 17 | @@ -96,6 +101,10 @@ choice 18 | This is used to hide/show some packages that have strict 19 | requirements on the version of kernel headers. 20 | 21 | +config BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19 22 | + bool "4.19.x" 23 | + select BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_19 24 | + 25 | config BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_13 26 | bool "4.13.x" 27 | select BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13 28 | @@ -250,4 +259,5 @@ config BR2_DEFAULT_KERNEL_HEADERS 29 | default "4.11.12" if BR2_KERNEL_HEADERS_4_11 30 | default "4.12.14" if BR2_KERNEL_HEADERS_4_12 31 | default "4.13.16" if BR2_KERNEL_HEADERS_4_13 32 | + default "4.19.152" if BR2_KERNEL_HEADERS_4_19 33 | default BR2_DEFAULT_KERNEL_VERSION if BR2_KERNEL_HEADERS_VERSION 34 | diff --git buildroot-2017.11.1.orig/toolchain/toolchain-common.in buildroot-2017.11.1/toolchain/toolchain-common.in 35 | index d87d4d7..3c15fec 100644 36 | --- buildroot-2017.11.1.orig/toolchain/toolchain-common.in 37 | +++ buildroot-2017.11.1/toolchain/toolchain-common.in 38 | @@ -253,10 +253,15 @@ config BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13 39 | bool 40 | select BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_12 41 | 42 | +config BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_19 43 | + bool 44 | + select BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13 45 | + 46 | # This order guarantees that the highest version is set, as kconfig 47 | # stops affecting a value on the first matching default. 48 | config BR2_TOOLCHAIN_HEADERS_AT_LEAST 49 | string 50 | + default "4.19" if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_19 51 | default "4.13" if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13 52 | default "4.12" if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_12 53 | default "4.11" if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_11 54 | diff --git buildroot-2017.11.1.orig/toolchain/toolchain-external/toolchain-external-custom/Config.in.options buildroot-2017.11.1/toolchain/toolchain-external/toolchain-external-custom/Config.in.options 55 | index a285340..72efc19 100644 56 | --- buildroot-2017.11.1.orig/toolchain/toolchain-external/toolchain-external-custom/Config.in.options 57 | +++ buildroot-2017.11.1/toolchain/toolchain-external/toolchain-external-custom/Config.in.options 58 | @@ -93,6 +93,10 @@ choice 59 | m = ( LINUX_VERSION_CODE >> 8 ) & 0xFF 60 | p = ( LINUX_VERSION_CODE >> 0 ) & 0xFF 61 | 62 | +config BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_19 63 | + bool "4.19.x" 64 | + select BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_19 65 | + 66 | config BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_13 67 | bool "4.13.x" 68 | select BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13 69 | -------------------------------------------------------------------------------- /src/patches/0002-wireguard-packages.patch: -------------------------------------------------------------------------------- 1 | --- src/buildroot-2017.11.1/package/Config.in 2017-12-31 03:03:52.000000000 -0600 2 | +++ buildroot-2017.11.1/package/Config.in 2021-04-05 21:56:26.770366644 -0500 3 | @@ -1806,7 +1806,8 @@ 4 | source "package/wavemon/Config.in" 5 | source "package/wget/Config.in" 6 | source "package/whois/Config.in" 7 | - source "package/wireguard/Config.in" 8 | + source "package/wireguard-linux-compat/Config.in" 9 | + source "package/wireguard-tools/Config.in" 10 | source "package/wireless-regdb/Config.in" 11 | source "package/wireless_tools/Config.in" 12 | source "package/wireshark/Config.in" 13 | -------------------------------------------------------------------------------- /src/patches/0003-openresolv-package.patch: -------------------------------------------------------------------------------- 1 | --- src/buildroot-2017.11.1/package/Config.in 2021-06-23 10:28:35.748051977 -0500 2 | +++ buildroot-2017.11.1/package/Config.in 2021-06-23 10:29:08.964249418 -0500 3 | @@ -1733,6 +1733,7 @@ 4 | source "package/open-plc-utils/Config.in" 5 | source "package/openntpd/Config.in" 6 | source "package/openobex/Config.in" 7 | + source "package/openresolv/Config.in" 8 | source "package/openssh/Config.in" 9 | source "package/openswan/Config.in" 10 | source "package/openvpn/Config.in" 11 | -------------------------------------------------------------------------------- /src/wireguard/etc/wireguard/wg0.conf.sample: -------------------------------------------------------------------------------- 1 | # Sample file. Please update private/public keys 2 | [Interface] 3 | Address = 10.10.10.1/24 4 | ListenPort = 51820 5 | PrivateKey = XXXXXXXXXXXXXXXX 6 | [Peer] 7 | PublicKey = XXXXXXXXXXXXXXXX 8 | AllowedIPs = 10.10.10.2/32 9 | -------------------------------------------------------------------------------- /src/wireguard/setup_wireguard.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Tusc00 on reddit, @tusc69 on ubnt forums 3 | # 4 | # v4-7-21 Initial release. Updated script to auto load kernel module based on installed firmware version. 5 | # v4-8-21 Build now includes iptables_raw module. This is required for wg-quick when changing routes. Switched to MUSL static library 6 | # for building wireguard tools and bash given the number of CVEs with glib 2.26. Preliminary support for the UXG. 7 | # v4-10-21 Updated release to include utils such as htop, iftop and qrencode. The last one allows easy import of wireguard configs 8 | # into your IOS/Android WireGuard client using QR codes. 9 | # v6-23-21 Added support for resolvconf 10 | 11 | # Set this to 1 to try to load the built-in wireguard module first. External module will still be loaded if built-in one doesn't exist. 12 | # Set to 0 to only load external module. 13 | LOAD_BUILTIN=1 14 | 15 | DATA_DIR="." 16 | if [ -d "/mnt/data" ]; then 17 | DATA_DIR="/mnt/data" 18 | elif [ -d "/data" ]; then 19 | DATA_DIR="/data" 20 | fi 21 | WIREGUARD="${DATA_DIR}/wireguard" 22 | 23 | ln -sf $WIREGUARD/usr/bin/wg-quick /usr/bin 24 | ln -sf $WIREGUARD/usr/bin/wg /usr/bin 25 | ln -s $WIREGUARD/usr/bin/bash /bin 2>/dev/null 26 | ln -s $WIREGUARD/usr/bin/qrencode /usr/bin 2>/dev/null 27 | ln -s $WIREGUARD/usr/bin/htop /usr/bin 2>/dev/null 28 | ln -s $WIREGUARD/usr/sbin/iftop /usr/sbin 2>/dev/null 29 | ln -s $WIREGUARD/sbin/resolvconf /sbin 2>/dev/null 30 | 31 | # create symlink to wireguard config folder 32 | if [ ! -d "/etc/wireguard" ] 33 | then 34 | ln -sf $WIREGUARD/etc/wireguard /etc/wireguard 35 | fi 36 | 37 | # create symlink to resolvconf config file 38 | if [ ! -f "/etc/resolvconf.conf" ] 39 | then 40 | ln -s $WIREGUARD/etc/resolvconf.conf /etc/ 41 | fi 42 | 43 | # required by wg-quick 44 | if [ ! -d "/dev/fd" ] 45 | then 46 | ln -s /proc/self/fd /dev/fd 47 | fi 48 | 49 | #load dependent modules 50 | modprobe udp_tunnel 51 | modprobe ip6_udp_tunnel 52 | 53 | lsmod|egrep ^wireguard > /dev/null 2>&1 54 | if [ $? -eq 1 ] 55 | then 56 | ver=`uname -r` 57 | echo "loading wireguard..." 58 | if [ "$LOAD_BUILTIN" = "1" -a -e /lib/modules/$ver/extra/wireguard.ko ]; then 59 | modprobe wireguard 60 | elif [ -e $WIREGUARD/modules/wireguard-$ver.ko ]; then 61 | insmod $WIREGUARD/modules/wireguard-$ver.ko 62 | # iptable_raw required for wg-quick's use of iptables-restore 63 | insmod $WIREGUARD/modules/iptable_raw-$ver.ko 64 | insmod $WIREGUARD/modules/ip6table_raw-$ver.ko 65 | else 66 | echo "Unsupported Kernel version $ver" 67 | fi 68 | fi 69 | -------------------------------------------------------------------------------- /src/wireguard/usr/bin/wg-quick: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # SPDX-License-Identifier: GPL-2.0 3 | # 4 | # Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. 5 | # 6 | 7 | set -e -o pipefail 8 | shopt -s extglob 9 | export LC_ALL=C 10 | 11 | SELF="$(readlink -f "${BASH_SOURCE[0]}")" 12 | export PATH="${SELF%/*}:$PATH" 13 | 14 | WG_CONFIG="" 15 | INTERFACE="" 16 | ADDRESSES=( ) 17 | MTU="" 18 | DNS=( ) 19 | DNS_SEARCH=( ) 20 | TABLE="" 21 | PRE_UP=( ) 22 | POST_UP=( ) 23 | PRE_DOWN=( ) 24 | POST_DOWN=( ) 25 | SAVE_CONFIG=0 26 | CONFIG_FILE="" 27 | PROGRAM="${0##*/}" 28 | ARGS=( "$@" ) 29 | 30 | cmd() { 31 | echo "[#] $*" >&2 32 | "$@" 33 | } 34 | 35 | die() { 36 | echo "$PROGRAM: $*" >&2 37 | exit 1 38 | } 39 | 40 | parse_options() { 41 | local interface_section=0 line key value stripped v 42 | CONFIG_FILE="$1" 43 | [[ $CONFIG_FILE =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && CONFIG_FILE="/etc/wireguard/$CONFIG_FILE.conf" 44 | [[ -e $CONFIG_FILE ]] || die "\`$CONFIG_FILE' does not exist" 45 | [[ $CONFIG_FILE =~ (^|/)([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]] || die "The config file must be a valid interface name, followed by .conf" 46 | CONFIG_FILE="$(readlink -f "$CONFIG_FILE")" 47 | ((($(stat -c '0%#a' "$CONFIG_FILE") & $(stat -c '0%#a' "${CONFIG_FILE%/*}") & 0007) == 0)) || echo "Warning: \`$CONFIG_FILE' is world accessible" >&2 48 | INTERFACE="${BASH_REMATCH[2]}" 49 | shopt -s nocasematch 50 | while read -r line || [[ -n $line ]]; do 51 | stripped="${line%%\#*}" 52 | key="${stripped%%=*}"; key="${key##*([[:space:]])}"; key="${key%%*([[:space:]])}" 53 | value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:space:]])}" 54 | [[ $key == "["* ]] && interface_section=0 55 | [[ $key == "[Interface]" ]] && interface_section=1 56 | if [[ $interface_section -eq 1 ]]; then 57 | case "$key" in 58 | Address) ADDRESSES+=( ${value//,/ } ); continue ;; 59 | MTU) MTU="$value"; continue ;; 60 | DNS) for v in ${value//,/ }; do 61 | [[ $v =~ (^[0-9.]+$)|(^.*:.*$) ]] && DNS+=( $v ) || DNS_SEARCH+=( $v ) 62 | done; continue ;; 63 | Table) TABLE="$value"; continue ;; 64 | PreUp) PRE_UP+=( "$value" ); continue ;; 65 | PreDown) PRE_DOWN+=( "$value" ); continue ;; 66 | PostUp) POST_UP+=( "$value" ); continue ;; 67 | PostDown) POST_DOWN+=( "$value" ); continue ;; 68 | SaveConfig) read_bool SAVE_CONFIG "$value"; continue ;; 69 | esac 70 | fi 71 | WG_CONFIG+="$line"$'\n' 72 | done < "$CONFIG_FILE" 73 | shopt -u nocasematch 74 | } 75 | 76 | read_bool() { 77 | case "$2" in 78 | true) printf -v "$1" 1 ;; 79 | false) printf -v "$1" 0 ;; 80 | *) die "\`$2' is neither true nor false" 81 | esac 82 | } 83 | 84 | auto_su() { 85 | [[ $UID == 0 ]] || exec sudo -p "$PROGRAM must be run as root. Please enter the password for %u to continue: " -- "$BASH" -- "$SELF" "${ARGS[@]}" 86 | } 87 | 88 | add_if() { 89 | local ret 90 | if ! cmd ip link add "$INTERFACE" type wireguard; then 91 | ret=$? 92 | [[ -e /sys/module/wireguard ]] || ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" >/dev/null && exit $ret 93 | echo "[!] Missing WireGuard kernel module. Falling back to slow userspace implementation." >&2 94 | cmd "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" "$INTERFACE" 95 | fi 96 | } 97 | 98 | del_if() { 99 | local table 100 | [[ $HAVE_SET_DNS -eq 0 ]] || unset_dns 101 | [[ $HAVE_SET_FIREWALL -eq 0 ]] || remove_firewall 102 | if [[ -z $TABLE || $TABLE == auto ]] && get_fwmark table && [[ $(wg show "$INTERFACE" allowed-ips) =~ /0(\ |$'\n'|$) ]]; then 103 | while [[ $(ip -4 rule show 2>/dev/null) == *"lookup $table"* ]]; do 104 | cmd ip -4 rule delete table $table 105 | done 106 | while [[ $(ip -4 rule show 2>/dev/null) == *"from all lookup main suppress_prefixlength 0"* ]]; do 107 | cmd ip -4 rule delete table main suppress_prefixlength 0 108 | done 109 | while [[ $(ip -6 rule show 2>/dev/null) == *"lookup $table"* ]]; do 110 | cmd ip -6 rule delete table $table 111 | done 112 | while [[ $(ip -6 rule show 2>/dev/null) == *"from all lookup main suppress_prefixlength 0"* ]]; do 113 | cmd ip -6 rule delete table main suppress_prefixlength 0 114 | done 115 | fi 116 | cmd ip link delete dev "$INTERFACE" 117 | } 118 | 119 | add_addr() { 120 | local proto=-4 121 | [[ $1 == *:* ]] && proto=-6 122 | cmd ip $proto address add "$1" dev "$INTERFACE" 123 | } 124 | 125 | set_mtu_up() { 126 | local mtu=0 endpoint output 127 | if [[ -n $MTU ]]; then 128 | cmd ip link set mtu "$MTU" up dev "$INTERFACE" 129 | return 130 | fi 131 | while read -r _ endpoint; do 132 | [[ $endpoint =~ ^\[?([a-z0-9:.]+)\]?:[0-9]+$ ]] || continue 133 | output="$(ip route get "${BASH_REMATCH[1]}" || true)" 134 | [[ ( $output =~ mtu\ ([0-9]+) || ( $output =~ dev\ ([^ ]+) && $(ip link show dev "${BASH_REMATCH[1]}") =~ mtu\ ([0-9]+) ) ) && ${BASH_REMATCH[1]} -gt $mtu ]] && mtu="${BASH_REMATCH[1]}" 135 | done < <(wg show "$INTERFACE" endpoints) 136 | if [[ $mtu -eq 0 ]]; then 137 | read -r output < <(ip route show default || true) || true 138 | [[ ( $output =~ mtu\ ([0-9]+) || ( $output =~ dev\ ([^ ]+) && $(ip link show dev "${BASH_REMATCH[1]}") =~ mtu\ ([0-9]+) ) ) && ${BASH_REMATCH[1]} -gt $mtu ]] && mtu="${BASH_REMATCH[1]}" 139 | fi 140 | [[ $mtu -gt 0 ]] || mtu=1500 141 | cmd ip link set mtu $(( mtu - 80 )) up dev "$INTERFACE" 142 | } 143 | 144 | resolvconf_iface_prefix() { 145 | [[ -f /etc/resolvconf/interface-order ]] || return 0 146 | local iface 147 | while read -r iface; do 148 | [[ $iface =~ ^([A-Za-z0-9-]+)\*$ ]] || continue 149 | echo "${BASH_REMATCH[1]}." && return 0 150 | done < /etc/resolvconf/interface-order 151 | } 152 | 153 | HAVE_SET_DNS=0 154 | set_dns() { 155 | [[ ${#DNS[@]} -gt 0 ]] || return 0 156 | { printf 'nameserver %s\n' "${DNS[@]}" 157 | [[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' "${DNS_SEARCH[*]}" 158 | } | cmd resolvconf -a "$(resolvconf_iface_prefix)$INTERFACE" -m 0 -x 159 | HAVE_SET_DNS=1 160 | } 161 | 162 | unset_dns() { 163 | [[ ${#DNS[@]} -gt 0 ]] || return 0 164 | cmd resolvconf -d "$(resolvconf_iface_prefix)$INTERFACE" -f 165 | } 166 | 167 | add_route() { 168 | local proto=-4 169 | [[ $1 == *:* ]] && proto=-6 170 | [[ $TABLE != off ]] || return 0 171 | 172 | if [[ -n $TABLE && $TABLE != auto ]]; then 173 | cmd ip $proto route add "$1" dev "$INTERFACE" table "$TABLE" 174 | elif [[ $1 == */0 ]]; then 175 | add_default "$1" 176 | else 177 | [[ -n $(ip $proto route show dev "$INTERFACE" match "$1" 2>/dev/null) ]] || cmd ip $proto route add "$1" dev "$INTERFACE" 178 | fi 179 | } 180 | 181 | get_fwmark() { 182 | local fwmark 183 | fwmark="$(wg show "$INTERFACE" fwmark)" || return 1 184 | [[ -n $fwmark && $fwmark != off ]] || return 1 185 | printf -v "$1" "%d" "$fwmark" 186 | return 0 187 | } 188 | 189 | remove_firewall() { 190 | if type -p nft >/dev/null; then 191 | local table nftcmd 192 | while read -r table; do 193 | [[ $table == *" wg-quick-$INTERFACE" ]] && printf -v nftcmd '%sdelete %s\n' "$nftcmd" "$table" 194 | done < <(nft list tables 2>/dev/null) 195 | [[ -z $nftcmd ]] || cmd nft -f <(echo -n "$nftcmd") 196 | fi 197 | if type -p iptables >/dev/null; then 198 | local line iptables found restore 199 | for iptables in iptables ip6tables; do 200 | restore="" found=0 201 | while read -r line; do 202 | [[ $line == "*"* || $line == COMMIT || $line == "-A "*"-m comment --comment \"wg-quick(8) rule for $INTERFACE\""* ]] || continue 203 | [[ $line == "-A"* ]] && found=1 204 | printf -v restore '%s%s\n' "$restore" "${line/#-A/-D}" 205 | done < <($iptables-save 2>/dev/null) 206 | [[ $found -ne 1 ]] || echo -n "$restore" | cmd $iptables-restore -n 207 | done 208 | fi 209 | } 210 | 211 | HAVE_SET_FIREWALL=0 212 | add_default() { 213 | local table line 214 | if ! get_fwmark table; then 215 | table=51820 216 | while [[ -n $(ip -4 route show table $table 2>/dev/null) || -n $(ip -6 route show table $table 2>/dev/null) ]]; do 217 | ((table++)) 218 | done 219 | cmd wg set "$INTERFACE" fwmark $table 220 | fi 221 | local proto=-4 iptables=iptables pf=ip 222 | [[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6 223 | cmd ip $proto route add "$1" dev "$INTERFACE" table $table 224 | cmd ip $proto rule add not fwmark $table table $table 225 | cmd ip $proto rule add table main suppress_prefixlength 0 226 | 227 | local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd 228 | printf -v nftcmd '%sadd table %s %s\n' "$nftcmd" "$pf" "$nftable" 229 | printf -v nftcmd '%sadd chain %s %s preraw { type filter hook prerouting priority -300; }\n' "$nftcmd" "$pf" "$nftable" 230 | printf -v nftcmd '%sadd chain %s %s premangle { type filter hook prerouting priority -150; }\n' "$nftcmd" "$pf" "$nftable" 231 | printf -v nftcmd '%sadd chain %s %s postmangle { type filter hook postrouting priority -150; }\n' "$nftcmd" "$pf" "$nftable" 232 | while read -r line; do 233 | [[ $line =~ .*inet6?\ ([0-9a-f:.]+)/[0-9]+.* ]] || continue 234 | printf -v restore '%s-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP %s\n' "$restore" "$INTERFACE" "${BASH_REMATCH[1]}" "$marker" 235 | printf -v nftcmd '%sadd rule %s %s preraw iifname != "%s" %s daddr %s fib saddr type != local drop\n' "$nftcmd" "$pf" "$nftable" "$INTERFACE" "$pf" "${BASH_REMATCH[1]}" 236 | done < <(ip -o $proto addr show dev "$INTERFACE" 2>/dev/null) 237 | printf -v restore '%sCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker" 238 | printf -v nftcmd '%sadd rule %s %s postmangle meta l4proto udp mark %d ct mark set mark \n' "$nftcmd" "$pf" "$nftable" $table 239 | printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta mark set ct mark \n' "$nftcmd" "$pf" "$nftable" 240 | [[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1 241 | if type -p nft >/dev/null; then 242 | cmd nft -f <(echo -n "$nftcmd") 243 | else 244 | echo -n "$restore" | cmd $iptables-restore -n 245 | fi 246 | HAVE_SET_FIREWALL=1 247 | return 0 248 | } 249 | 250 | set_config() { 251 | cmd wg setconf "$INTERFACE" <(echo "$WG_CONFIG") 252 | } 253 | 254 | save_config() { 255 | local old_umask new_config current_config address cmd 256 | [[ $(ip -all -brief address show dev "$INTERFACE") =~ ^$INTERFACE\ +\ [A-Z]+\ +(.+)$ ]] || true 257 | new_config=$'[Interface]\n' 258 | for address in ${BASH_REMATCH[1]}; do 259 | new_config+="Address = $address"$'\n' 260 | done 261 | while read -r address; do 262 | [[ $address =~ ^nameserver\ ([a-zA-Z0-9_=+:%.-]+)$ ]] && new_config+="DNS = ${BASH_REMATCH[1]}"$'\n' 263 | done < <(resolvconf -l "$(resolvconf_iface_prefix)$INTERFACE" 2>/dev/null || cat "/etc/resolvconf/run/interface/$(resolvconf_iface_prefix)$INTERFACE" 2>/dev/null) 264 | [[ -n $MTU && $(ip link show dev "$INTERFACE") =~ mtu\ ([0-9]+) ]] && new_config+="MTU = ${BASH_REMATCH[1]}"$'\n' 265 | [[ -n $TABLE ]] && new_config+="Table = $TABLE"$'\n' 266 | [[ $SAVE_CONFIG -eq 0 ]] || new_config+=$'SaveConfig = true\n' 267 | for cmd in "${PRE_UP[@]}"; do 268 | new_config+="PreUp = $cmd"$'\n' 269 | done 270 | for cmd in "${POST_UP[@]}"; do 271 | new_config+="PostUp = $cmd"$'\n' 272 | done 273 | for cmd in "${PRE_DOWN[@]}"; do 274 | new_config+="PreDown = $cmd"$'\n' 275 | done 276 | for cmd in "${POST_DOWN[@]}"; do 277 | new_config+="PostDown = $cmd"$'\n' 278 | done 279 | old_umask="$(umask)" 280 | umask 077 281 | current_config="$(cmd wg showconf "$INTERFACE")" 282 | trap 'rm -f "$CONFIG_FILE.tmp"; exit' INT TERM EXIT 283 | echo "${current_config/\[Interface\]$'\n'/$new_config}" > "$CONFIG_FILE.tmp" || die "Could not write configuration file" 284 | sync "$CONFIG_FILE.tmp" 285 | mv "$CONFIG_FILE.tmp" "$CONFIG_FILE" || die "Could not move configuration file" 286 | trap - INT TERM EXIT 287 | umask "$old_umask" 288 | } 289 | 290 | execute_hooks() { 291 | local hook 292 | for hook in "$@"; do 293 | hook="${hook//%i/$INTERFACE}" 294 | echo "[#] $hook" >&2 295 | (eval "$hook") 296 | done 297 | } 298 | 299 | cmd_usage() { 300 | cat >&2 <<-_EOF 301 | Usage: $PROGRAM [ up | down | save | strip ] [ CONFIG_FILE | INTERFACE ] 302 | 303 | CONFIG_FILE is a configuration file, whose filename is the interface name 304 | followed by \`.conf'. Otherwise, INTERFACE is an interface name, with 305 | configuration found at /etc/wireguard/INTERFACE.conf. It is to be readable 306 | by wg(8)'s \`setconf' sub-command, with the exception of the following additions 307 | to the [Interface] section, which are handled by $PROGRAM: 308 | 309 | - Address: may be specified one or more times and contains one or more 310 | IP addresses (with an optional CIDR mask) to be set for the interface. 311 | - DNS: an optional DNS server to use while the device is up. 312 | - MTU: an optional MTU for the interface; if unspecified, auto-calculated. 313 | - Table: an optional routing table to which routes will be added; if 314 | unspecified or \`auto', the default table is used. If \`off', no routes 315 | are added. 316 | - PreUp, PostUp, PreDown, PostDown: script snippets which will be executed 317 | by bash(1) at the corresponding phases of the link, most commonly used 318 | to configure DNS. The string \`%i' is expanded to INTERFACE. 319 | - SaveConfig: if set to \`true', the configuration is saved from the current 320 | state of the interface upon shutdown. 321 | 322 | See wg-quick(8) for more info and examples. 323 | _EOF 324 | } 325 | 326 | cmd_up() { 327 | local i 328 | [[ -z $(ip link show dev "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists" 329 | trap 'del_if; exit' INT TERM EXIT 330 | execute_hooks "${PRE_UP[@]}" 331 | add_if 332 | set_config 333 | for i in "${ADDRESSES[@]}"; do 334 | add_addr "$i" 335 | done 336 | set_mtu_up 337 | set_dns 338 | for i in $(while read -r _ i; do for i in $i; do [[ $i =~ ^[0-9a-z:.]+/[0-9]+$ ]] && echo "$i"; done; done < <(wg show "$INTERFACE" allowed-ips) | sort -nr -k 2 -t /); do 339 | add_route "$i" 340 | done 341 | execute_hooks "${POST_UP[@]}" 342 | trap - INT TERM EXIT 343 | } 344 | 345 | cmd_down() { 346 | [[ " $(wg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface" 347 | execute_hooks "${PRE_DOWN[@]}" 348 | [[ $SAVE_CONFIG -eq 0 ]] || save_config 349 | del_if 350 | unset_dns || true 351 | remove_firewall || true 352 | execute_hooks "${POST_DOWN[@]}" 353 | } 354 | 355 | cmd_save() { 356 | [[ " $(wg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface" 357 | save_config 358 | } 359 | 360 | cmd_strip() { 361 | echo "$WG_CONFIG" 362 | } 363 | 364 | # ~~ function override insertion point ~~ 365 | 366 | if [[ $# -eq 1 && ( $1 == --help || $1 == -h || $1 == help ) ]]; then 367 | cmd_usage 368 | elif [[ $# -eq 2 && $1 == up ]]; then 369 | auto_su 370 | parse_options "$2" 371 | cmd_up 372 | elif [[ $# -eq 2 && $1 == down ]]; then 373 | auto_su 374 | parse_options "$2" 375 | cmd_down 376 | elif [[ $# -eq 2 && $1 == save ]]; then 377 | auto_su 378 | parse_options "$2" 379 | cmd_save 380 | elif [[ $# -eq 2 && $1 == strip ]]; then 381 | auto_su 382 | parse_options "$2" 383 | cmd_strip 384 | else 385 | cmd_usage 386 | exit 1 387 | fi 388 | 389 | exit 0 390 | --------------------------------------------------------------------------------