[Bug 272842] Missing WireGuard integration into the base system rc.d scripts

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 24 Oct 2023 17:25:29 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272842

--- Comment #7 from crest@rlwinm.de ---
The problem is harder than it looks. The wg-quick script contains an ugly hack
that amounts to a daemon monitoring a route socket to allow WireGuard not just
to collect all peers' AllowedIPs per tunnel and add an interface route once, but
also to resolve conflicts inside a single routing table at runtime, which is
broken by design. FreeBSD has the required features (setfib, vnet) to express
such a setup without fragile racy hacks or shell scripts with O(n^2) overhead
(with n = number of routes).

This is the third version of this shell script and I removed a few features
because the rc.d script ran into Greenspun's tenth rule and turned /bin/sh into
a dynamically scoped LISP. That version contained higher order functions to
loop over peers and their settings for use in the {Pre,Post}x{Up,Down} hooks
which would make it trivial to inject the routes from the PostUp hook.

The version I've submitted in this PR lacks such features. To automate it using
this rc.d script you have to parse the WireGuard configuration inside a hook.
It implements both the wg-quick style hooks (it executes them in /bin/sh
instead of /bin/bash) as well as calling into /etc/rc.d/netif, allowing all the
usual ways to hook interface configuration changes to work too.

I can dig out the "semi sentient" rc.d script if you really want to dig through
it, but the version in this PR already contains code to extract only the fields
understood by the kernel from a wg-quick configuration. As long as you only
want to collect the AllowedIPs per interface without preserving which peer they
belong to, collecting the AllowedIPs into a single variable would work the same
as collecting multiple Address lines into a single variable.

-- 
You are receiving this mail because:
You are the assignee for the bug.
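As an added example (not the commenter's rc.d script nor any code from this PR), the following POSIX /bin/sh function collects the AllowedIPs of every [Peer] section of a wg-quick configuration into a single space-separated variable, discarding which peer each prefix belongs to, and the Address lines of [Interface] the same way; the configuration text, placeholder keys and function names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from the PR: gather the AllowedIPs of all [Peer]
# sections (and the Address lines of [Interface]) of a wg-quick style config
# into one space-separated variable, as discussed in the comment above.

# Constructed sample config; keys are placeholders, not real material.
WG_SAMPLE_CONF='[Interface]
# a comment line, skipped
Address = 10.0.0.2/32, fd00::2/128
PrivateKey = PLACEHOLDER_PRIVATE_KEY
PostUp = echo up

[Peer]
PublicKey = PLACEHOLDER_PEER_A
AllowedIPs = 10.0.0.1/32, 192.168.10.0/24
Endpoint = vpn.example.invalid:51820

[Peer]
PublicKey = PLACEHOLDER_PEER_B
AllowedIPs=fd00::1/128
AllowedIPs = 172.16.0.0/12
'

# wg_collect_field SECTION KEY: read a config on stdin and print every value of
# KEY found in any SECTION as one space-separated line (comma lists are split,
# whitespace trimmed, comments and blank lines skipped, other keys ignored).
wg_collect_field() {
    awk -v want="$1" -v key="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/].*$/, "", sect); next }
        sect == want && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1)
            n = split(v, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "") out = out (out == "" ? "" : " ") parts[i]
            }
        }
        END { print out }'
}

# AllowedIPs of all peers, suitable for one "for net in $(wg_allowed_ips)" loop
# that adds an interface route per prefix from a PostUp hook.
wg_allowed_ips() { printf '%s\n' "${1:-$WG_SAMPLE_CONF}" | wg_collect_field Peer AllowedIPs; }

# Address values of the [Interface] section, collected the same way.
wg_addresses() { printf '%s\n' "${1:-$WG_SAMPLE_CONF}" | wg_collect_field Interface Address; }
```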