From: Kalin KOZHUHAROV <me.kalin@gmail.com>
To: vtol <vtol@gmx.net>
Cc: wireguard <wireguard@lists.zx2c4.com>
Subject: Re: WG interface to ipv4
Date: Sat, 5 May 2018 11:28:35 +0200
Message-ID: <CAKXLc7dZD1Qzx1q1fPPikXPvu+vAgCpKnBBiP_hKSiJOtTbxng@mail.gmail.com>
In-Reply-To: <493b3bdf-3cf0-5594-dd7e-4b9c8d84e74c@gmx.net>

On Sat, May 5, 2018 at 10:18 AM, ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> I like to keep things neat/controlled and any necessary open socket is only
> sticking out like a sore (wondering why it is opened when not wanted for).
> It would certainly instill more confidence in network security/control if it
> would be possible to define which sockets are opened by WG, like other apps
> do.
>
+1 !

> Which brings up the next point, I have asked previously twice about -
> wildcard ip 0.0.0.0 . How to bind WG to a particular iface/subnet, as  a
> another matter of network security?
>
It is not possible AFAIK. I am not sure about the intrinsic workings; maybe
it is not possible by design?

Hmm, it should be, given that it only listens to UDP on a single IP
address (as configured on the wgX interface).
Well, one can configure multiple addresses on a single interface, but still...
What about when we have more than one wgX interface; do they share memory?

Certainly, the source shows that it binds to any interface, unconditionally:
https://git.zx2c4.com/WireGuard/tree/src/socket.c#n330

So I guess we can use (from `man 7 socket`):

       SO_BINDTODEVICE
              Bind this socket to a particular device like “eth0”, as
              specified in the passed interface name.  If the name is an
              empty string or the option length is zero, the socket device
              binding is removed.  The passed option is a variable-length
              null-terminated interface name string with the maximum size
              of IFNAMSIZ.  If a socket is bound to an interface, only
              packets received from that particular interface are
              processed by the socket.  Note that this works only for some
              socket types, particularly AF_INET sockets.  It is not
              supported for packet sockets (use normal bind(2) there).

              Before Linux 3.8, this socket option could be set, but could
              not be retrieved with getsockopt(2).  Since Linux 3.8, it is
              readable.  The optlen argument should contain the buffer size
              available to receive the device name and is recommended to be
              IFNAMSIZ bytes.  The real device name length is reported back
              in the optlen argument.

Just a wild guess.

Cheers,
Kalin.


Thread overview: 36+ messages
2018-05-03 16:57 WG interface to ipv4 ѽ҉ᶬḳ℠
2018-05-04  1:06 ` Jason A. Donenfeld
2018-05-04  9:27   ` ѽ҉ᶬḳ℠
2018-05-05  3:44     ` Jason A. Donenfeld
2018-05-05  8:18       ` ѽ҉ᶬḳ℠
2018-05-05  9:28         ` Kalin KOZHUHAROV [this message]
2018-05-05 17:33           ` Christophe-Marie Duquesne
2018-05-05 17:53             ` ѽ҉ᶬḳ℠
2018-05-06  1:27               ` Jason A. Donenfeld
2018-05-06  7:31                 ` ѽ҉ᶬḳ℠
2018-05-06  9:00                   ` Matthias Urlichs
2018-05-06  9:26                     ` ѽ҉ᶬḳ℠
2018-05-06  0:14             ` RFE: Name of peer in configuration John Huttley
2018-05-06  1:21         ` WG interface to ipv4 Jason A. Donenfeld
2018-05-06  8:58           ` ѽ҉ᶬḳ℠
2018-05-06 13:34             ` Jordan Glover
2018-05-06 14:12               ` ѽ҉ᶬḳ℠
2018-05-06 14:17                 ` Jason A. Donenfeld
2018-05-06 15:21                 ` Toke Høiland-Jørgensen
2018-05-06 16:33                   ` ѽ҉ᶬḳ℠
2018-05-06 18:09                     ` Jordan Glover
2018-05-06 19:39                       ` ѽ҉ᶬḳ℠
2018-05-06 21:37                         ` Android Configuration File John Huttley
2018-05-06 22:10                           ` Jason A. Donenfeld
2018-05-07  4:22                             ` John Huttley
2018-05-07 13:35                         ` WG interface to ipv4 Christophe-Marie Duquesne
2018-05-07 16:34                           ` ѽ҉ᶬḳ℠
2018-05-08  8:48                             ` Christophe-Marie Duquesne
2018-05-08  9:35                               ` ѽ҉ᶬḳ℠
2018-05-07  8:24                   ` ѽ҉ᶬḳ℠
2018-05-07  8:41                     ` Jordan Glover
2018-05-07  9:37                       ` Matthias Urlichs
2018-05-07 11:21                         ` Jordan Glover
2018-05-07  6:49           ` Kalin KOZHUHAROV
2018-05-08 15:44 Riccardo Berto
2018-05-08 16:23 ` logcabin
