From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: ju.orth@gmail.com
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Setting the transit namespace at runtime
Date: Thu, 6 Sep 2018 19:26:33 -0600
Message-ID: <CAHmME9rB71UbcY-kLkJO0yOVQ-s31E_S9yCKdZTh6F9-PScN5A@mail.gmail.com>
In-Reply-To: <CAHijbEWf1S0Tc+zxZBvmJ0xe5iBU00pOxikejetF8x33Qh=GcQ@mail.gmail.com>

Hi Julian,

I'd thought of this early on, but failed to come up with what seemed
like an actually realistic use case for it.

On Thu, Sep 6, 2018 at 10:15 AM Julian Orth <ju.orth@gmail.com> wrote:
> * If multiple processes are creating Wireguard devices at the same time, then
>   their device namespaces are isolated as long as each process uses its own
>   network namespace. This means that there is no problem if two processes try
>   to create the `wg0` device at the same time.

The typical solution for this is to create "wg%d":

zx2c4@thinkpad ~ $ ip link add wg%d type wireguard
zx2c4@thinkpad ~ $ ip link add wg%d type wireguard
zx2c4@thinkpad ~ $ ip link add wg%d type wireguard
zx2c4@thinkpad ~ $ ip link add wg%d type wireguard
zx2c4@thinkpad ~ $ ip link add wg%d type wireguard
zx2c4@thinkpad ~ $ ip link show | grep wg
47: wg0: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN mode DEFAULT group default qlen 1000
48: wg1: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN mode DEFAULT group default qlen 1000
49: wg2: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN mode DEFAULT group default qlen 1000
50: wg3: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN mode DEFAULT group default qlen 1000
51: wg4: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN mode DEFAULT group default qlen 1000

Or you just use a try-loop, incrementing until there are no races with
another process that has already claimed it.

Alternatively, if you just generate a random byte sequence that's also
a valid interface name, you get around 119.5 bits of randomness, which
makes the possibility of collision for this use case sufficiently
unlikely. (A random UUID only has 122 bits of randomness, for
comparison.)

> * The intention is for the `wg0` device to be used only within the `vpn`
>   namespace. It does not feel clean that the device has to live in the init
>   namespace for an arbitrarily short but non-zero amount of time. This also
>   leaks the existence of the `wg0` device to all processes living in the init
>   namespace.

I wonder what happens with that "leak" that you're concerned with. It
doesn't have to be configured with any information like ip addresses
or routes, and the original name can be entirely different from the
final name used.

Jason
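The create-under-a-temporary-name, move, then rename flow and the random-name idea from Jason's reply, as an added POSIX shell example that is not part of the thread. It assumes root, iproute2 with network-namespace support, and an existing target namespace (`vpn` in the dry run); the `run`, `valid_ifname`, `random_ifname` and `move_wg_into_netns` helpers are this example's own, and the suffix is 72 bits of URL-safe base64 rather than the full 15-byte random name he mentions, so it stays printable.

```shell
# Added example, not from the thread: create a WireGuard device under a
# collision-resistant temporary name in the current (transit) namespace, move
# it into a target namespace, and only then give it its final name there.
# Assumes root and iproute2 with netns support; WG_DRY_RUN=1 prints instead.
set -eu

run() {
    if [ "${WG_DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Check a candidate name the way the kernel does (dev_valid_name): non-empty,
# under 16 bytes (IFNAMSIZ), not "." or "..", and free of '/', ':' and
# whitespace. Assumes ASCII names, where ${#name} counts bytes.
valid_ifname() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 15 ] || return 1
    [ "$name" != . ] && [ "$name" != .. ] || return 1
    case "$name" in
        */*|*:*|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Random temporary name: a 2-byte prefix plus 12 URL-safe base64 characters
# (9 random bytes, 72 bits). Less than the ~119.5 bits of an arbitrary
# 15-byte name, but far more than enough that concurrent creators never meet.
random_ifname() {
    prefix=${1:-wg}
    rand=$(head -c 9 /dev/urandom | base64 | tr '+/' '-_' | tr -d '\n=')
    printf '%s%s\n' "$prefix" "$rand"
}

# The temporary name only ever exists in the transit namespace, so two
# processes doing this at once never contend for "wg0" there, and the device
# carries no addresses or routes while it is in transit.
move_wg_into_netns() {
    target_ns=$1
    final_name=${2:-wg0}
    tmp=$(random_ifname wg)
    valid_ifname "$tmp" || return 1
    run ip link add "$tmp" type wireguard
    run ip link set "$tmp" netns "$target_ns"
    run ip netns exec "$target_ns" ip link set "$tmp" name "$final_name"
}
```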
