wireguard.yaml 8.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298
  1. # SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)
  2. ---
  3. name: wireguard
  4. protocol: genetlink-legacy
  5. doc: |
  6. **Netlink protocol to control WireGuard network devices.**
  7. The below enums and macros are for interfacing with WireGuard, using generic
  8. netlink, with family ``WG_GENL_NAME`` and version ``WG_GENL_VERSION``. It
  9. defines two commands: get and set. Note that while they share many common
  10. attributes, these two commands actually accept a slightly different set of
  11. inputs and outputs. These differences are noted under the individual
  12. attributes.
  13. c-family-name: wg-genl-name
  14. c-version-name: wg-genl-version
  15. max-by-define: true
  16. definitions:
  17. -
  18. name-prefix: wg-
  19. name: key-len
  20. type: const
  21. value: 32
  22. -
  23. name: --kernel-timespec
  24. type: struct
  25. header: linux/time_types.h
  26. members:
  27. -
  28. name: sec
  29. type: u64
  30. doc: Number of seconds, since UNIX epoch.
  31. -
  32. name: nsec
  33. type: u64
  34. doc: Number of nanoseconds, after the second began.
  35. -
  36. name: wgdevice-flags
  37. name-prefix: wgdevice-f-
  38. enum-name: wgdevice-flag
  39. type: flags
  40. entries:
  41. - replace-peers
  42. -
  43. name: wgpeer-flags
  44. name-prefix: wgpeer-f-
  45. enum-name: wgpeer-flag
  46. type: flags
  47. entries:
  48. - remove-me
  49. - replace-allowedips
  50. - update-only
  51. -
  52. name: wgallowedip-flags
  53. name-prefix: wgallowedip-f-
  54. enum-name: wgallowedip-flag
  55. type: flags
  56. entries:
  57. - remove-me
  58. attribute-sets:
  59. -
  60. name: wgdevice
  61. enum-name: wgdevice-attribute
  62. name-prefix: wgdevice-a-
  63. attr-cnt-name: --wgdevice-a-last
  64. attributes:
  65. -
  66. name: unspec
  67. type: unused
  68. value: 0
  69. -
  70. name: ifindex
  71. type: u32
  72. -
  73. name: ifname
  74. type: string
  75. checks:
  76. max-len: 15
  77. -
  78. name: private-key
  79. type: binary
  80. doc: Set to all zeros to remove.
  81. display-hint: hex
  82. checks:
  83. exact-len: wg-key-len
  84. -
  85. name: public-key
  86. type: binary
  87. display-hint: hex
  88. checks:
  89. exact-len: wg-key-len
  90. -
  91. name: flags
  92. type: u32
  93. doc: |
  94. ``0`` or ``WGDEVICE_F_REPLACE_PEERS`` if all current peers should be
  95. removed prior to adding the list below.
  96. enum: wgdevice-flags
  97. -
  98. name: listen-port
  99. type: u16
  100. doc: Set as ``0`` to choose randomly.
  101. -
  102. name: fwmark
  103. type: u32
  104. doc: Set as ``0`` to disable.
  105. -
  106. name: peers
  107. type: indexed-array
  108. sub-type: nest
  109. nested-attributes: wgpeer
  110. doc: |
  111. The index/type parameter is unused on ``SET_DEVICE`` operations and is
  112. zero on ``GET_DEVICE`` operations.
  113. -
  114. name: wgpeer
  115. enum-name: wgpeer-attribute
  116. name-prefix: wgpeer-a-
  117. attr-cnt-name: --wgpeer-a-last
  118. attributes:
  119. -
  120. name: unspec
  121. type: unused
  122. value: 0
  123. -
  124. name: public-key
  125. type: binary
  126. display-hint: hex
  127. checks:
  128. exact-len: wg-key-len
  129. -
  130. name: preshared-key
  131. type: binary
  132. doc: Set as all zeros to remove.
  133. display-hint: hex
  134. checks:
  135. exact-len: wg-key-len
  136. -
  137. name: flags
  138. type: u32
  139. doc: |
  140. ``0`` and/or ``WGPEER_F_REMOVE_ME`` if the specified peer should not
  141. exist at the end of the operation, rather than added/updated and/or
  142. ``WGPEER_F_REPLACE_ALLOWEDIPS`` if all current allowed IPs of this
  143. peer should be removed prior to adding the list below and/or
  144. ``WGPEER_F_UPDATE_ONLY`` if the peer should only be set if it already
  145. exists.
  146. enum: wgpeer-flags
  147. -
  148. name: endpoint
  149. type: binary
  150. doc: struct sockaddr_in or struct sockaddr_in6
  151. checks:
  152. min-len: 16
  153. -
  154. name: persistent-keepalive-interval
  155. type: u16
  156. doc: Set as ``0`` to disable.
  157. -
  158. name: last-handshake-time
  159. type: binary
  160. struct: --kernel-timespec
  161. checks:
  162. exact-len: 16
  163. -
  164. name: rx-bytes
  165. type: u64
  166. -
  167. name: tx-bytes
  168. type: u64
  169. -
  170. name: allowedips
  171. type: indexed-array
  172. sub-type: nest
  173. nested-attributes: wgallowedip
  174. doc: |
  175. The index/type parameter is unused on ``SET_DEVICE`` operations and is
  176. zero on ``GET_DEVICE`` operations.
  177. -
  178. name: protocol-version
  179. type: u32
  180. doc: |
  181. Should not be set or used at all by most users of this API, as the
  182. most recent protocol will be used when this is unset. Otherwise,
  183. must be set to ``1``.
  184. -
  185. name: wgallowedip
  186. enum-name: wgallowedip-attribute
  187. name-prefix: wgallowedip-a-
  188. attr-cnt-name: --wgallowedip-a-last
  189. attributes:
  190. -
  191. name: unspec
  192. type: unused
  193. value: 0
  194. -
  195. name: family
  196. type: u16
  197. doc: IP family, either ``AF_INET`` or ``AF_INET6``.
  198. -
  199. name: ipaddr
  200. type: binary
  201. doc: Either ``struct in_addr`` or ``struct in6_addr``.
  202. display-hint: ipv4-or-v6
  203. checks:
  204. min-len: 4
  205. -
  206. name: cidr-mask
  207. type: u8
  208. -
  209. name: flags
  210. type: u32
  211. doc: |
  212. ``WGALLOWEDIP_F_REMOVE_ME`` if the specified IP should be removed;
  213. otherwise, this IP will be added if it is not already present.
  214. enum: wgallowedip-flags
  215. operations:
  216. enum-name: wg-cmd
  217. name-prefix: wg-cmd-
  218. list:
  219. -
  220. name: get-device
  221. value: 0
  222. doc: |
  223. Retrieve WireGuard device
  224. ~~~~~~~~~~~~~~~~~~~~~~~~~
  225. The command should be called with one but not both of:
  226. - ``WGDEVICE_A_IFINDEX``
  227. - ``WGDEVICE_A_IFNAME``
  228. The kernel will then return several messages (``NLM_F_MULTI``). It is
  229. possible that all of the allowed IPs of a single peer will not fit
  230. within a single netlink message. In that case, the same peer will be
  231. written in the following message, except it will only contain
  232. ``WGPEER_A_PUBLIC_KEY`` and ``WGPEER_A_ALLOWEDIPS``. This may occur
  233. several times in a row for the same peer. It is then up to the receiver
  234. to coalesce adjacent peers. Likewise, it is possible that all peers will
  235. not fit within a single message. So, subsequent peers will be sent in
  236. following messages, except those will only contain ``WGDEVICE_A_IFNAME``
  237. and ``WGDEVICE_A_PEERS``. It is then up to the receiver to coalesce
  238. these messages to form the complete list of peers.
  239. Since this is an ``NLA_F_DUMP`` command, the final message will always
  240. be ``NLMSG_DONE``, even if an error occurs. However, this ``NLMSG_DONE``
  241. message contains an integer error code. It is either zero or a negative
  242. error code corresponding to the errno.
  243. attribute-set: wgdevice
  244. flags: [uns-admin-perm]
  245. dump:
  246. pre: wg-get-device-start
  247. post: wg-get-device-done
  248. request:
  249. attributes:
  250. - ifindex
  251. - ifname
  252. reply: &all-attrs
  253. attributes:
  254. - ifindex
  255. - ifname
  256. - private-key
  257. - public-key
  258. - flags
  259. - listen-port
  260. - fwmark
  261. - peers
  262. -
  263. name: set-device
  264. value: 1
  265. doc: |
  266. Set WireGuard device
  267. ~~~~~~~~~~~~~~~~~~~~
  268. This command should be called with a wgdevice set, containing one but
  269. not both of ``WGDEVICE_A_IFINDEX`` and ``WGDEVICE_A_IFNAME``.
  270. It is possible that the amount of configuration data exceeds that of the
  271. maximum message length accepted by the kernel. In that case, several
  272. messages should be sent one after another, with each successive one
  273. filling in information not contained in the prior. Note that if
  274. ``WGDEVICE_F_REPLACE_PEERS`` is specified in the first message, it
  275. probably should not be specified in fragments that come after, so that
  276. the list of peers is only cleared the first time but appended after.
  277. Likewise for peers, if ``WGPEER_F_REPLACE_ALLOWEDIPS`` is specified in
  278. the first message of a peer, it likely should not be specified in
  279. subsequent fragments.
  280. If an error occurs, ``NLMSG_ERROR`` will reply containing an errno.
  281. attribute-set: wgdevice
  282. flags: [uns-admin-perm]
  283. do:
  284. request: *all-attrs