
BoringTun should be Linux network namespace aware

Open ignatk opened this issue 4 years ago • 1 comment

Setup scenario:

  1. Create two network namespaces
  2. In each namespace create an interface with boringtun [-f] <some-iface>

Now I can use the wg(8) tool in either namespace (and probably from outside as well) to configure any interface in any network namespace. Moreover, if I use the same interface name in both namespaces, the wg(8) tool will show only 1 interface and setting configuration options using wg(8) actually overwrites both interface configs.

Expected behaviour (on parity with the kernel implementation):

I can independently create and configure a wireguard interface in each network namespace. The interfaces can even be named in the same way (for example wg0) and wg(8) sees and configures only interfaces from its own network namespace.

ignatk, May 10 '21 20:05

If you add the O_CLOEXEC flag in this line of tun_linux.rs, I think the issue is fixed.

  • let fd = match unsafe { open(b"/dev/net/tun\0".as_ptr() as _, O_RDWR) } {
  • let fd = match unsafe { open(b"/dev/net/tun\0".as_ptr() as _, O_RDWR | O_CLOEXEC) } {

ghost, May 27 '24 09:05
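Added example (not boringtun's code, not from either commenter): it opens a descriptor with and without the O_CLOEXEC flag the comment above proposes for the open() call in tun_linux.rs, and reads the close-on-exec bit back with fcntl(F_GETFD) so the effect can be checked rather than assumed. It assumes a Linux target, hard-codes the Linux values of the libc constants instead of pulling in the libc crate, and uses /dev/null as a stand-in for /dev/net/tun, which needs CAP_NET_ADMIN to open.

```rust
// Added example, not boringtun code. Shows what O_CLOEXEC changes about the
// descriptor returned by open(): whether it is closed on execve() or inherited
// by whatever program the process later executes.
use std::ffi::CString;
use std::os::raw::{c_char, c_int};

// Linux values of the libc constants used below (assumption: Linux target;
// avoids depending on the libc crate).
const O_RDWR: c_int = 2;
const O_CLOEXEC: c_int = 0o2000000;
const F_GETFD: c_int = 1;
const FD_CLOEXEC: c_int = 1;

extern "C" {
    fn open(path: *const c_char, flags: c_int, ...) -> c_int;
    fn fcntl(fd: c_int, cmd: c_int, ...) -> c_int;
    fn close(fd: c_int) -> c_int;
}

/// Open `path` with `flags` and report whether the resulting descriptor has
/// FD_CLOEXEC set, i.e. whether it would be dropped across an execve().
pub fn opens_close_on_exec(path: &str, flags: c_int) -> Result<bool, String> {
    let cpath = CString::new(path).map_err(|e| e.to_string())?;
    // SAFETY: cpath is a valid NUL-terminated string that outlives the call.
    let fd = unsafe { open(cpath.as_ptr(), flags) };
    if fd < 0 {
        return Err(format!("open({}) failed: {}", path, std::io::Error::last_os_error()));
    }
    // SAFETY: fd is a descriptor this function just opened and still owns.
    let fdflags = unsafe { fcntl(fd, F_GETFD) };
    unsafe { close(fd) };
    if fdflags < 0 {
        return Err(format!("fcntl(F_GETFD) failed: {}", std::io::Error::last_os_error()));
    }
    Ok(fdflags & FD_CLOEXEC != 0)
}

fn main() {
    // Before the proposed change: the descriptor survives any later execve().
    let before = opens_close_on_exec("/dev/null", O_RDWR).unwrap();
    // After: O_CLOEXEC sets close-on-exec atomically at open() time.
    let after = opens_close_on_exec("/dev/null", O_RDWR | O_CLOEXEC).unwrap();
    println!("O_RDWR only: cloexec={before}; O_RDWR|O_CLOEXEC: cloexec={after}");
}
```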