Re: [PATCH wireguard] wireguard: prevent ipv6 addrconf via IFF_NO_ADDRCONF flag

Next message: Alexander Sverdlin: "[PATCH 0/3] Add support for Baijie Helper A133 board"
Previous message: Guilherme Giacomo Simoes: "[PATCH] x86/vdso: fix incorrect size in munmap during map_vdso failure"
Next in thread: Jason A. Donenfeld: "Re: [PATCH wireguard] wireguard: prevent ipv6 addrconf via IFF_NO_ADDRCONF flag"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jason A. Donenfeld

Date: Sun May 03 2026 - 15:18:35 EST

On Sat, Mar 21, 2026 at 08:20:53PM +0100, Valentin Spreckels wrote:
> Hi Jason,
>
> On 11/03/2026 23:59, Jason A. Donenfeld wrote:
> > Hi Valentin,
> >
> > On Sun, Feb 08, 2026 at 06:05:45PM +0100, Valentin Spreckels wrote:
> >> Use the flag introduced in commit 8a321cf7becc6 ("net: add
> >> IFF_NO_ADDRCONF and use it in bonding to prevent ipv6 addrconf")
> >> instead of mangling the addr_gen_mode to prevent ipv6 addrconf.
> >
> > Can you give some more context here? Why was IFF_NO_ADDRCONF added when
> > the IN6_ADDR_GEN_MODE_NONE method has been working fine? What's the
> > difference between these approaches? I don't doubt that your patch is
> > correct, but I would like to better understand this.
>
> Only wireguard configures addr_gen_mode inside the kernel, otherwise it
> is only set by userspace; userspace is also able to overwrite the
> IFF_NO_ADDRCONF set by wireguard.
>
> Commit 8a321cf7becc ("net: add IFF_NO_ADDRCONF and use it in bonding to
> prevent ipv6 addrconf") introduces the private interface flag
> IFF_NO_ADDRCONF, which isn't accessible by userspace.
>
> Thus use the IFF_NO_ADDRCONF flag in wireguard.
>
>
> Does that answer your questions? If yes, I will submit a v2 with this as
> commit message.

I applied this here:
https://git.zx2c4.com/wireguard-linux/commit/?id=88427bcbe5bd3711de387b1c1f6540ef6fc05a78

Sorry for the delay! Patch looks good as-is, once I looked into the
internal mechanism.

Jason