Hello,

Under a setup where WireGuard is being used both on the host system and in VNET jails, doing a `service wireguard stop` or `service wireguard restart` on the host system unconditionally kldunloads if_wg, thus taking away the WireGuard tunnels from the jails (the interfaces simply disappear from the jails), requiring a manual wireguard restart in the jails (as long as if_wg is loaded).

On my own systems, I have simply commented out the kldunload bit from the host rc.d script as a workaround, but that's obviously not the right approach for the port. I actually don't know what the right approach would be. Perhaps an rcvar setting could be introduced to prevent the kldunload?

Thanks, kind regards
Which WireGuard rc.d script are you using? The one I wrote that's still stuck in PR/review, wg-quick, something else? Is it also unloaded if if_wg.ko is loaded via if_wg_load="YES" in /boot/loader.conf or kld_list="if_wg ..." in /etc/rc.conf?
I do not see a good reason to unload modules previously loaded on restarting services.
(In reply to crest from comment #1)
> Which WireGuard rc.d script are you using? The one I wrote from that's still
> stuck in PR/review, wg-quick, something else?

Is it https://reviews.freebsd.org/D41318 ?
(In reply to crest from comment #1)

I'm referring to the /usr/local/etc/rc.d/wireguard script, installed by the net/wireguard-tools port. The offending lines are:

    if kldstat -q -n if_wg; then
        if ! kldunload if_wg > /dev/null 2>&1; then
            warn "Can't unload if_wg module."
            return 1
        fi
    fi

This will unconditionally kldunload the if_wg module, whether it was loaded via /boot/loader.conf, manually, or by the above wireguard rc script.
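As an added example (not the port's rc.d script, and not something proposed in this thread beyond the rcvar idea in comment #0), here is what a guarded version of the stop logic quoted above could look like. The rcvar name `wireguard_unload_kmod` is hypothetical; the jail check assumes FreeBSD's jls(8) and an ifconfig(8) that accepts `-j jail` (13.0 and later), and it only recognises interfaces with the default `wg<N>` names, so interfaces renamed by wg-quick configs would be missed. The decision itself is a pure function so it can be exercised without a kernel module present.

```sh
#!/bin/sh
# Added example, not the net/wireguard-tools rc.d script: unload if_wg from a
# stop routine only when the operator opted in AND no VNET jail still owns a
# wg interface. Assumes kldstat(8)/kldunload(8), jls(8), ifconfig(8) -j, and
# the default wg<N> naming. wireguard_unload_kmod is a hypothetical rcvar;
# defaulting it to NO keeps the old "stop never unloads" behaviour for jails.

: ${wireguard_unload_kmod:="NO"}

# Print "jid:ifname" for every wg<N> interface that is still attached to a
# jail. Each failing command is caught with || so the function is also safe
# under "set -e" on a system without jails (or without jls at all).
wg_ifaces_in_jails() {
    jids=$(jls jid 2>/dev/null) || jids=""
    for jid in $jids; do
        ifs=$(ifconfig -j "$jid" -l 2>/dev/null) || ifs=""
        for ifn in $ifs; do
            case "$ifn" in
                wg[0-9]*) echo "$jid:$ifn" ;;
            esac
        done
    done
}

# Pure decision: $1 is the rcvar value, $2 is the output of wg_ifaces_in_jails.
# Returns 0 (unload allowed) only when the rcvar is a "yes" value and $2 is
# empty; returns 1 otherwise so the caller leaves the module loaded.
may_unload_if_wg() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) ;;
        *) return 1 ;;
    esac
    [ -z "$2" ] || return 1
    return 0
}

# Drop-in for the unconditional "kldstat -q -n if_wg && kldunload if_wg" block.
wireguard_stop_kmod() {
    kldstat -q -n if_wg 2>/dev/null || return 0   # not loaded: nothing to do
    in_jails=$(wg_ifaces_in_jails)
    if may_unload_if_wg "$wireguard_unload_kmod" "$in_jails"; then
        kldunload if_wg > /dev/null 2>&1 || {
            echo "Can't unload if_wg module." >&2
            return 1
        }
        return 0
    fi
    echo "Leaving if_wg loaded${in_jails:+ (still in use by jail: $in_jails)}"
    return 0
}
```

In a real rc.d script `wireguard_stop_kmod` would hang off the script's stop handling (for example as a stop_postcmd), and an operator who still wants the old reload-on-restart behaviour on a jail-free host would set `wireguard_unload_kmod="YES"` in /etc/rc.conf; everyone else keeps tunnels in jails intact across a host restart.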
I think the commit message from back then describes it pretty well:

    net/wireguard-tools: Unload if_wg kernel module after stop if it was loaded

    This helps to reload also the kernel module after an update with a simple
    restart or stop/start of the service.

https://svnweb.freebsd.org/ports?view=revision&revision=569184
(In reply to Bernhard Froehlich from comment #5)
> net/wireguard-tools: Unload if_wg kernel module after stop if it was loaded
> This helps to reload also the kernel module after an update with a simple
> restart or stop/start of the service.
> https://svnweb.freebsd.org/ports?view=revision&revision=569184

Then that will certainly interrupt WireGuard tunnels in VNET jails. Also, it does not work inside jails.

Given that:

1. WireGuard has been re-imported into base since 744bfb213144 (Import the WireGuard driver from zx2c4.com.)
2. It now works well in VNET jails.
3. It is stable enough, and for the support lifetime of a given release (e.g. 14.0) it should not get updated frequently (except for security issues / serious bugs).

IMO the previous commit https://svnweb.freebsd.org/ports?view=revision&revision=569184, which helps reload the if_wg kernel module, makes more trouble than it resolves. Users should be aware that they need to reload modules and then restart all wireguard services in / outside of jails.
The environment this rc script is used in has changed quite a bit over time. When it was written, the main purpose was to test the wireguard-kmod port and make sure that a wireguard restart also uses the new kmod. We had frequent updates and I am not sure if it worked in VNET jails.

Now the wireguard-kmod port is almost gone, so frequent updates might only happen on CURRENT where kernel and wg(4) are updated in sync, so a reboot is required anyway.

Looking a bit over the fence, kldunload seems to be a common practice in similar ports:

- net-mgmt/ng_ipacct
- net/ndproxy

Considering all of it, I think you are right and it makes sense to revert that commit.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c83f22d493f0736384be0b389122208955dcfbee

commit c83f22d493f0736384be0b389122208955dcfbee
Author:     Bernhard Froehlich <decke@FreeBSD.org>
AuthorDate: 2023-11-06 11:09:20 +0000
Commit:     Bernhard Froehlich <decke@FreeBSD.org>
CommitDate: 2023-11-06 11:09:20 +0000

    net/wireguard-tools: Revert kldunload from rc.d scripts

    Unloading the if_wg(4) kmod was added to the rc.d scripts to make sure that
    a service restart also reloads the kernel module. Now we don't have
    frequent updates anymore and the wireguard-kmod port will soon be gone,
    but people using this script face issues in VNET jails.

    This commit reverts 562d171b9dacad8f63e6e4a45035824b10b59341

    PR:             274428
    Reported by:    vedad@kajtaz.net

 net/wireguard-tools/Makefile                   | 2 +-
 net/wireguard-tools/files/wireguard_lite.in    | 7 -------
 net/wireguard-tools/files/wireguard_wgquick.in | 7 -------
 3 files changed, 1 insertion(+), 15 deletions(-)