A single fastd instance can now manage multiple TUN/TAP interfaces. This allows multiple peers and peer directories to be used in TUN mode, creating one interface for each peer. on-up and on-down scripts are run once for each interface.
By default, all interfaces are created on startup or peer reload; the option interface persist can be used to change this behaviour.
In addition to the multi-peer TUN mode, it is now also possible to make fastd create one interface per peer in TAP mode. This is enabled by the setting mode multitap (the option for multi-interface TUN mode is just mode tun, as there is no TUN mode which handles multiple peers on a single interface).
Multi-TAP mode is compatible with TAP mode, i.e. the remote peer may be configured in normal TAP mode (and may use a fastd version without multi-TAP support).
If explicit interface names are configured, these names must now be set for each peer, which may either be done explicitly, or using name patterns.
Peer-specific interfaces may also be configured with peer-specific MTUs.
Interface cleanup on FreeBSD/OpenBSD
FreeBSD and OpenBSD do not automatically destroy TUN/TAP interfaces. fastd will now destroy the interfaces it creates on these systems on exit.
Improved capability management
fastd will now automatically retain all POSIX capabilities it needs, so all options should now work without full root privileges.
The option drop capabilities force may be used to drop CAP_NET_ADMIN even when fastd would normally retain it.
More powerful peer groups
All on-* options may now be overridden per peer group.
In particular, the on-verify option may be moved into a peer group to determine the peer group of unconfigured peers. This allows a peer limit to be set for unconfigured peers without limiting the peer count globally.
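The following configuration is an added illustration, not taken from the fastd project or its documentation, of how the multi-interface and peer-group features described above fit together: multi-TAP mode with one interface per peer, a static peer with its own interface name and MTU, and a separate peer group that holds the on-verify option so that only dynamically verified peers are subject to a peer limit. The interface name pattern %n (peer name), the secret and key placeholders, the paths and the peer group names are assumptions of this example.

```text
# Added example configuration (not part of the fastd release notes).
mode multitap;              # one TAP interface per peer
interface "vpn-%n";         # pattern: %n is replaced by the peer name (assumed)
bind any:10000;
method "salsa2012+umac";
mtu 1426;                   # default MTU for all peer interfaces
secret "<PLACEHOLDER: this node's secret key>";
drop capabilities yes;      # CAP_NET_ADMIN is retained automatically where needed

# Statically configured peer with an explicit interface name and MTU.
peer "gateway" {
    key "<PLACEHOLDER: peer public key>";
    remote "gateway.example.net":10000;
    interface "vpn-gw";
    mtu 1280;
}

# Unlimited group for peers loaded from a peer directory.
peer group "static" {
    include peers from "/etc/fastd/peers";
}

# Unconfigured peers are placed in this group because on-verify lives here,
# so the peer limit applies to them only, not to the static peers above.
peer group "dynamic" {
    peer limit 20;
    on verify "/etc/fastd/verify.sh";
}
```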
- When linked with NaCl instead of libsodium, fastd would use SSE for salsa20/salsa2012 on x86 even after determining that SSE is not available. This led to crashes or transmission failures on CPUs like the Geode.
- Fix crash on x86-64 systems when built with certain combinations of GCC version and stack-protector compiler flags (observed on Fedora)
- fastd did reject configurations which contain neither static peers nor peer directories, but an on-verify option
- The status socket is now removed correctly if fastd exits with an error message
- fastd did exit with regular exit code 0 instead of re-raising the termination signal after cleanup
- Fix in-tree compile on non-Linux systems
- fastd now requires at least libuecc v6 (v7 recommended)
- Some error conditions that can’t be recovered from will now cause fastd to exit instead of just logging an error message. This allows service managers like systemd/procd to restart fastd, so proper operation can be restored.