From 2a00fbe0c9d8b1d16d6b7ac326fce13d703374f8 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" 
Date: Mon, 11 Dec 2017 12:32:22 +0100
Subject: device: disable rp_filter for wireguard devices

Just like ipsec disables it with secpath, we can too, since allowedips is really the right mechanism for this.
---
 src/device.c | 7 +++++++
 src/tools/wg-quick.bash | 4 ----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/device.c b/src/device.c
index 31417ea..e6c49c5 100644
--- a/src/device.c
+++ b/src/device.c
@@ -44,6 +44,13 @@ static int open(struct net_device *dev)
 */
 IN_DEV_CONF_SET(dev_v4, SEND_REDIRECTS, false);
 IPV4_DEVCONF_ALL(dev_net(dev), SEND_REDIRECTS) = false;
+
+ /* TODO: when we merge to mainline, put this check in fib_validate_source in
+ * net/ipv4/fib_frontend.c, just like what currently happens with secpath_exists.
+ */
+ IN_DEV_CONF_SET(dev_v4, RP_FILTER, 0);
+ if (IPV4_DEVCONF_ALL(dev_net(dev), RP_FILTER) == 1)
+ IPV4_DEVCONF_ALL(dev_net(dev), RP_FILTER) = 2;
 }
 #ifndef COMPAT_CANNOT_USE_IN6_DEV_GET
 if (dev_v6)
diff --git a/src/tools/wg-quick.bash b/src/tools/wg-quick.bash
index b2acbff..c6736fe 100755
--- a/src/tools/wg-quick.bash
+++ b/src/tools/wg-quick.bash
@@ -167,10 +167,6 @@ add_default() {
 cmd ip $proto route add "$1" dev "$INTERFACE" table $DEFAULT_TABLE
 cmd ip $proto rule add not fwmark $DEFAULT_TABLE table $DEFAULT_TABLE
 cmd ip $proto rule add table main suppress_prefixlength 0
- local key value
- while read -r key _ value; do
- [[ $value -eq 1 ]] && sysctl -q "$key=2"
- done < <(sysctl -a -r '^net\.ipv4.conf\.[^ .=]+\.rp_filter$')
 return 0
 }
-- 
cgit v1.2.3-59-g8ed1b
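Review bot: The write `IPV4_DEVCONF_ALL(dev_net(dev), RP_FILTER) = 2;` relaxes reverse-path filtering from strict to loose for every interface in the network namespace, not only for this device, and the new comment does not say so; an administrator who deliberately set strict mode loses it with no trace the moment a WireGuard device is brought up. The per-interface `IN_DEV_CONF_SET(dev_v4, RP_FILTER, 0)` alone is presumably insufficient because the effective value is the stricter of `all` and the interface setting, which is why `all` is touched, but that reasoning and its side effect belong in the comment, e.g. `Note: this also downgrades the namespace-wide all.rp_filter from strict (1) to loose (2), which affects every interface in the netns.` I would also emit a message when the downgrade actually happens, e.g. `netdev_info(dev, "relaxing net.ipv4.conf.all.rp_filter from strict to loose\n");`, so the policy change is visible in the log. Whether the previous value is restored when the device is closed cannot be seen here, since `open` continues past the hunk and the close path is not in the patch.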