author | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-12-11 12:32:22 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-12-11 12:32:22 +0100 |
commit | 2a00fbe0c9d8b1d16d6b7ac326fce13d703374f8 (patch) | |
tree | e425afc1789740163bc7d4ce853f3186fbcb5890 | |
parent | version: bump snapshot (diff) | |
device: disable rp_filter for wireguard devicesjd/built-in-rp-filter-adjustment
Just like ipsec disables it with secpath, we can too, since allowedips
is really the right mechanism for this.
-rw-r--r-- | src/device.c | 7 | ||||
-rwxr-xr-x | src/tools/wg-quick.bash | 4 |
2 files changed, 7 insertions, 4 deletions
diff --git a/src/device.c b/src/device.c
index 31417ea..e6c49c5 100644
--- a/src/device.c
+++ b/src/device.c
@@ -44,6 +44,13 @@ static int open(struct net_device *dev)
 */
 IN_DEV_CONF_SET(dev_v4, SEND_REDIRECTS, false);
 IPV4_DEVCONF_ALL(dev_net(dev), SEND_REDIRECTS) = false;
+
+ /* TODO: when we merge to mainline, put this check in fib_validate_source in
+ * net/ipv4/fib_frontend.c, just like what currently happens with secpath_exists.
+ */
+ IN_DEV_CONF_SET(dev_v4, RP_FILTER, 0);
+ if (IPV4_DEVCONF_ALL(dev_net(dev), RP_FILTER) == 1)
+ IPV4_DEVCONF_ALL(dev_net(dev), RP_FILTER) = 2;
 }
 #ifndef COMPAT_CANNOT_USE_IN6_DEV_GET
 if (dev_v6)
diff --git a/src/tools/wg-quick.bash b/src/tools/wg-quick.bash
index b2acbff..c6736fe 100755
--- a/src/tools/wg-quick.bash
+++ b/src/tools/wg-quick.bash
@@ -167,10 +167,6 @@ add_default() {
 cmd ip $proto route add "$1" dev "$INTERFACE" table $DEFAULT_TABLE
 cmd ip $proto rule add not fwmark $DEFAULT_TABLE table $DEFAULT_TABLE
 cmd ip $proto rule add table main suppress_prefixlength 0
- local key value
- while read -r key _ value; do
- [[ $value -eq 1 ]] && sysctl -q "$key=2"
- done < <(sysctl -a -r '^net\.ipv4.conf\.[^ .=]+\.rp_filter$')
 return 0
 }
 |
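Review bot: The added `if (IPV4_DEVCONF_ALL(dev_net(dev), RP_FILTER) == 1) ... = 2;` in open() silently downgrades the namespace-wide rp_filter from strict to loose, which relaxes reverse-path source validation on every interface in that netns rather than only on the wireguard device, and nothing in this commit appears to restore the previous value when the device goes away. The per-device `IN_DEV_CONF_SET(dev_v4, RP_FILTER, 0)` is the intended effect; the global write is a side effect an administrator would want to see logged, e.g. `pr_info("wireguard: %s: relaxing net.ipv4.conf.all.rp_filter from strict to loose\n", dev->name);` next to the assignment, plus a comment stating that the "all" value is changed for the whole namespace and is not reverted on close. The existing TODO explains the mainline plan but not this system-wide consequence. The enclosing open() body begins and ends outside the hunk, so whether the inner `if (dev_v4)` guard covers these lines should be confirmed there.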