author | 2019-12-17 14:14:13 +0100 | |
---|---|---|
committer | 2019-12-17 14:18:09 +0100 | |
commit | 2e52c410fd177d853104ba940e2341729586be81 (patch) | |
tree | 6541189819d1b7ed82b1df751893a81ad7968348 | |
parent | tools: adjust wg.8 syntax for consistency in COMMANDS section (diff) | |
wg-quick: linux: use already configured addresses instead of in-memory
The ADDRESSES array might not contain addresses that were added during PreUp.
Moreover, nft(8) and iptables(8) don't like ip addresses in the form
somev6prefix::someipv4suffix, such as fd00::1.2.3.4, while ip(8) can
handle it. So by adding these first and then asking for them back, we
always get normalized addresses suitable for nft(8) and iptables(8).
Reported-by: Silvan Nagl <mail@53c70r.de>
Diffstat (limited to '')
-rwxr-xr-x | src/tools/wg-quick/linux.bash | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/src/tools/wg-quick/linux.bash b/src/tools/wg-quick/linux.bash
index 423a2c7..e9c9052 100755
--- a/src/tools/wg-quick/linux.bash
+++ b/src/tools/wg-quick/linux.bash
@@ -205,7 +205,7 @@ remove_firewall() {
 HAVE_SET_FIREWALL=0
 add_default() {
- local table i
+ local table line
 if ! get_fwmark table; then
 table=51820
 while [[ -n $(ip -4 route show table $table 2>/dev/null) || -n $(ip -6 route show table $table 2>/dev/null) ]]; do
@@ -224,11 +224,11 @@ add_default() {
 printf -v nftcmd '%sadd chain %s %s preraw { type filter hook prerouting priority -300; }\n' "$nftcmd" "$pf" "$nftable"
 printf -v nftcmd '%sadd chain %s %s premangle { type filter hook prerouting priority -150; }\n' "$nftcmd" "$pf" "$nftable"
 printf -v nftcmd '%sadd chain %s %s postmangle { type filter hook postrouting priority -150; }\n' "$nftcmd" "$pf" "$nftable"
- for i in "${ADDRESSES[@]}"; do
- [[ ( $proto == -4 && $i != *:* ) || ( $proto == -6 && $i == *:* ) ]] || continue
- printf -v restore '%s-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP %s\n' "$restore" "$INTERFACE" "${i%/*}" "$marker"
- printf -v nftcmd '%sadd rule %s %s preraw iifname != %s %s daddr %s fib saddr type != local drop\n' "$nftcmd" "$pf" "$nftable" "$INTERFACE" "$pf" "${i%/*}"
- done
+ while read -r line; do
+ [[ $line =~ .*inet6?\ ([0-9a-f:.]+)/[0-9]+.* ]] || continue
+ printf -v restore '%s-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP %s\n' "$restore" "$INTERFACE" "${BASH_REMATCH[1]}" "$marker"
+ printf -v nftcmd '%sadd rule %s %s preraw iifname != %s %s daddr %s fib saddr type != local drop\n' "$nftcmd" "$pf" "$nftable" "$INTERFACE" "$pf" "${BASH_REMATCH[1]}"
+ done < <(ip -o $proto addr show dev "$INTERFACE" 2>/dev/null)
 printf -v restore '%sCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker"
 printf -v nftcmd '%sadd rule %s %s postmangle meta l4proto udp mark %d ct mark set mark \n' "$nftcmd" "$pf" "$nftable" $table
 printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta mark set ct mark \n' "$nftcmd" "$pf" "$nftable" |
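Review bot: The PREROUTING DROP rules now silently disappear when the `ip -o $proto addr show dev "$INTERFACE"` listing fails or prints nothing the regex accepts, because the exit status of a process substitution is never checked by errexit and the `2>/dev/null` on the `done` line hides the reason; with the old `ADDRESSES` loop a configured address always produced a rule, whereas now a failed listing (interface gone, `ip` erroring) is indistinguishable from an interface with no addresses and the rest of the firewall setup proceeds without the anti-spoofing rules. Consider capturing the listing first, `local addrs; addrs=$(ip -o $proto addr show dev "$INTERFACE") || return 1`, and feeding the loop with `done <<<"$addrs"`, so a failure is reported and stops the setup instead of degrading it. The reason for reading the addresses back from the kernel, given only in the commit message, is worth a comment above the `while` line, e.g. `# Read addresses back from the kernel rather than ADDRESSES: this also covers PreUp additions and yields normalized forms (fd00::1.2.3.4 -> fd00::102:304) that nft(8)/iptables(8) accept.` The enclosing add_default() starts and ends outside this hunk.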