gabrielg (Tux's lil' helper)
Joined: 16 Nov 2012, Posts: 137
Posted: Sat Nov 02, 2024 3:06 pm
Post subject: Wireguard interface doesn't exist when nftables loads
Hi, all,
I'm looking for best-practice advice regarding Wireguard and nftables. As the subject says, my nftables rules fail to load at boot time because the Wireguard interface is not yet up and running. Once the boot process completes, I can reload nftables and the system works correctly.
Some key details:
- I'm using wg-quick to set up the Wireguard interface
- Network management is done by netifrc
- I'm using OpenRC (I did try rc_need="wg-quick.interface" in /etc/conf.d/nftables, but that caused an infinite loop)
Some more (perhaps irrelevant) details:
The reason I need nftables rules on the Wireguard interface is that I have two systems connected by said Wireguard bridge that need to interact with one another on certain ports; one of those systems is connected to a network that has hosts that need to reach the remote system, for which I NAT those hosts on the Wireguard interface. Naturally, I'm using nftables to restrict which ports each host on the bridge can access and to masquerade the hosts on the network.
For now, I have solved this by a somewhat crude method: I have two nftables configurations that are identical except that the non-default one adds the Wireguard interface definition and the associated rules. wg-quick loads the alternative set when it comes up and reloads the default set when it goes down. This approach has some drawbacks, so I'm here looking for better ideas.
Thanks!
Gabriel
zen_desu (n00b)
Joined: 25 Oct 2024, Posts: 10
Posted: Sat Nov 02, 2024 3:33 pm
Post subject: Re: Wireguard interface doesn't exist when nftables loads
What do your nftables rules look like?
If you use "iif" or "oif", it requires the interface to be present. If you use "iifname" or "oifname", the rules should not do anything until the interface is added; then they become active.
--
µgRD dev
Wiki writer
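The iif/oif versus iifname/oifname distinction above is exactly what makes a ruleset fail at boot when a tunnel interface is not up yet. As an added example (not code from the thread), here is a small POSIX sh lint that flags rules using the index-based form against a literal or defined interface name, run over a constructed sample ruleset; the sample's contents and the function names are made up for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread). "iif"/"oif" take an interface
# index that nft resolves while loading the ruleset, so the whole load fails
# if that interface (e.g. a wg-quick tunnel) is not up yet. "iifname"/"oifname"
# compare the name per packet: such rules load fine and just match nothing
# until the interface appears. This lint flags the fragile index-based form.
# Not covered: anonymous sets like `oif { eth0, eth1 }`. "lo" is skipped
# because it always exists.

# lint_nft_ifrefs FILE: prints offending "lineno:rule" lines; returns 1 if any
# were found, 0 if the ruleset is clean.
lint_nft_ifrefs() {
    hits=$(grep -nE '(^|[[:space:]])(iif|oif)[[:space:]]+(!=[[:space:]]*)?"?\$?[A-Za-z0-9_.@-]+"?' "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#' \
        | grep -vE '(iif|oif)[[:space:]]+"?lo"?([[:space:]]|$)' || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample ruleset mixing both forms (not from the thread).
write_sample_ruleset() {
    cat > "$1" <<'EOF'
#!/sbin/nft -f
define wan = "enp3s0"
table inet wg0 {
    chain postrouting-wg0 {
        type nat hook postrouting priority srcnat;
        # robust: interface matched by name, per packet
        iifname "wg0" oifname "enp3s0" masquerade
        # fragile: oif needs the interface to exist at load time
        iifname "wg0" oif "enp3s0" masquerade
        # same problem, hidden behind a define
        iifname "wg0" oif $wan masquerade
        iif lo accept
    }
}
EOF
}

# Stand-alone demo on the constructed sample: prints the two fragile rules.
tmp=$(mktemp)
write_sample_ruleset "$tmp"
lint_nft_ifrefs "$tmp" || echo "fragile iif/oif rules found, fix before boot"
rm -f "$tmp"
```

`nft -c -f FILE` (check only) also rejects the fragile form, but only while the interface is actually absent on that host; the lint above is static and catches it regardless.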
gabrielg (Tux's lil' helper)
Joined: 16 Nov 2012, Posts: 137
Posted: Sun Nov 03, 2024 9:54 am
Post subject: [SOLVED] Wireguard interface doesn't exist when nftables loads
Thanks, zen_desu - it was indeed a couple of rogue NAT rules that were using oif as opposed to oifname. I thought I had checked this, but nftables was failing on a "define var = interface" line, as opposed to the offending ones, so I was misled.
Thanks again for the help!
nicop (Tux's lil' helper)
Joined: 10 Apr 2014, Posts: 85
Posted: Sun Nov 03, 2024 11:27 pm
Hi,
If I understood your request correctly, I believe I have this kind of thing in conf.d/net:
Code:
postup() {
    # Add the interface that just came up to the device list of the global
    # netdev ingress chain (basic rules applied to every interface when up).
    nft add chain netdev global ingress "{ devices = { ${IFACE} }; }"
    # Only wg0 gets its own table; '=' rather than '==' keeps this POSIX sh.
    if [ "${IFACE}" = "wg0" ]; then
        nft -f /var/lib/nftables/10rules-wg0.nft || exit 1
    fi
}
predown() {
    # Counterpart of postup: take the interface out of the global chain;
    # errors (e.g. chain already gone) are ignored.
    nft delete chain netdev global ingress "{ devices = { ${IFACE} }; }" 2>/dev/null
    if [ "${IFACE}" = "wg0" ]; then
        # Drop the whole wg0 table together with the interface.
        nft destroy table inet wg0
    fi
    return 0
}
10rules-wg0.nft contains some pre/post-routing policies in a new table:
Code:
#!/sbin/nft -f
include "/var/lib/nftables/defines.nft"
table inet wg0 {
    chain preraw-wg0 {
        type filter hook prerouting priority raw; policy accept;
        iifname != "wg0" ip6 daddr $wg0_ip6 fib saddr type != local log prefix "fw wg0: " drop comment "Drop external ipv6 sources to wg0"
    }
    chain premangle-wg0 {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto udp meta mark set ct mark
    }
    chain postmangle-wg0 {
        type filter hook postrouting priority mangle; policy accept;
        meta l4proto udp meta mark 0x1cd40 ct mark set meta mark
    }
    chain postrouting-wg0 {
        type nat hook postrouting priority srcnat;
        iifname "wg0" ip6 saddr $wg0_sub6 oifname "gre0" snat ip6 to $srcnat_XX_ip6 comment "SRC-NAT VPN-IPV6 to XX"
        iifname "wg0" ip6 saddr $wg0_sub6 oif "enp3s0" snat ip6 to $srcnat_ip6 comment "SRC-NAT VPN-IPV6 to WAN"
    }
}
gabrielg (Tux's lil' helper)
Joined: 16 Nov 2012, Posts: 137
Posted: Mon Nov 04, 2024 9:14 am
Hi, nicop,
Thank you for your help - I had solved the problem with the other post, but your solution would be good if I had a larger set of rules that depend on the Wireguard interface, so thank you.
Out of curiosity, are you starting your Wireguard interface with netifrc, rather than with wg-quick directly?
nicop (Tux's lil' helper)
Joined: 10 Apr 2014, Posts: 85
Posted: Mon Nov 04, 2024 9:50 am
Yes, netifrc. But a proposal for conf.d/net was recently updated in the wiki. Unlike this conf, I don't apply a rule to redirect all traffic.