Gentoo Forums
Wireguard interface doesn't exist when nftables loads
gabrielg
Tux's lil' helper


Joined: 16 Nov 2012
Posts: 137

PostPosted: Sat Nov 02, 2024 3:06 pm    Post subject: Wireguard interface doesn't exist when nftables loads

Hi, all,
I'm looking for best practice advice regarding Wireguard and nftables. As the subject says: my nftables rules fail to load at boot time because the Wireguard interface is not yet up and running. Once the boot process completes, I can reload nftables and the system works correctly.

Some key details:
- I'm using wg-quick to set up the Wireguard interface
- Network management is done by netifrc
- I'm using OpenRC (I did try rc_need="wg-quick.interface" in /etc/conf.d/nftables but that caused an infinite loop)

Some more (perhaps irrelevant) details:
The reason why I need nftables rules on the Wireguard interface is that I have two systems connected by said Wireguard bridge that need to interact with one another on certain ports; one of those systems is connected to a network that has hosts that need to reach the remote system, for which I NAT those hosts on the Wireguard interface. Naturally, I'm using nftables to restrict which ports each host on the bridge can access and to masquerade the hosts on the network.

For now, the way in which I solved this is by a somewhat crude method: I have two nftables configurations that are identical except that the non-default one adds the Wireguard interface definition and the associated rules. wg-quick loads the alternative set when it comes up and reloads the default set when it goes down. This approach has some drawbacks, therefore I'm here looking for better ideas.

Thanks!

Gabriel
zen_desu
Tux's lil' helper


Joined: 25 Oct 2024
Posts: 94

PostPosted: Sat Nov 02, 2024 3:33 pm    Post subject: Re: Wireguard interface doesn't exist when nftables loads

What do your nftables rules look like?

If you use "iif" or "oif", it requires the interface to be present. If you use "iifname" or "oifname", the rules should not do anything until the interface is added, then they become active.
_________________
µgRD dev
Wiki writer
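As an added illustration of the iif/oif versus iifname/oifname distinction (not a ruleset posted by anyone in this thread), here is a minimal nftables file for the setup gabrielg describes: LAN hosts behind one peer are masqueraded onto the Wireguard tunnel and restricted to a few ports. The interface names lan0 and wg0, the 10.0.0.0/24 network and the port list are assumptions; the index-based form that breaks at boot is left commented out beside the name-based form that loads fine before wg0 exists.

```nft
#!/sbin/nft -f
# Added example: this file loads at boot even though wg0 does not exist yet.
# Assumed names: lan0 = LAN side, wg0 = tunnel, 10.0.0.0/24 = LAN network.
flush ruleset

# Keep the interface name quoted so the define stays a plain string; an
# unquoted symbol used with iif/oif is turned into an interface index while
# the file is parsed, which is why an error can be reported on the define line.
define wg_if       = "wg0"
define lan_if      = "lan0"
define lan_net     = 10.0.0.0/24
define allowed_tcp = { 22, 443 }

table inet wg {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # Name-based match: compared per packet against the device name, so
        # the rule simply never matches until an interface called wg0 appears.
        iifname $lan_if oifname $wg_if ip saddr $lan_net tcp dport $allowed_tcp accept

        # Index-based equivalent. nft resolves wg0 to an ifindex when loading
        # the file, so this line fails if wg-quick has not created wg0 yet,
        # which is the boot-time failure described in the thread:
        #   iif $lan_if oif $wg_if ip saddr $lan_net tcp dport $allowed_tcp accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Masquerade LAN hosts onto the tunnel, again matched by name.
        oifname $wg_if ip saddr $lan_net masquerade
    }
}
```

Running `nft -c -f` on this file while wg0 is down parses and validates it without loading it; uncommenting the iif/oif line makes the same check fail, which is a quick way to find rules of that kind before rebooting.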
gabrielg
Tux's lil' helper


Joined: 16 Nov 2012
Posts: 137

PostPosted: Sun Nov 03, 2024 9:54 am    Post subject: [SOLVED] Wireguard interface doesn't exist when nftables loads

Thanks, zen_desu - it was indeed a couple of rogue NAT rules that were using oif as opposed to oifname. I thought I had checked this, but nftables was failing on a define var = interface line, as opposed to the offending ones, so I was misled.
Thanks again for the help!
nicop
Tux's lil' helper


Joined: 10 Apr 2014
Posts: 104

PostPosted: Sun Nov 03, 2024 11:27 pm

Hi,

If I understood your request correctly, I believe I have this kind of thing in conf.d/net:
Code:
postup() {
   # Add the interface that just came up to the netdev chain "global ingress",
   # whose basic rules are applied to every interface.
   nft add chain netdev global ingress "{ devices = { ${IFACE} }; }"
   # The tunnel-specific table is only loaded once wg0 itself is up.
   if [ "${IFACE}" = "wg0" ]; then
      nft -f /var/lib/nftables/10rules-wg0.nft || exit 1
   fi
}

predown() {
   # Remove the interface from the shared ingress chain; ignore errors if it is not listed.
   nft delete chain netdev global ingress "{ devices = { ${IFACE} }; }" 2>/dev/null
   if [ "${IFACE}" = "wg0" ]; then
      # destroy, unlike delete, does not fail when the table is already gone
      nft destroy table inet wg0
   fi
   return 0
}


10rules-wg0.nft contains some pre/post-routing policies in a new table:
Code:
#!/sbin/nft -f
# $wg0_ip6, $wg0_sub6, $srcnat_XX_ip6 and $srcnat_ip6 come from this include
include "/var/lib/nftables/defines.nft"

table inet wg0 {
   chain preraw-wg0 {
      type filter hook prerouting priority raw; policy accept;
      # only locally originated traffic may reach the tunnel address
      iifname != "wg0" ip6 daddr $wg0_ip6 fib saddr type != local log prefix "fw wg0: " drop comment "Drop external ipv6 sources to wg0"
   }

   chain premangle-wg0 {
      type filter hook prerouting priority mangle; policy accept;
      # restore the packet mark from the connection mark for routing decisions
      meta l4proto udp meta mark set ct mark
   }

   chain postmangle-wg0 {
      type filter hook postrouting priority mangle; policy accept;
      # persist the routing mark on the connection
      meta l4proto udp meta mark 0x1cd40 ct mark set meta mark
   }

   chain postrouting-wg0 {
      type nat hook postrouting priority srcnat;
      iifname "wg0" ip6 saddr $wg0_sub6 oifname "gre0" snat ip6 to $srcnat_XX_ip6 comment "SRC-NAT VPN-IPV6 to XX"
      iifname "wg0" ip6 saddr $wg0_sub6 oif "enp3s0" snat ip6 to $srcnat_ip6 comment "SRC-NAT VPN-IPV6 to WAN"
   }
}
gabrielg
Tux's lil' helper


Joined: 16 Nov 2012
Posts: 137

PostPosted: Mon Nov 04, 2024 9:14 am

Hi, nicop,
Thank you for your help - I had solved the problem with the other post, but your solution would be good if I had a larger set of rules that depend on the Wireguard interface, so thank you.
Out of curiosity, are you starting your Wireguard interface with netifrc, rather than wg-quick directly?
nicop
Tux's lil' helper


Joined: 10 Apr 2014
Posts: 104

PostPosted: Mon Nov 04, 2024 9:50 am

Yes, netifrc. But a proposal for conf.d/net was recently updated in the wiki. Unlike this conf, I don't apply a rule to redirect all traffic.