Gentoo Forums
Wireguard interface doesn't exist when nftables loads
gabrielg
Tux's lil' helper
Joined: 16 Nov 2012
Posts: 135

Posted: Sat Nov 02, 2024 3:06 pm    Post subject: Wireguard interface doesn't exist when nftables loads

Hi, all,
I'm looking for best practice advice regarding Wireguard and nftables. As the subject says: my nftables rules fail to load at boot time because the Wireguard interface is not yet up and running. Once the boot process completes, I can reload nftables and the system works correctly.

Some key details:
- I'm using wg-quick to set up the Wireguard interface
- Network management is done by netifrc
- I'm using OpenRC (I did try rc_need="wg-quick.interface" in /etc/conf.d/nftables but that caused an infinite loop)

Some more (perhaps irrelevant) details:
The reason why I need nftables rules on the Wireguard interface is that I have two systems connected by said Wireguard bridge that need to interact with one another on certain ports; one of these systems is connected to a network that has hosts that need to reach the remote system, for which I NAT those hosts on the Wireguard interface. Naturally, I'm using nftables to restrict which ports each host on the bridge can access and to masquerade the hosts on the network.

For now, the way in which I solved this is a somewhat crude method: I have two nftables configurations that are identical except that the non-default one adds the Wireguard interface definition and the associated rules. wg-quick loads the alternative set when it comes up and reloads the default set when it goes down. This approach has some drawbacks, therefore I'm here looking for better ideas.

Thanks!

Gabriel
zen_desu
n00b
Joined: 25 Oct 2024
Posts: 8

Posted: Sat Nov 02, 2024 3:33 pm    Post subject: Re: Wireguard interface doesn't exist when nftables loads

gabrielg wrote:
I'm looking for best practice advice regarding Wireguard and nftables. As the subject says: my nftables rules fail to load at boot time because the Wireguard interface is not yet up and running. Once the boot process completes, I can reload nftables and the system works correctly.

What do your nftables rules look like?

If you use "iif" or "oif", it requires the interface to be present. If you use "iifname" or "oifname", the rules should not do anything until the interface is added, then they become active.
_________________
µgRD dev
Wiki writer
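The iifname/oifname approach in the reply above, written out as a complete ruleset. This is an added example, not a config posted in the thread; the interface names (wg0, eth0), the LAN prefix, the peer address and the port numbers are assumptions chosen for illustration. The point it shows: because every tunnel rule matches on the interface name string rather than the interface index, the whole file loads at boot before wg-quick has created wg0, and the rules simply start matching once the interface appears.

```nft
#!/sbin/nft -f
# Added example: a single ruleset that can be loaded before wg0 exists.
# All names, addresses and ports below are assumptions for illustration.
flush ruleset

define WG_IF   = "wg0"            # assumed wg-quick interface name
define LAN_IF  = "eth0"           # assumed LAN-facing interface
define LAN_NET = 192.168.10.0/24  # assumed LAN prefix behind this host
define WG_PEER = 10.0.0.2         # assumed tunnel address of the remote system

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept           # "iif" is safe here: lo always exists at load time

        # Match the tunnel by NAME, not index: loads fine while wg0 is absent.
        # Only the ports the remote system is allowed to reach on this host.
        iifname $WG_IF ip saddr $WG_PEER tcp dport { 22, 5432 } accept

        # The WireGuard UDP port itself arrives on the physical interface.
        iifname $LAN_IF udp dport 51820 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may reach the remote system only on these ports.
        iifname $LAN_IF oifname $WG_IF ip daddr $WG_PEER tcp dport { 443, 8443 } accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Masquerade LAN hosts as they leave through the tunnel, again by name.
        ip saddr $LAN_NET oifname $WG_IF masquerade
    }
}
```

Check the file with `nft -c -f /etc/nftables.conf` while wg0 is down; it should parse cleanly, whereas the same rules written with `iif wg0`/`oif wg0` fail to load with an interface-does-not-exist error. One caveat with the index-based form beyond the boot-order problem: `iif`/`oif` compiles the interface name to its ifindex at load time, so after a `wg-quick down`/`wg-quick up` cycle the recreated wg0 usually gets a new index and an `iif wg0` rule loaded earlier silently stops matching, leaving the tunnel traffic to fall through to the chain policy. The name-based match has no such binding, which is what makes a single ruleset, loaded once at boot, sufficient here and removes the need for the two alternating configurations described in the first post.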