firewall: move rpfilter to mangle.PREROUTING to fix conntrack #110197
This pull request has been mentioned on NixOS Discourse. There might be relevant details there:
successfully tested with module overlay

before patch, with

add patch in module overlay

/etc/nixos/configuration.nix

```nix
{
  imports = [
    ./hardware-configuration.nix
    ./extra-modules # module overlays: https://discourse.nixos.org/t/5282
  ];
}
```

/etc/nixos/extra-modules/default.nix

```nix
{
  ignorePaths = [
    "networking/helpers.nix"
  ];
}
```

/etc/nixos/extra-modules/networking/firewall.nix

```nix
{
  disabledModules = [ "services/networking/firewall.nix" ]; # FIXME only needed in module overlay
  ###### interface
```

after patch

as expected:
I marked this as stale due to inactivity.
Looks good, would be nice to get this in.
thanks for your review

i also wanted to show a notice to change config

```nix
{
  networking.firewall.checkReversePath = false; # -> show notice
  networking.firewall.checkReversePathNoticePR110197 = false; # -> hide notice
}
```

sample notice:
Not sure this is a good idea. There are many legitimate reasons for disabling rpfilter, such as when running a router.
rp_filter is "default on" for better security. It's just a warning in the console, similar to "option x was renamed".
Looks like somebody ran into this in the #wireguard IRC channel today. Any reason it's still pending?

It's me, I'm somebody. I'll probably have a few comments on this, let me just test it first.
Tested on both client and server, works fine. Restarting wg-quick reinstalls the `--restore-mark` rule correctly in the first position since `-I` is used.

We should probably also remove

nixpkgs/nixos/modules/services/networking/wg-quick.nix, lines 331 to 333 in d51fd78:

```nix
# This is forced to false for now because the default "--validmark" rpfilter we apply on reverse path filtering
# breaks the wg-quick routing because wireguard packets leave with a fwmark from wireguard.
networking.firewall.checkReversePath = false;
```

since this PR fixes the issue.

See firewalld/firewalld#603 for a similar issue fixed by moving the rpfilter check to the mangle table.
fixed 2 comments, rebased

I was suggesting doing this in this PR

Last nit: please prefix the commit message with (and maybe succinctly explain why this is needed in the commit description)
fix wireguard (wg-quick)

netfilter packet flow: raw.prerouting -> conntrack -> mangle.prerouting
rpfilter must be after conntrack, otherwise response packets are dropped

also adds https://ipset.netfilter.org/iptables-extensions.man.html
We already have
@bobby285271 why remove the approvals label?

I have a bot that runs https://github.com/nix-community/label-approved regularly and it removes approval labels in some cases, maybe we disable that behavior? /cc @Artturin

Anyway, please merge 😅

ping @SuperSandro2000 @NickCao @nrdxp guys, can we please merge this trivial patch?

Sorry, I am not very confident with networking.

No, it was requested by @zowoq
fix #51258

make conntrack work: rpfilter must be in the mangle table, after the conntrack stage. see the netfilter flowchart: input path, network layer

Motivation for this change

this patch is needed to make VPN work (wireguard protocol, configured with wg-quick, but probably also with openvpn protocol). otherwise the VPN server is not reachable (response packets are dropped)

workarounds:

- `ip route add $vpn_server_ip via $local_gateway_ip`, for example `ip route add 1.2.3.4 via 192.168.0.1`. this works, because this explicit route has a higher priority in the wg-quick routing config, so the return-path is found correctly
- configuration.nix: set `networking.firewall.checkReversePath = false;` to disable rpfilter completely (security risk!)

not tested yet, `nixos-rebuild switch` fails to compile (for other reasons than this patch)

thanks to another from #wireguard at freenode.net for finding the bug

Things done

- sandbox in nix.conf on non-NixOS linux)
- `nix-shell -p nixpkgs-review --run "nixpkgs-review wip"`
- `./result/bin/`
- `nix path-info -S` before and after)
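The ordering argument made in this description and in the wg-quick review comment above (raw PREROUTING runs before conntrack, mangle PREROUTING after it, and wg-quick restores its fwmark from the connmark in mangle) can be made concrete with a small simulation. The following is an added example, not code from nixpkgs, wg-quick or this PR: it models the input-path hook order, wg-quick's fwmark-based policy routing rules, and an rpfilter check with and without `--validmark`, then walks a reply packet from the VPN endpoint through both placements of the rpfilter rule. All addresses, routing tables and the conntrack entry are constructed for the example; the fwmark/table number 51820 is the value wg-quick typically picks.

```python
"""Simplified model of the netfilter input path behind this PR:
raw PREROUTING -> conntrack -> mangle PREROUTING. An rpfilter rule only sees the
connmark that wg-quick restores in mangle when the rule itself sits in mangle.
Added example; not code from nixpkgs or wg-quick. All state below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WG_TABLE = 51820            # wg-quick typically uses this as both fwmark and table id
ENDPOINT = "203.0.113.10"   # constructed VPN server address
LOCAL = "192.168.0.2"       # constructed LAN address of this host

# Constructed routing state after `wg-quick up`: the main table keeps the physical
# uplink, table 51820 sends everything through wg0.
MAIN = [(ip_network("192.168.0.0/24"), "eth0"), (ip_network("0.0.0.0/0"), "eth0")]
WG_ROUTES = [(ip_network("0.0.0.0/0"), "wg0")]

# Constructed conntrack entry for the handshake sent to the endpoint; wg-quick's
# `CONNMARK --save-mark` rule in mangle POSTROUTING stored the fwmark on that flow.
CONNTRACK = {(ENDPOINT, LOCAL): WG_TABLE}


@dataclass
class Packet:
    src: str
    dst: str
    iif: str
    mark: int = 0


def longest_match(table, dst):
    best = None
    for prefix, dev in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, dev)
    return best


def route_lookup(dst, mark):
    """Emulate wg-quick's policy rules for a route lookup of dst with the given fwmark."""
    dst = ip_address(dst)
    # "ip rule add table main suppress_prefixlength 0": LAN-specific routes win first
    hit = longest_match(MAIN, dst)
    if hit and hit[0].prefixlen > 0:
        return hit[1]
    # "ip rule add not fwmark 51820 table 51820": unmarked traffic enters the tunnel
    if mark != WG_TABLE:
        hit = longest_match(WG_ROUTES, dst)
        if hit:
            return hit[1]
    # main table again, this time including the default route (physical uplink)
    hit = longest_match(MAIN, dst)
    return hit[1] if hit else None


def reverse_path_ok(pkt, validmark=True):
    """rpfilter: pass if a packet back to the source would leave via the interface this
    one arrived on. With --validmark the packet's fwmark takes part in the lookup."""
    return route_lookup(pkt.src, pkt.mark if validmark else 0) == pkt.iif


def input_path(pkt, rpfilter_table, validmark=True):
    """Walk raw PREROUTING -> conntrack -> mangle PREROUTING and return the verdict."""
    assert rpfilter_table in ("raw", "mangle")
    # raw PREROUTING: before conntrack, so the packet still carries mark 0
    if rpfilter_table == "raw" and not reverse_path_ok(pkt, validmark):
        return "DROP"
    # conntrack: the packet is matched to its flow, making the saved connmark visible
    connmark = CONNTRACK.get((pkt.src, pkt.dst), 0)
    # mangle PREROUTING: wg-quick's `-I PREROUTING ... -j CONNMARK --restore-mark`
    # sits first (inserted with -I); the rpfilter chain appended after it sees the mark
    pkt.mark = connmark
    if rpfilter_table == "mangle" and not reverse_path_ok(pkt, validmark):
        return "DROP"
    return "ACCEPT"


def verdicts():
    """Verdicts for the reply packet discussed in the PR plus a spoofing check."""
    reply = lambda: Packet(src=ENDPOINT, dst=LOCAL, iif="eth0")
    spoof = lambda: Packet(src="192.168.0.50", dst=LOCAL, iif="wg0")  # LAN source on the tunnel
    return {
        "reply, rpfilter in raw": input_path(reply(), "raw"),
        "reply, rpfilter in mangle": input_path(reply(), "mangle"),
        "reply, mangle without --validmark": input_path(reply(), "mangle", validmark=False),
        "spoofed LAN source via wg0": input_path(spoof(), "mangle"),
    }


if __name__ == "__main__":
    for case, verdict in verdicts().items():
        print(f"{case}: {verdict}")
```

Running it shows the reply from the endpoint dropped with rpfilter in raw (the lookup runs with mark 0, so the reverse route points at wg0 rather than eth0) and accepted with rpfilter in mangle; the third case shows that the mangle placement alone is not enough without `--validmark`, and the fourth that a packet whose source belongs on the LAN but arrives over the tunnel is still dropped, so the move does not weaken the spoofing check.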