wg-quick nft instead of iptables

From: Julian Wollrath <jwollrath@web.de>
To: wireguard@lists.zx2c4.com
Subject: wg-quick nft instead of iptables
Date: Tue, 3 Dec 2019 16:51:30 +0100	[thread overview]
Message-ID: <20191203165130.52f438ba@schienar> (raw)

[-- Attachment #1: Type: text/plain, Size: 418 bytes --]

Hi,

with the newest snapshot wg-quick unfortunately requires iptables while
I only have nftables installed. The attached diff handles the rules
with nftables instead, maybe somebody finds it useful. The small caveat
is, that the rule deletion might not work for everyone.


Cheers,
Julian

--
 ()  ascii ribbon campaign - against html e-mail
 /\                        - against proprietary attachments

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: wg-quick-nftables.diff --]
[-- Type: text/x-patch, Size: 1960 bytes --]

diff --git a/src/tools/wg-quick/linux.bash b/src/tools/wg-quick/linux.bash
index 4fecabb..719e668 100755
--- a/src/tools/wg-quick/linux.bash
+++ b/src/tools/wg-quick/linux.bash
@@ -190,8 +190,11 @@ remove_iptables() {
 			[[ $line == "-A"* ]] && found=1
 			printf -v restore '%s\n%s' "$restore" "${line/#-A/-D}"
 		done < <($iptables-save)
-		[[ $found -ne 1 ]] || echo "$restore" | cmd $iptables-restore -nw
+		#[[ $found -ne 1 ]] || echo "$restore" | cmd $iptables-restore -nw
 	done
+	nft delete rule inet raw prerouting handle $(nft list ruleset -a | grep 'iifname' | grep 'wg0' | sed 's/.*handle //')
+	nft delete rule inet mangle prerouting handle $(nft list ruleset -a | grep 'meta l4proto' | grep 'meta mark set ct' | sed 's/.*handle //')
+	nft delete rule inet mangle postrouting handle $(nft list ruleset -a | grep 'meta l4proto' | grep 'meta mark 0x' | sed 's/.*handle //')
 }

 HAVE_SET_IPTABLES=0
@@ -214,10 +217,13 @@ add_default() {
 	for i in "${ADDRESSES[@]}"; do
 		[[ ( $proto == -4 && $i != *:* ) || ( $proto == -6 && $i == *:* ) ]] || continue
 		printf -v restore '%s\n-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP %s\n' "$restore" "$INTERFACE" "${i%/*}" "$marker"
+		nft add rule "inet raw prerouting iifname != ${INTERFACE} ip daddr ${i%/*} fib saddr type != local counter drop"
 	done
 	printf -v restore '%s\nCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker"
 	[[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
-	echo "$restore" | cmd $iptables-restore -nw
+	nft add rule "inet mangle postrouting meta l4proto udp mark ${table} counter ct mark set mark"
+	nft add rule "inet mangle prerouting meta l4proto udp counter meta mark set ct mark"
+	#echo "$restore" | cmd $iptables-restore -nw
 	HAVE_SET_IPTABLES=1
 	return 0
 }

[-- Attachment #3: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
