wg-quick nft instead of iptables

wg-quick nft instead of iptables

[Julian Wollrath]

[-- Attachment #1: Type: text/plain, Size: 418 bytes --]

Hi,

with the newest snapshot wg-quick unfortunately requires iptables while
I only have nftables installed. The attached diff handles the rules
with nftables instead, maybe somebody finds it useful. The small caveat
is, that the rule deletion might not work for everyone.


Cheers,
Julian

--
 ()  ascii ribbon campaign - against html e-mail
 /\                        - against proprietary attachments

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: wg-quick-nftables.diff --]
[-- Type: text/x-patch, Size: 1960 bytes --]

diff --git a/src/tools/wg-quick/linux.bash b/src/tools/wg-quick/linux.bash
index 4fecabb..719e668 100755
--- a/src/tools/wg-quick/linux.bash
+++ b/src/tools/wg-quick/linux.bash
@@ -190,8 +190,11 @@ remove_iptables() {
 			[[ $line == "-A"* ]] && found=1
 			printf -v restore '%s\n%s' "$restore" "${line/#-A/-D}"
 		done < <($iptables-save)
-		[[ $found -ne 1 ]] || echo "$restore" | cmd $iptables-restore -nw
+		#[[ $found -ne 1 ]] || echo "$restore" | cmd $iptables-restore -nw
 	done
+	nft delete rule inet raw prerouting handle $(nft list ruleset -a | grep 'iifname' | grep 'wg0' | sed 's/.*handle //')
+	nft delete rule inet mangle prerouting handle $(nft list ruleset -a | grep 'meta l4proto' | grep 'meta mark set ct' | sed 's/.*handle //')
+	nft delete rule inet mangle postrouting handle $(nft list ruleset -a | grep 'meta l4proto' | grep 'meta mark 0x' | sed 's/.*handle //')
 }

 HAVE_SET_IPTABLES=0
@@ -214,10 +217,13 @@ add_default() {
 	for i in "${ADDRESSES[@]}"; do
 		[[ ( $proto == -4 && $i != *:* ) || ( $proto == -6 && $i == *:* ) ]] || continue
 		printf -v restore '%s\n-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP %s\n' "$restore" "$INTERFACE" "${i%/*}" "$marker"
+		nft add rule "inet raw prerouting iifname != ${INTERFACE} ip daddr ${i%/*} fib saddr type != local counter drop"
 	done
 	printf -v restore '%s\nCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker"
 	[[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
-	echo "$restore" | cmd $iptables-restore -nw
+	nft add rule "inet mangle postrouting meta l4proto udp mark ${table} counter ct mark set mark"
+	nft add rule "inet mangle prerouting meta l4proto udp counter meta mark set ct mark"
+	#echo "$restore" | cmd $iptables-restore -nw
 	HAVE_SET_IPTABLES=1
 	return 0
 }

[-- Attachment #3: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: wg-quick nft instead of iptables

[Jörg Thalheim]

Have you tried if iptables-nftables-compat (might have different names,
depending distribution) works for the rules used in wg-quick?
Its a wrapper that translate iptables rules to nft transparently
by providing a iptables executable.


Julian Wollrath <jwollrath@web.de> writes:

> Hi,
>
> with the newest snapshot wg-quick unfortunately requires iptables while
> I only have nftables installed. The attached diff handles the rules
> with nftables instead, maybe somebody finds it useful. The small caveat
> is, that the rule deletion might not work for everyone.
>
>
> Cheers,
> Julian

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: wg-quick nft instead of iptables

[b13253]

nft is a replacement for iptables, and some distributions (e.g.
Debian) prefer using nft since it is more capable and advanced.

I think it is important to use nft first if it is installed on the
system, then fallback to iptables; rather than in the opposite order.
I suggest that it is better to modify the patch to support iptables
just in case nft is not pre-installed on some distros.

Best regards


On Mon, Dec 9, 2019 at 6:59 PM Jörg Thalheim <joerg@thalheim.io> wrote:
>
>
> Have you tried if iptables-nftables-compat (might have different names,
> depending distribution) works for the rules used in wg-quick?
> Its a wrapper that translate iptables rules to nft transparently
> by providing a iptables executable.
>
>
> Julian Wollrath <jwollrath@web.de> writes:
>
> > Hi,
> >
> > with the newest snapshot wg-quick unfortunately requires iptables while
> > I only have nftables installed. The attached diff handles the rules
> > with nftables instead, maybe somebody finds it useful. The small caveat
> > is, that the rule deletion might not work for everyone.
> >
> >
> > Cheers,
> > Julian
>
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: wg-quick nft instead of iptables

[Daniel Kahn Gillmor]

[-- Attachment #1.1: Type: text/plain, Size: 516 bytes --]

On Sun 2019-12-08 13:20:13 +0000, Jörg Thalheim wrote:
> Have you tried if iptables-nftables-compat (might have different names,
> depending distribution) works for the rules used in wg-quick?
> Its a wrapper that translate iptables rules to nft transparently
> by providing a iptables executable.

fwiw, i'd rather see wg-quick be capable of working with whichever
executable is installed, rather than expecting someone who uses wg-quick
to also have the iptables translation layer installed.

   --dkg

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard