Some potential bug in wg-quick re. fwmark and default route

Some potential bug in wg-quick re. fwmark and default route

[Saeid Akbari]

Hi,

Straight to the point :)
Suppose the following scenario:

On a client system I have 2 interfaces:
wg0 -> which has allowedips of 0.0.0.0; so it gets special treatment by wg-
quick -> so `ip rule add not fwmark 51820 table 51820`
wg1 -> which has a restrictive allowedips of 192.168.255.10/32 (not important)

also each one have a FwMark set in their config file:
wg0 -> 51800
wg1 -> 51820

Then: `wg-quick up wg0` and `wg-quick up wg1`

Now the problem is, when I do `wg-quick down wg1` it also deletes the default 
rules for wg0, as its fwmark is 51820 which belongs to table of wg0. I see 
that this might seem a little bit weird to do, but why rely on hard-coded 
numbers if we can use the ones provided by the user...

So wouldn't be better if `add_default()` function first checks if fwmark is 
present on device (thus config file) and use that as fwmark and table-id?

Like what `del_if()` does, borrowing its code:

```DEFAULT_TABLE=
add_default() {
	local fwmark
	fwmark="$(wg show "$INTERFACE" fwmark)"
	[[ $fwmark != off ]] && DEFAULT_TABLE=$(( fwmark )) # borrowed
	if [[ -z $DEFAULT_TABLE ]]; then
		DEFAULT_TABLE=51820
		while [[ -n $(ip -4 route show table $DEFAULT_TABLE) || -n $(ip -6 route 
show table $DEFAULT_TABLE) ]]; do
			((DEFAULT_TABLE++))
		done
	fi```

This way, default interface (the one having allowedips of 0.0.0.0) would 
register its own fwmark, and bringing down other interfaces, doesn't delete 
its rule.


+ But another issue, `del_if()` seems to assume that the interface is used as 
default route when a fwmark is present on it. This causes deletion of "from 
all lookup main suppress_prefixlength 0" when bringing down a non-default 
interface (in this scenario, wg1).

Any ideas?

Thanks.

Re: Some potential bug in wg-quick re. fwmark and default route

[Luis Ressel]

Hello Saeid,

I'm sorry your inquiry has gone unanswered for two weeks; it was simply
drowned by all the user questions. I'm glad I found it now, since you
raise a few interesting points.

As you have discovered, wg-quick is very limited (being the wacky shell
script that it is) and behaves oddly in some corner cases.

I'm drawing a few diagrams right now to see if I can find a way to
improve the add_route/add_default and del_if parts of wg-quick without
increasing the overall complexity too much. Both of your suggestions are
good ideas; if you have further input, that'd be much appreciated!

Cheers,
Luis

Re: Some potential bug in wg-quick re. fwmark and default route

[Jason A. Donenfeld]

Hi Saeid,

Your email got sent to my spam folder. Sorry about that. Thanks for
following up on this, Luis.

Based on Luis' analysis and first patch, I've written a fix here:
https://git.zx2c4.com/WireGuard/commit/?id=406709a6cfee08139daf6f6a58088c45e125e291

Let me know if this works as you expected.

Jason