WireGuard Archive on lore.kernel.org
Subject: Policy routed packets are dropped by wireguard
From: Eugene
Date: 2019-09-14 23:59 UTC
To: wireguard

Hello!

I'm looking for technical advice.
Currently I'm trying to pass marked sessions through a WireGuard VPN network.

Marking is done by cgroups classid matching:
> iptables -A OUTPUT -m cgroup --cgroup 3735928559 -j MARK --set-xmark 0x1c3/0xffffffff

The only route in the `vpn` table is default routing through wg0:
> ip route add default dev wg0 table vpn

Routing rule is pretty simple:
> ip rule add fwmark 451 table vpn

Now I pass some packets on the interface:
> cgexec -g net_cls:vpn ping 10.0.1.1

I see packets reaching the interface but being dropped in the driver:
> tcpdump -i wg0 host 10.0.1.1
> ...
> 6 packets dropped by interface

The value in the 4th column (TX drop) is increasing in `/proc/net/dev` for wg0.

If I add a route to the default routing table and ping without assigning a cgroup to the process, then all is perfectly fine.
> ip route add 10.0.1.0/24 dev wg0

> ping 10.0.1.1
> PING 10.0.1.1 (10.0.1.1) 56(84) bytes of data.
> 64 bytes from 10.0.1.1: icmp_seq=1 ttl=64 time=46.1 ms

Is it some kind of bug or misconfiguration?

> uname -r
> 5.2.1-gentoo

Installed Gentoo package atom:
> =net-vpn/wireguard-0.0.20190913

Thanks for any help!

-- 
Eugene Bright
IT engineer
Tel: + 79257289622


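The setup in the message above has three pieces that all have to line up before a marked packet leaves the host encrypted: the fwmark rule must win the policy-routing lookup, the route in the `vpn` table must point at wg0, and WireGuard itself must have a peer whose AllowedIPs covers the destination (a packet sent into wg0 with no matching peer, or to a peer that never completes a handshake, goes nowhere). The script below is an added diagnostic, not code from the original post or from the WireGuard project. It reuses the post's names (wg0, the `vpn` table, mark 451); `check_vpn_path` runs the real `ip route get ... mark`, `wg show ... allowed-ips`, `wg show ... latest-handshakes` and `/proc/net/dev` checks on a live host, while the `SAMPLE_*` data and the `peer*_constructed_key=` names are constructed here so the parsing helpers can be exercised offline.

```sh
#!/bin/sh
# Added diagnostic helpers for a policy-routed WireGuard setup (not from the
# original post or the WireGuard project). wg0, table vpn and mark 451 are the
# post's; the two SAMPLE_* blobs below are constructed for offline testing.

# Constructed /proc/net/dev sample: wg0 shows 6 TX drops, eth0 none.
SAMPLE_PROC_NET_DEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 8812340   61234    0    0    0     0          0         0  5120034   42311    0    0    0     0       0          0
   wg0:       0       0    0    0    0     0          0         0        0       0    0    6    0     0       0          0'

# Constructed "wg show wg0 allowed-ips" sample (real output is "<pubkey>\t<cidr> ...").
SAMPLE_ALLOWED_IPS='peer1_constructed_key=	10.0.1.0/24 fd00:1::/64
peer2_constructed_key=	10.0.2.0/24 10.0.1.128/25'

# tx_drops IFACE: read /proc/net/dev text on stdin, print the transmit "drop"
# counter for IFACE. After the colon there are 8 RX then 8 TX counters, so TX
# drop is the 12th number; normalising "wg0:" to "wg0 " makes it awk field 13.
tx_drops() {
    sed 's/:/ /' | awk -v ifc="$1" '$1 == ifc { print $13; exit }'
}

# ip4_to_int 10.0.1.1 -> 167772417 (dotted quad as a 32-bit integer)
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR: exit 0 when IPv4 ADDR lies inside CIDR (a bare address
# counts as /32).
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# peer_for_dst DST: read "wg show IFACE allowed-ips" output on stdin and print
# the public key of the peer WireGuard would pick for DST, i.e. the longest
# matching AllowedIPs prefix (IPv6 entries are skipped). Exit 1 if no peer
# covers DST, which is exactly the case where wg0 cannot deliver the packet.
peer_for_dst() {
    dst=$1; best=-1; best_key=
    while read -r key cidrs; do
        for c in $cidrs; do
            case $c in *:*) continue ;; esac
            if in_cidr "$dst" "$c"; then
                case $c in */*) b=${c#*/} ;; *) b=32 ;; esac
                if [ "$b" -gt "$best" ]; then best=$b; best_key=$key; fi
            fi
        done
    done
    [ -n "$best_key" ] && printf '%s\n' "$best_key"
}

# check_vpn_path DST IFACE MARK: live check, run as root. Shows which rule and
# table the kernel picks for a packet to DST carrying MARK, whether a peer's
# AllowedIPs covers DST, that peer's latest handshake time, and the TX drop
# counter of IFACE.
check_vpn_path() {
    dst=$1; ifc=$2; mark=$3
    echo "== ip rule (the fwmark rule must precede the main-table rule)"
    ip rule show
    echo "== route the kernel chooses for $dst with mark $mark"
    ip route get "$dst" mark "$mark"
    echo "== peer whose AllowedIPs covers $dst on $ifc"
    if peer=$(wg show "$ifc" allowed-ips | peer_for_dst "$dst"); then
        echo "$peer"
        echo "== latest handshake with that peer (unix time, 0 = never)"
        wg show "$ifc" latest-handshakes | awk -v p="$peer" '$1 == p { print $2 }'
    else
        echo "none: $ifc has no peer to send this packet to"
    fi
    echo "== TX drops on $ifc"
    tx_drops "$ifc" < /proc/net/dev
}

# Usage on the live host (root needed for wg show):
#   check_vpn_path 10.0.1.1 wg0 451
```

Run `check_vpn_path` once from a shell outside the cgroup and once under `cgexec -g net_cls:vpn`, then compare: if `ip route get ... mark 451` reports `dev wg0` but `peer_for_dst` finds no peer, or the handshake time stays 0 while the TX drop counter climbs, the problem is on the WireGuard side (AllowedIPs or endpoint reachability) rather than in the routing tables.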
