Hi,

With the newest snapshot, wg-quick unfortunately requires iptables, while
I only have nftables installed. The attached diff handles the rules
with nftables instead; maybe somebody finds it useful. The small caveat
is that the rule deletion might not work for everyone.


Cheers,
Julian

--
 ()  ascii ribbon campaign - against html e-mail
 /\                        - against proprietary attachments
diff --git a/src/tools/wg-quick/linux.bash b/src/tools/wg-quick/linux.bash
index 4fecabb..719e668 100755
--- a/src/tools/wg-quick/linux.bash
+++ b/src/tools/wg-quick/linux.bash
@@ -190,8 +190,11 @@ remove_iptables() {
 			[[ $line == "-A"* ]] && found=1
 			printf -v restore '%s\n%s' "$restore" "${line/#-A/-D}"
 		done < <($iptables-save)
-		[[ $found -ne 1 ]] || echo "$restore" | cmd $iptables-restore -nw
+		#[[ $found -ne 1 ]] || echo "$restore" | cmd $iptables-restore -nw
 	done
+	nft delete rule inet raw prerouting handle $(nft list ruleset -a | grep 'iifname' | grep 'wg0' | sed 's/.*handle //')
+	nft delete rule inet mangle prerouting handle $(nft list ruleset -a | grep 'meta l4proto' | grep 'meta mark set ct' | sed 's/.*handle //')
+	nft delete rule inet mangle postrouting handle $(nft list ruleset -a | grep 'meta l4proto' | grep 'meta mark 0x' | sed 's/.*handle //')
 }

 HAVE_SET_IPTABLES=0
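Review bot: The first added `nft delete` line selects the rule with `grep 'wg0'`, a hard-coded interface name, where the rest of the script works from `$INTERFACE`, so removal silently does nothing for any other interface. All three lookups also run loose patterns over the whole output of `nft list ruleset -a`, so a user's unrelated rule containing `iifname`, `meta mark set ct` or `meta mark 0x` can be picked up and deleted; the lookup should be restricted to the chain this script populates (`nft -a list chain inet raw prerouting`) and matched on the interface. The unquoted `$(...)` expands to several words when more than one rule matches (add_default adds one raw rule per address) and to nothing when none matches, giving an invalid `nft delete` in both cases, so delete one handle per call; the two mangle lines need the same treatment. The iptables restore line is commented out rather than removed, and the `$restore` string built above it is then never used; if nft replaces the iptables path, drop both rather than leave dead code. remove_iptables starts outside the hunk.
```shell
	# Look only in the chain this script fills, only at this interface's
	# rules, and delete one handle per call so several matches work.
	local handle
	while IFS= read -r handle; do
		[[ -n $handle ]] || continue
		cmd nft delete rule inet raw prerouting handle "$handle"
	done < <(nft -a list chain inet raw prerouting | grep -F -- "$INTERFACE" | sed 's/.*handle //')
	# … same pattern for inet mangle prerouting / postrouting, matched on the mark …
```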
@@ -214,10 +217,13 @@ add_default() {
 	for i in "${ADDRESSES[@]}"; do
 		[[ ( $proto == -4 && $i != *:* ) || ( $proto == -6 && $i == *:* ) ]] || continue
 		printf -v restore '%s\n-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP %s\n' "$restore" "$INTERFACE" "${i%/*}" "$marker"
+		nft add rule "inet raw prerouting iifname != ${INTERFACE} ip daddr ${i%/*} fib saddr type != local counter drop"
 	done
 	printf -v restore '%s\nCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker"
 	[[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
-	echo "$restore" | cmd $iptables-restore -nw
+	nft add rule "inet mangle postrouting meta l4proto udp mark ${table} counter ct mark set mark"
+	nft add rule "inet mangle prerouting meta l4proto udp counter meta mark set ct mark"
+	#echo "$restore" | cmd $iptables-restore -nw
 	HAVE_SET_IPTABLES=1
 	return 0
 }
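Review bot: The added `nft add rule "inet raw prerouting ... ip daddr ${i%/*} ..."` line uses `ip daddr` for every address, but the loop condition just above it admits IPv6 addresses when `$proto` is `-6`, and nft does not accept an IPv6 address after `ip daddr`; pick the family from the protocol, e.g. `local nfproto=ip`, `[[ $proto == -6 ]] && nfproto=ip6`, then `${nfproto} daddr ${i%/*}`. None of the three `nft add rule` lines creates the `inet raw` / `inet mangle` tables or their base chains first; iptables got those tables from the kernel, nftables only has what the user defined, so on a host with a bare ruleset each add fails. Tagging every rule with a `comment` (a constructed tag such as `"wg-quick rule for $INTERFACE"`) would let the removal in the earlier hunk delete exactly these rules instead of grepping the whole ruleset. The surrounding code routes iptables through `cmd`; the nft calls should go through it as well, and the two `printf -v restore` lines plus the commented-out restore line are dead once nft is used.
```shell
	# nftables has no built-in raw/mangle tables: create them (idempotent)
	# before adding rules; priorities mirror the iptables raw/mangle hooks.
	cmd nft add table inet raw
	cmd nft add chain inet raw prerouting '{ type filter hook prerouting priority -300; }'
	cmd nft add table inet mangle
	cmd nft add chain inet mangle prerouting '{ type filter hook prerouting priority -150; }'
	cmd nft add chain inet mangle postrouting '{ type filter hook postrouting priority -150; }'
	local nfproto=ip
	[[ $proto == -6 ]] && nfproto=ip6
	local tag="\"wg-quick rule for $INTERFACE\""   # nft needs its own quotes around the comment
	for i in "${ADDRESSES[@]}"; do
		[[ ( $proto == -4 && $i != *:* ) || ( $proto == -6 && $i == *:* ) ]] || continue
		cmd nft add rule inet raw prerouting iifname != "$INTERFACE" "$nfproto" daddr "${i%/*}" fib saddr type != local counter drop comment "$tag"
	done
	# … unchanged: sysctl src_valid_mark …
	cmd nft add rule inet mangle postrouting meta l4proto udp mark "$table" counter ct mark set mark comment "$tag"
	cmd nft add rule inet mangle prerouting meta l4proto udp counter meta mark set ct mark comment "$tag"
```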