On Tue, Dec 10, 2019 at 6:30 PM Vasili Pupkin <[email protected]> wrote:
>
> On 10.12.2019 18:48, Jason A. Donenfeld wrote:
> >
> > restore '%s-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP
> > nftcmd '%sadd rule %s %s preraw iifname != %s %s daddr %s fib saddr type != local drop
>
> I am trying to understand the rulesets. When you check the type of the
> source address of the incoming packet, its type just can't be local to
> our machine; it is the address of the sender. The source address of the
> packet can only be local if the packet was sent from the same machine.
> Isn't this part of the rule redundant?
Those lines are supposed to do the same thing, by the way. If I screwed up
and they differ subtly, please let me know.

The ! --src-type LOCAL thing makes it so that you can still ping yourself
locally. "Allow loopback." This also has the side effect of letting in
dangerous packets that are masquerading as 127/8, but only if you've
explicitly opted in to net.ipv4.conf.lo.route_localnet=1 and maybe one other
safety knob, which nobody in their right mind does for obvious reasons.

_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
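To make the loopback exception and the route_localnet caveat concrete, here is an added model of the quoted rule's verdicts (an illustration written for this page, not wg-quick's or the kernel's code). The interface name, tunnel address and LAN address are constructed sample values; the address-type lookup is an approximation of what `fib saddr type` / `-m addrtype` return.

```python
"""Model of wg-quick's anti-spoof rule: iifname != wg0, daddr == tunnel addr,
fib saddr type != local  ->  drop.  Added example, not wg-quick's own code."""
import ipaddress
from dataclasses import dataclass

WG_IF = "wg0"                                   # constructed tunnel interface
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
WG_ADDR = ipaddress.ip_address("10.0.0.2")      # constructed tunnel address
# Constructed: addresses this host owns (tunnel address plus one LAN address).
LOCAL_ADDRS = {WG_ADDR, ipaddress.ip_address("192.0.2.10")}


@dataclass
class Packet:
    iif: str    # interface the packet arrived on ("lo" for locally generated)
    saddr: str
    daddr: str


def addr_type(addr):
    """Approximates 'fib saddr type' / '-m addrtype --src-type': an address the
    host owns, or anything in 127/8 (the local routing table), is 'local'."""
    ip = ipaddress.ip_address(addr)
    return "local" if ip in LOCAL_ADDRS or ip in LOOPBACK else "unicast"


def rule_drops(pkt):
    """The quoted raw PREROUTING rule, evaluated before the routing decision."""
    return (pkt.iif != WG_IF
            and ipaddress.ip_address(pkt.daddr) == WG_ADDR
            and addr_type(pkt.saddr) != "local")


def verdict(pkt, route_localnet=False):
    """Where the packet ends up: the wg-quick rule runs first; afterwards the
    routing code discards a 127/8 source on a non-loopback interface as a
    martian, unless route_localnet=1 has switched that check off."""
    if rule_drops(pkt):
        return "dropped by wg-quick rule"
    if (pkt.iif != "lo" and ipaddress.ip_address(pkt.saddr) in LOOPBACK
            and not route_localnet):
        return "dropped by kernel as martian"
    return "delivered"


if __name__ == "__main__":
    for p in (Packet("eth0", "203.0.113.5", "10.0.0.2"),  # plaintext from outside
              Packet("wg0", "10.0.0.1", "10.0.0.2"),      # arrived via the tunnel
              Packet("lo", "10.0.0.2", "10.0.0.2")):      # "ping yourself" case
        print(p.iif, p.saddr, "->", verdict(p))
```

The third packet answers the question in the quoted mail: a locally generated ping to the tunnel address loops back with a local source, which is the only case the `! --src-type LOCAL` clause lets through.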
