openwrt route_allowed_ips is imprecise
Baptiste Jonglez
baptiste at bitsofnetworks.org
Tue Dec 20 02:13:34 CET 2016
On Sun, Dec 18, 2016 at 09:14:18PM +0100, Jason A. Donenfeld wrote:
> The way it should be done is described in wg-config:
>
> https://git.zx2c4.com/WireGuard/tree/contrib/examples/wg-config/wg-config#n130
>
> if [[ $AUTO_ROUTE -eq 1 ]]; then
>     for i in $(wg show "$INTERFACE" allowed-ips | cut -f 2 | tr -d ,); do
>         if ! add_default "$i" && [[ $(ip route get "$i") != *dev\ $INTERFACE\ * ]]; then
>             add_route "$i"
>         fi
>     done
> fi
> the important thing is that I run `ip route get` for each one, and only
> add a route if necessary.
By the way, besides the issue of magic, this approach seems incorrect
depending on the order of the routes. Consider the case where cmd_add()
handles the following sequence of allowed-ips:
10.0.0.0/8 dev wg0
10.4.7.0/24 dev wg0
10.4.0.0/16 dev wg1
Your method would incorrectly drop the second route, and then the third
route would take over traffic for this /24 through the wrong interface.
I'm sure this approach can be made to actually work in all cases (with
great complexity), but really, who cares about a few redundant routes.
Baptiste
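A small simulation of the ordering problem described in the message above, as an added example that is not part of the thread or of wg-config: it models longest-prefix-match lookup in Python and runs the "only add if `ip route get` does not already resolve to this device" heuristic over the same three allowed-ips in the same order. The `RoutingTable` class and `add_if_needed` helper are constructed for this illustration, and `ip route get` on a prefix is approximated by looking up the prefix's network address.

```python
import ipaddress

# Constructed model of the kernel routing table with longest-prefix-match
# lookup, used to show why the "skip if already routed via this dev" check
# depends on the order in which allowed-ips are processed.
class RoutingTable:
    def __init__(self):
        self.routes = []  # list of (network, dev)

    def add(self, prefix, dev):
        self.routes.append((ipaddress.ip_network(prefix), dev))

    def lookup(self, addr):
        """Longest-prefix match, like `ip route get`. Returns dev or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, dev in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        return best[1] if best else None

def add_if_needed(table, prefix, dev):
    """The wg-config heuristic: add the route only if the prefix does not
    already resolve to `dev`. Returns True when a route was added."""
    net = ipaddress.ip_network(prefix)
    if table.lookup(str(net.network_address)) == dev:
        return False
    table.add(prefix, dev)
    return True

# The allowed-ips sequence from the message, in the order cmd_add() sees it.
ALLOWED_IPS = [("10.0.0.0/8", "wg0"), ("10.4.7.0/24", "wg0"), ("10.4.0.0/16", "wg1")]

def apply_heuristic(entries=ALLOWED_IPS):
    """Process entries with the heuristic; return (table, per-entry added flags)."""
    table = RoutingTable()
    added = [add_if_needed(table, p, d) for p, d in entries]
    return table, added

def apply_always(entries=ALLOWED_IPS):
    """Baseline: install every allowed-ip as a route, redundant or not."""
    table = RoutingTable()
    for p, d in entries:
        table.add(p, d)
    return table

if __name__ == "__main__":
    heur, added = apply_heuristic()
    print("routes added:", added)                            # [True, False, True]
    print("10.4.7.1 via", heur.lookup("10.4.7.1"))           # wg1 (the /24 was dropped)
    print("10.4.7.1 via", apply_always().lookup("10.4.7.1")) # wg0
```

The heuristic skips 10.4.7.0/24 because the /8 already points at wg0, so once 10.4.0.0/16 via wg1 lands, the more specific /16 wins the lookup and the /24's traffic leaves through wg1.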