FR: interface ListenAddress (Aka:Multihomed server issue)

Jan De Landtsheer jan.delandtsheer at gmail.com
Thu Aug 10 23:00:47 CEST 2017


Seeing the latest & greatest, this patch will not apply cleanly, so I don't
know ... is this train of thought going to be kept for later releases?

On Thu, Aug 10, 2017 at 10:50 PM Jan De Landtsheer <
jan.delandtsheer at gmail.com> wrote:

> TCP connections work all right, as they’re established sockets, where the
> kernel does the routing… I assumed you would search for the route yourself
> ;-)
> rcu_dereference_bh(rt->dst.dev->ip_ptr) indeed does, as the packet
> effectively comes in through the uplink.
>
> In the firewall config I need to specify both interfaces (Uplink and
> Public (eth1 and eth0 in the drawing) to filter
>
> nft add rule ip filter input iif {Uplink,Public} jump public and define
> my rules in the public chain
> nft add rule ip filter public ip daddr 134.56.78.5 udp dport 443 accept
> so a packet coming in on Uplink for the wg gets accepted only if the dst ip
> matches.
>
> nftables FTW ;-)
>
> That in se is not very important if you have only one uplink, but if you
> have multiple routes (default gw’s) you really need the ip behind the
> uplinks.
>
> But anyway, tested and confirmed to work now,
>
> Many thanks for the quick reply
>
> On Thu, Aug 10, 2017 at 9:46 PM Jason A. Donenfeld <Jason at zx2c4.com>
> wrote:
>
>> Hi Jan,
>>
>> Thanks for the drawing. So the issue is that you want packets to exit
>> through eth1 using the addresses of eth0. I believe applying this
>> patch should enable that: http://ix.io/z3d Can you apply that and let
>> me know if it works?
>>
>> I'm curious: do TCP connections generally work correctly with your
>> configuration?
>>
>> Jason
>>
>
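The firewall layout sketched in the quoted message, written out as a complete nftables ruleset file. This is an added example, not code from the thread or the WireGuard project: the interface names eth0/eth1, the address 134.56.78.5 and UDP port 443 follow the quoted text, while the default-drop policy, the conntrack rules and the logging counter for packets that hit the WireGuard port with the wrong destination address are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): ruleset for a WireGuard server whose
# public address lives on eth0 while the default route leaves via eth1, so
# tunnel packets for eth0's address can arrive on eth1.

define uplink  = eth1         # interface carrying the default route
define public  = eth0         # interface holding the public address
define wg_addr = 134.56.78.5  # address WireGuard listens on (from the thread)
define wg_port = 443          # WireGuard UDP listen port (from the thread)

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Tunnel packets may come in on either interface, so both are sent
        # through the same chain instead of trusting the ingress interface.
        iifname { $uplink, $public } jump public
    }

    chain public {
        # Accept only when the packet is really addressed to our public IP.
        ip daddr $wg_addr udp dport $wg_port counter accept

        # Same port, any other destination: count and log it so misrouted
        # or spoofed traffic is visible, then let the input policy drop it.
        udp dport $wg_port counter log prefix "wg-wrong-dst: " drop
    }
}
```

Load it with `nft -f` (check first with `nft -c -f`); `nft list counters` then shows how much traffic each of the two rules in `public` has matched.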