CVE-2019-14899 and iifname-based firewall

Julian Orth ju.orth at gmail.com
Thu Dec 5 19:13:05 CET 2019


Hello list, hello Jason,

I'm using the following nftables rules:

table inet filter {
     chain input {
         type filter hook input priority filter;
         # Replies to flows this host initiated (and related flows).
         ct state { established, related } accept

         [...]

         # Anything arriving through the WireGuard tunnel, from any peer.
         iifname "wg0" accept
         # WireGuard's own UDP listen port on the physical interface(s).
         udp dport 51820 accept

         [...]

         reject
     }
}

After reading about CVE-2019-14899 I'm unsure if this allows an attacker 
to inject packets into TCP connections.

If so, what is the best way to prevent this? Is setting rp_filter=1 
sufficient?

Independently of the CVE I want to confirm if my firewall rules do what 
I want them to do.
The nftables rules above are based on the following paragraph from 
wireguard.com:

 >[...] system administrators do not need complicated firewall
 >extensions [...] but rather they can simply match on "is it from this
 >IP? on this interface?", and be assured that it is a secure and
 >authentic packet

Is this idea correctly represented by the rule "iifname wg0 accept"? 
(I'm intentionally accepting connections from all peers in this case.)

Thank you
Julian

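As an added example (not code from Julian's post, from Jason, or from the WireGuard project), the script below renders a variant of the ruleset above and audits the rp_filter setting the post asks about. It assumes an interface wg0 on UDP 51820 and a made-up tunnel prefix 10.0.0.0/24 (IPv6 peers would need a matching ip6 saddr rule). Two things it shows that the post does not: the rendered ruleset carries nftables' own reverse-path check (`fib saddr . iif oif missing drop`), which applies to both IPv4 and IPv6 and does not depend on the rp_filter sysctl, and the tunnel rule matches on interface and source prefix together, which is the "is it from this IP? on this interface?" test in the quoted paragraph made explicit. The audit function reflects the kernel's documented rule that the effective rp_filter for an interface is the larger of conf/all and conf/<dev>, so a distribution default of all=2 silently overrides a per-interface 1. The audit only reports whether strict mode is actually in effect; whether that alone answers the CVE question is left open here, as in the post.

```shell
#!/usr/bin/env bash
# Added example, not from the mailing-list post or the WireGuard project.
# Assumptions: WireGuard interface wg0 on UDP 51820; 10.0.0.0/24 is an
# invented tunnel prefix standing in for the real AllowedIPs range.
set -eu

# Render a hardened ruleset. Beyond the posted one it adds a strict
# reverse-path check via nftables' fib expression (drops packets whose
# source address would not be routed back out the interface they came in
# on; covers inet = IPv4 and IPv6, independent of rp_filter) and pins the
# tunnel accept rule to the tunnel's source prefix.
render_ruleset() {
    wg_if="$1"; wg_port="$2"; wg_net="$3"
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority filter;

        # Reverse-path check: no route back to saddr via this iif -> drop.
        fib saddr . iif oif missing drop

        iifname "lo" accept
        ct state { established, related } accept
        ct state invalid drop

        # Tunnel traffic: cryptokey routing already binds saddr to a peer,
        # so interface + source prefix is the whole check.
        iifname "$wg_if" ip saddr $wg_net accept

        # WireGuard's UDP listen port on the physical side.
        udp dport $wg_port accept

        reject
    }
}
EOF
}

# Syntax-check the rendered ruleset without loading it (needs nft).
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
    render_ruleset "$@" | nft -c -f -
}

# Print "dev mode" for every interface whose *effective* IPv4 rp_filter
# is not strict (1). The kernel uses max(conf/all, conf/<dev>), so all=2
# (loose) overrides a per-interface 1. Takes the procfs root as argument
# so it can run against a copied or constructed tree; returns 1 if any
# non-strict interface was found. Note rp_filter is IPv4-only.
rp_filter_audit() {
    root="${1:-/proc}"; conf="$root/sys/net/ipv4/conf"
    bad=0
    all=$(cat "$conf/all/rp_filter")
    for d in "$conf"/*/; do
        dev=$(basename "$d")
        case "$dev" in all|default) continue ;; esac
        val=$(cat "$d/rp_filter")
        eff=$(( val > all ? val : all ))
        if [ "$eff" -ne 1 ]; then
            echo "$dev $eff"
            bad=1
        fi
    done
    return $bad
}

# Usage: ./script render | ./script audit
case "${1:-}" in
    render) render_ruleset wg0 51820 10.0.0.0/24 ;;
    check)  check_ruleset wg0 51820 10.0.0.0/24 ;;
    audit)  rp_filter_audit /proc ;;
esac
```

Run `audit` on the live host to see which interfaces are still in loose mode; the common finding is a per-interface 1 masked by net.ipv4.conf.all.rp_filter=2, which `sysctl -w net.ipv4.conf.all.rp_filter=1` fixes. The fib rule gives the same source-validation behaviour inside the ruleset itself, which is why it is placed before the `ct state` accept.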