[PATCH] wg-quick: linux: add support for nft and prefer it

Jason A. Donenfeld Jason at zx2c4.com
Tue Dec 10 18:38:41 CET 2019


On Tue, Dec 10, 2019 at 6:30 PM Vasili Pupkin <diggest at gmail.com> wrote:
>
> On 10.12.2019 18:48, Jason A. Donenfeld wrote:
>
> > restore '%s-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP
> > nftcmd '%sadd rule %s %s preraw iifname != %s %s daddr %s fib saddr type != local drop
>
>
> I am trying to understand the rulesets. When you check the type of the
> source address of the incoming packet its type just can't be local to
> our machine, it is the address of the sender. The source address of the
> packet can only be local if the packet was sent from the same machine.
> Isn't this part of the rule redundant?

Those lines are supposed to do the same thing, by the way. If I
screwed up and they differ subtly, please let me know.

The ! --src-type LOCAL thing makes it so that you can still ping
yourself locally. "Allow loopback." This also has the side effect of
letting in dangerous packets that are masquerading as 127/8, but only
if you've explicitly opted in to net.ipv4.conf.lo.route_localnet=1 and
maybe one other safety knob, which nobody in their right mind does for
obvious reasons.
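An added model of what the two rules above match (not part of this thread or of wg-quick's code), assuming interface wg0 and WireGuard address 10.0.0.1, with a constructed set of addresses standing in for the kernel FIB's "local" type:

```python
from dataclasses import dataclass
import ipaddress

# Constructed stand-in for the kernel FIB: addresses configured on this host.
# "-m addrtype --src-type LOCAL" / "fib saddr type local" is true when the
# packet's source address is one of these (loopback included).
LOCAL_ADDRS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("192.0.2.10"),  # constructed LAN address
    ipaddress.ip_address("10.0.0.1"),    # constructed wg0 address
}

@dataclass
class Packet:
    iif: str     # interface the packet arrived on
    saddr: str
    daddr: str

def fib_saddr_is_local(pkt: Packet) -> bool:
    return ipaddress.ip_address(pkt.saddr) in LOCAL_ADDRS

def preraw_drops(pkt: Packet, interface: str, wg_addr: str) -> bool:
    """Predicate shared by both rules in the raw PREROUTING hook:
    iif != <interface> AND daddr == <wg_addr> AND saddr not local -> drop."""
    return (pkt.iif != interface
            and ipaddress.ip_address(pkt.daddr) == ipaddress.ip_address(wg_addr)
            and not fib_saddr_is_local(pkt))

def render_rules(interface: str, wg_addr: str, table: str) -> tuple[str, str]:
    """The iptables-restore line and the nft command the templates expand to.
    `table` is a placeholder for whatever table name the script created."""
    ipt = (f"-I PREROUTING ! -i {interface} -d {wg_addr} "
           f"-m addrtype ! --src-type LOCAL -j DROP")
    nft = (f"add rule ip {table} preraw iifname != {interface} "
           f"ip daddr {wg_addr} fib saddr type != local drop")
    return ipt, nft

if __name__ == "__main__":
    for line in render_rules("wg0", "10.0.0.1", "TABLE_PLACEHOLDER"):
        print(line)
    # Spoofed packet from the LAN aimed at the tunnel address: dropped.
    print(preraw_drops(Packet("eth0", "198.51.100.7", "10.0.0.1"), "wg0", "10.0.0.1"))
    # Local ping to our own wg0 address arrives on lo with a local source: allowed.
    print(preraw_drops(Packet("lo", "10.0.0.1", "10.0.0.1"), "wg0", "10.0.0.1"))
```

The fourth case in the test (source 127.0.0.1 arriving on eth0) shows what the message means by "dangerous packets masquerading as 127/8": the rule itself does not drop them, so the kernel's own rejection of such packets, disabled by route_localnet=1, is what keeps them out.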
