What's the purpose of the wg-quick firewall rules?

Alexandru Scvortov wireguard at abstractbinary.org
Mon Jun 6 13:32:33 UTC 2022


Hi,

I'm trying to understand what the firewall rules that wg-quick adds do.

I see these rules being added:

```
table ip raw {
	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
		iifname != "wg0" ip daddr 10.10.1.2 fib saddr type != local  counter drop
		iifname != "wg0" ip daddr 10.10.0.2 fib saddr type != local  counter drop
	}
}
table ip mangle {
	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
		meta l4proto udp mark 0xca6c  counter ct mark set mark
	}

	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto udp  counter meta mark set ct mark
	}
}
```

The `raw` rules seem fine, but I can't figure out what the `mangle` rules are for. They're added in `add_default`, so they have something to do with the "route all traffic through Wireguard" functionality, but removing them doesn't seem to break anything on my laptop.

I think the first iteration of these were added in commit ebcf1ef8b1ad in wireguard-tools, but the commit message is "wg-quick: linux: filter bogus injected packets and don't disable rpfilter", and that doesn't make it any clearer to me.

What breaks if these rules aren't present?

Thank you.

Cheers,
Alex


More information about the WireGuard mailing list