Development discussion of WireGuard
From: Jan De Landtsheer <jan.delandtsheer@gmail.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>,
	Jan De Landtsheer <jan@delandtsheer.eu>
Subject: Re: FR: interface ListenAddress (Aka:Multihomed server issue)
Date: Thu, 10 Aug 2017 20:50:15 +0000
Message-ID: <CABQfmN3uYPrhMzUOvQ9cphXVN3WwNE8YAXdyrTa_cYtfr=9BLA@mail.gmail.com>
In-Reply-To: <CAHmME9qNUzNqPQK-csdRou3Ndy5rqsugdMQ132_uADNOhmMeuw@mail.gmail.com>


TCP connections work all right, as they're established sockets, where the
kernel does the routing... I assumed you would search for the route yourself
;-)
rcu_dereference_bh(rt->dst.dev->ip_ptr) indeed does, as the packet
effectively comes in through the uplink.

In the firewall config I need to specify both interfaces (Uplink and Public,
eth1 and eth0 in the drawing) to filter:

  nft add rule ip filter input iif {Uplink,Public} jump public

and define my rules in the public chain:

  nft add rule ip filter public ip daddr 134.56.78.5 udp dport 443 accept

so a packet coming in on Uplink for the wg gets accepted only if the dst ip
matches.

nftables FTW ;-)

That in se is not very important if you have only one uplink, but if you
have multiple routes (default gw’s) you really need the ip behind the
uplinks.

But anyway, tested and confirmed to work now,

Many thanks for the quick reply

On Thu, Aug 10, 2017 at 9:46 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> Hi Jan,
>
> Thanks for the drawing. So the issue is that you want packets to exit
> through eth1 using the addresses of eth0. I believe applying this
> patch should enable that: http://ix.io/z3d Can you apply that and let
> me know if it works?
>
> I'm curious: do TCP connections generally work correctly with your
> configuration?
>
> Jason
>
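A complete nftables ruleset built around the two rules in Jan's reply, added here as an example (it is not code from the thread or from the WireGuard project); the interface names eth1/eth0, the address 134.56.78.5 and UDP port 443 are taken from the mail and assumed to be the uplink, the public interface and the WireGuard listen address/port:

```nft
#!/usr/sbin/nft -f
# Added example, not from the mailing-list thread. Interface names and
# the WireGuard address/port are assumptions taken from the mail.
define Uplink  = eth1            # default route leaves through here
define Public  = eth0            # carries the public address
define wg_addr = 134.56.78.5     # address WireGuard listens on (from the mail)
define wg_port = 443             # WireGuard ListenPort (from the mail)

flush ruleset

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Tunnel datagrams can arrive on either interface, so both are
        # sent through the same chain. The daddr match in that chain,
        # not the ingress interface, decides what is accepted.
        iif { $Uplink, $Public } jump public
    }

    chain public {
        # WireGuard: accept only when the packet is addressed to the
        # address the tunnel actually listens on.
        ip daddr $wg_addr udp dport $wg_port accept

        # Anything else aimed at the WireGuard port is counted before
        # being dropped, so misdirected or probing traffic is visible
        # in `nft list ruleset`.
        udp dport $wg_port counter drop
    }
}
```

Load it with `nft -f ruleset.nft`; with the policy drop on the input hook, any service other than WireGuard needs its own accept rule in the public chain.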

