Development discussion of WireGuard
From: Dashamir Hoxha <dashohoxha@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: [PATCH] wg-quick: linux: fix sysctl inside a docker container
Date: Thu, 15 Oct 2020 16:00:56 +0200
Message-ID: <CAMucfLxvG08p=Z+gR=YjePf1C40y9UiwgzHWgEwxp7jH5Ghviw@mail.gmail.com>

In Docker containers you cannot run `sysctl`. So, it is not possible to set
`sysctl -q net.ipv4.conf.all.src_valid_mark=1` from inside the container.
However, you can set it when creating the container, with the Docker option:
`--sysctl net.ipv4.conf.all.src_valid_mark=1`

This patch checks first if `net.ipv4.conf.all.src_valid_mark` is already set,
before trying to set it. Otherwise `sysctl` will fail in a docker container,
and `wg-quick` will fail to start the interface.

Attachment: 0001-wg-quick-linux-fix-sysctl-inside-a-docker-container.patch (text/x-patch)

From bb1e5da4dea2570f209ed461ff9cab4c5328df2a Mon Sep 17 00:00:00 2001
From: Dashamir Hoxha <dashohoxha@gmail.com>
Date: Thu, 15 Oct 2020 15:24:15 +0200
Subject: [PATCH] wg-quick: linux: fix sysctl inside a docker container

Signed-off-by: Dashamir Hoxha <dashohoxha@gmail.com>
---
 src/wg-quick/linux.bash | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index e4d4c4f..44f79f1 100755
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -237,7 +237,9 @@ add_default() {
 	printf -v restore '%sCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker"
 	printf -v nftcmd '%sadd rule %s %s postmangle meta l4proto udp mark %d ct mark set mark \n' "$nftcmd" "$pf" "$nftable" $table
 	printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta mark set ct mark \n' "$nftcmd" "$pf" "$nftable"
-	[[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
+	if [[ $proto == -4 && $(sysctl -n net.ipv4.conf.all.src_valid_mark) == '0' ]]; then
+		cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
+	fi
 	if type -p nft >/dev/null; then
 		cmd nft -f <(echo -n "$nftcmd")
 	else
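Review bot: the new condition `if [[ $proto == -4 && $(sysctl -n net.ipv4.conf.all.src_valid_mark) == '0' ]]` only attempts the write when the key reads exactly `0`, so when `sysctl -n` fails (key absent, or no `sysctl` binary) its empty output does not match and the write is silently skipped, whereas the removed line would have surfaced that failure through `cmd`. Comparing against the value actually wanted is safer and keeps the one-liner style of the surrounding code: `[[ $proto == -4 && $(sysctl -n net.ipv4.conf.all.src_valid_mark 2>/dev/null) != 1 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1`. The `2>/dev/null` matters because the read runs outside `cmd`, so any error it prints would otherwise appear without the usual prefix. The commit message should also say why the write fails inside Docker (a read-only `/proc/sys`), which the cover letter explains but the patch itself does not.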
-- 
2.25.1
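As an added example (not code from this patch or from wg-quick), the check-before-set idea described in the message above, written as a reusable POSIX sh helper. It operates on the /proc/sys file tree directly, which is what sysctl(8) writes to, so it can be exercised against a scratch directory through the assumed SYSCTL_ROOT variable. Unlike the patch, it compares the current value with the value wanted rather than with 0, and it distinguishes "already correct", "cannot read" and "cannot write"; the last is the read-only /proc/sys situation that makes sysctl fail in an unprivileged container.

```shell
#!/bin/sh
# Added example, not code from the patch or from wg-quick: an idempotent
# "set a sysctl only when it is not already at the wanted value" helper.
# It works on the /proc/sys file tree directly (the same files sysctl(8)
# writes), so it can be exercised against a scratch directory.
# SYSCTL_ROOT is an assumed knob for that purpose; it defaults to /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Map a dotted key such as net.ipv4.conf.all.src_valid_mark to its file.
# (Simplification: keys whose components themselves contain dots, such as
# a VLAN interface name, are not handled.)
sysctl_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# ensure_sysctl KEY VALUE
#   returns 0  KEY already held VALUE, or was set to it
#   returns 1  KEY does not exist or cannot be read
#   returns 2  KEY holds another value and the write failed (for example
#              because /proc/sys is mounted read-only in the container)
ensure_sysctl() {
    key=$1
    want=$2
    path=$(sysctl_path "$key")
    have=$(cat "$path" 2>/dev/null) || {
        echo "ensure_sysctl: cannot read $key" >&2
        return 1
    }
    # Compare with the value we want, not with 0: anything else, including
    # an unexpected string, means the write is still required.
    if [ "$have" = "$want" ]; then
        return 0
    fi
    if printf '%s\n' "$want" > "$path" 2>/dev/null; then
        return 0
    fi
    echo "ensure_sysctl: $key is '$have', could not set it to $want" >&2
    return 2
}

# Typical call site in an interface-setup script (assumed usage):
#   ensure_sysctl net.ipv4.conf.all.src_valid_mark 1 || exit 1
```

When the container was started with `--sysctl net.ipv4.conf.all.src_valid_mark=1`, the read returns the wanted value and no write is attempted, so a read-only /proc/sys is never touched; when it was not, the helper still tries the write and reports the failure instead of hiding it.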


Thread overview: [no followups]