From: Dashamir Hoxha <dashohoxha@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: [PATCH] wg-quick: linux: fix sysctl inside a docker container
Date: Thu, 15 Oct 2020 16:00:56 +0200
Message-ID: <CAMucfLxvG08p=Z+gR=YjePf1C40y9UiwgzHWgEwxp7jH5Ghviw@mail.gmail.com>
In Docker containers you cannot run `sysctl`. So, it is not possible to set
`sysctl -q net.ipv4.conf.all.src_valid_mark=1` from inside the container.
However, you can set it when creating the container, with the Docker option:
`--sysctl net.ipv4.conf.all.src_valid_mark=1`
This patch checks first if `net.ipv4.conf.all.src_valid_mark` is already set,
before trying to set it. Otherwise `sysctl` will fail in a docker container,
and `wg-quick` will fail to start the interface.
[-- Attachment #2: 0001-wg-quick-linux-fix-sysctl-inside-a-docker-container.patch --]
[-- Type: text/x-patch, Size: 1311 bytes --]
From bb1e5da4dea2570f209ed461ff9cab4c5328df2a Mon Sep 17 00:00:00 2001
From: Dashamir Hoxha <dashohoxha@gmail.com>
Date: Thu, 15 Oct 2020 15:24:15 +0200
Subject: [PATCH] wg-quick: linux: fix sysctl inside a docker container
Signed-off-by: Dashamir Hoxha <dashohoxha@gmail.com>
---
src/wg-quick/linux.bash | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index e4d4c4f..44f79f1 100755
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -237,7 +237,9 @@ add_default() {
printf -v restore '%sCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker"
printf -v nftcmd '%sadd rule %s %s postmangle meta l4proto udp mark %d ct mark set mark \n' "$nftcmd" "$pf" "$nftable" $table
printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta mark set ct mark \n' "$nftcmd" "$pf" "$nftable"
- [[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
+ if [[ $proto == -4 && $(sysctl -n net.ipv4.conf.all.src_valid_mark) == '0' ]]; then
+ cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
+ fi
if type -p nft >/dev/null; then
cmd nft -f <(echo -n "$nftcmd")
else
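Review bot: the new condition writes only when the read value is exactly '0', so if `sysctl -n net.ipv4.conf.all.src_valid_mark` fails or prints nothing (sysctl not installed, or a kernel without that knob) the write is skipped silently and the interface still comes up, now without the setting that the fwmark-based routing rules set up just above depend on. Comparing `!= '1'` keeps the original fail-loud behaviour in that case while still skipping the write when the value is already 1, e.g. `if [[ $proto == -4 && $(sysctl -n net.ipv4.conf.all.src_valid_mark) != '1' ]]; then`. Reading `/proc/sys/net/ipv4/conf/all/src_valid_mark` directly for the check would also avoid depending on the sysctl binary, which the cover letter says may be unusable inside the container; note as well that the read is not wrapped in `cmd`, so unlike the write it will not be echoed in the wg-quick log.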
--
2.25.1
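The idempotent check the cover letter describes, as an added example that is not part of the submitted patch or of wg-quick: a small POSIX sh helper that reads the knob from its procfs path, writes only when the value differs, and reports to the caller when the write is impossible (the read-only `/proc/sys` case in an unprivileged container). The function names `ensure_sysctl` and `ensure_src_valid_mark` are assumptions for this example; the test below exercises it on constructed temporary files rather than the real kernel knob.

```shell
#!/bin/sh
# Added example (not from the patch): an idempotent sysctl setter.
# It compares against the *desired* value rather than against '0', so an
# unreadable or missing knob is treated as "not set" and the write is
# still attempted, which keeps failures visible instead of masking them.
#
# ensure_sysctl PATH VALUE
#   returns 0 when PATH already holds VALUE, or when it was written successfully
#   returns 1 when it differs and could not be written (e.g. read-only /proc/sys)
ensure_sysctl() {
    _path=$1
    _want=$2
    # Read directly from procfs; this works in containers even when writing does not.
    _cur=$(cat "$_path" 2>/dev/null) || _cur=""
    if [ "$_cur" = "$_want" ]; then
        return 0    # already set, e.g. via `docker run --sysctl ...`
    fi
    # Value differs or is unreadable: attempt the write and report the outcome.
    if printf '%s\n' "$_want" > "$_path" 2>/dev/null; then
        return 0
    fi
    return 1
}

# Wrapper for the knob wg-quick needs for its fwmark-based default route.
ensure_src_valid_mark() {
    ensure_sysctl /proc/sys/net/ipv4/conf/all/src_valid_mark 1
}

# Stand-alone usage: report, but do not abort, when the knob cannot be set.
if [ "${1:-}" = "--run" ]; then
    if ensure_src_valid_mark; then
        echo "src_valid_mark is 1"
    else
        echo "src_valid_mark could not be set; start the container with --sysctl net.ipv4.conf.all.src_valid_mark=1" >&2
    fi
fi
```

A caller that wants the original fail-loud behaviour can simply `ensure_src_valid_mark || exit 1`; the point of returning a status instead of exiting inside the helper is that the container case ("already set at `docker run`, unwritable now") and the genuine-failure case ("not set and unwritable") are distinguishable by the caller.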