From: Michael Wu <michael.apply@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: Bug report: Policy routed packets are dropped by wireguard
Date: Sun, 16 May 2021 01:36:33 +0800 [thread overview]
Message-ID: <CAOYRf2F9q-yWwUjoSe01pO1TaeGcF5vGqt8unmowoRJ3iCTP6w@mail.gmail.com> (raw)
Hello,
I'd like to confirm that the following problem seemed to be a bug, and
not configuration error:
https://lists.zx2c4.com/pipermail/wireguard/2019-September/004545.html
(Content dupated at the end of this email for easier reference)
On system 1 (kernel 4.15), everything worked as expected. However, on
system 2 (kernel 5.4), the issue described above is observed.
Regards,
Michael
[System 1]:
Ubuntu 18.04.5 LTS
4.15.0-128-generic #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020 x86_64
x86_64 x86_64 GNU/Linux
[System 2]:
Ubuntu 20.04.2 LTS
5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64
x86_64 x86_64 GNU/Linux
[Policy routed packets are dropped by wireguard]
Original mail: https://lists.zx2c4.com/pipermail/wireguard/2019-September/004545.html
Hello!
I'm looking for technical advice.
Currently I'm trying to pass marked sessions through wireguard VPN network.
Marking is done by cgroups classid matching:
> iptables -A OUTPUT -m cgroup --cgroup 3735928559 -j MARK --set-xmark 0x1c3/0xffffffff
The only route in the `vpn` table is default routing through wg0:
> ip route add default dev wg0 table vpn
Routing rule is pretty simple:
> ip rule add fwmark 451 table vpn
Now I pass some packets on the interface:
> cgexec -g net_cls:vpn ping 10.0.1.1
I see packets reaching interface but dropped in the driver:
> tcpdump -i wg0 host 10.0.1.1
> ...
> 6 packets dropped by interface
Value in 4th column (TX drop) is increasing in the `/proc/net/dev` for wg0.
If I add route to default routing table and do ping without assigning
cgroup to the process then all is perfectly fine.
> ip route add 10.0.1.0/24 dev wg0
> ping 10.0.1.1
> PING 10.0.1.1 (10.0.1.1) 56(84) bytes of data.
> 64 bytes from 10.0.1.1: icmp_seq=1 ttl=64 time=46.1 ms
Is it some kind of a bug of misconfiguration?
> uname -r
> 5.2.1-gentoo
Installed Gentoo package atom.
> =net-vpn/wireguard-0.0.20190913
Thanks for any help!
next reply other threads:[~2021-05-17 15:21 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-15 17:36 Michael Wu [this message]
2021-05-18 15:01 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAOYRf2F9q-yWwUjoSe01pO1TaeGcF5vGqt8unmowoRJ3iCTP6w@mail.gmail.com \
--to=michael.apply@gmail.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).