From 6d5ba7eb6ebf9c3da8789429cb010c7bb86650ca Mon Sep 17 00:00:00 2001
From: Krzysztof Burghardt
Date: Thu, 8 Aug 2024 09:17:52 +0200
Subject: [PATCH] NFT rules refactoring for easy-wg-quick own tables (#112)

---
 easy-wg-quick | 31 +++++++++++++++----------------
 tests/firewall.bats | 4 ++--
 2 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/easy-wg-quick b/easy-wg-quick
index 44ea1f2..8841dd1 100755
--- a/easy-wg-quick
+++ b/easy-wg-quick
@@ -291,25 +291,24 @@ EOF
 
 create_nft_rules() {
 cat << EOF
-PostUp = nft add table inet filter
-PostUp = nft add table ip nat
-PostUp = nft add chain inet filter %i-postrouting "{ type nat hook postrouting priority 100 ; }"
-PostUp = nft add chain inet filter %i-forward "{ type filter hook forward priority 0; }"
-PostUp = nft add chain ip nat %i-postrouting "{ type nat hook postrouting priority 100 ; }"
-PostUp = nft add rule inet filter %i-postrouting ip protocol tcp tcp flags "&(syn|rst)" == syn oifname $EXT_NET_IF tcp option maxseg size set rt mtu
-PostUp = nft add rule ip nat %i-postrouting oifname $EXT_NET_IF masquerade
-PostUp = nft add rule inet filter %i-forward iifname %i accept
-PostUp = nft add rule inet filter %i-forward oifname %i ct state related,established accept
-PostDown = nft delete chain inet filter %i-postrouting
-PostDown = nft delete chain inet filter %i-forward
-PostDown = nft delete chain ip nat %i-postrouting
+PostUp = nft add table inet easy-wg-quick-%i
+PostUp = nft add chain inet easy-wg-quick-%i forward "{ type filter hook forward priority 0; }"
+PostUp = nft add rule inet easy-wg-quick-%i forward iifname %i accept
+PostUp = nft add rule inet easy-wg-quick-%i forward oifname %i ct state related,established accept
+PostUp = nft add chain inet easy-wg-quick-%i postrouting "{ type nat hook postrouting priority 0; }"
+PostUp = nft add rule inet easy-wg-quick-%i postrouting ip protocol tcp tcp flags "&(syn|rst)" == syn oifname $EXT_NET_IF tcp option maxseg size set rt mtu
+PostUp = nft add table ip easy-wg-quick-%i
+PostUp = nft add chain ip easy-wg-quick-%i postrouting "{ type nat hook postrouting priority 0; }"
+PostUp = nft add rule ip easy-wg-quick-%i postrouting oifname $EXT_NET_IF masquerade
+PostDown = nft delete table inet easy-wg-quick-%i
+PostDown = nft delete table ip easy-wg-quick-%i
 EOF
 if $NET6 && test "$NET6MODE" = "masquerade"; then
 cat << EOF
-PostUp = nft add table ip6 nat
-PostUp = nft add chain ip6 nat %i-postrouting "{ 
type nat hook postrouting priority 100 ; }" -PostUp = nft add rule ip6 nat %i-postrouting oifname $EXT_NET_IF masquerade -PostDown = nft delete chain ip6 nat %i-postrouting +PostUp = nft add table ip6 easy-wg-quick-%i +PostUp = nft add chain ip6 easy-wg-quick-%i postrouting "{ type nat hook postrouting priority 0; }" +PostUp = nft add rule ip6 easy-wg-quick-%i postrouting oifname $EXT_NET_IF masquerade +PostDown = nft delete table ip6 easy-wg-quick-%i EOF fi } diff --git a/tests/firewall.bats b/tests/firewall.bats index 476b737..727dcfb 100755 --- a/tests/firewall.bats +++ b/tests/firewall.bats @@ -17,9 +17,9 @@ load teardown setup run ../easy-wg-quick [[ "$status" -eq 0 ]] [[ "${#lines[@]}" -gt 10 ]] - run grep 'nft add rule inet filter %i-forward' wghub.conf + run grep 'nft add rule inet easy-wg-quick-%i forward' wghub.conf [[ "$status" -eq 0 ]] - [[ "${lines[0]}" == "PostUp = nft add rule inet filter %i-forward iifname %i accept" ]] + [[ "${lines[0]}" == "PostUp = nft add rule inet easy-wg-quick-%i forward iifname %i accept" ]] } @test "run with firewall type set to firewalld" {
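Review bot: All three new postrouting chains in create_nft_rules() register at `priority 0`, whereas the lines they replace used `priority 100`, and the commit message (a table refactor) does not explain the change; nftables evaluates every table's chains hooked at postrouting in priority order, so a masquerade at 0 now runs ahead of any other table's chain sitting at the conventional srcnat position (100), which can change which NAT mapping wins on a host that also runs another firewall manager such as the firewalld backend the tests exercise. If the reordering is not intended, keep the old position with `"{ type nat hook postrouting priority srcnat; }"` on the inet, ip and (in the NET6 block) ip6 chain definitions; if it is intended, a one-line comment above the heredoc stating why would save the next reader the same question. Separately, `nft add table` and `nft add chain` are idempotent but `nft add rule` is not, so a table left behind by an interrupted PostDown accumulates duplicate rules on the next PostUp; now that each interface owns its tables, a leading `PostUp = nft delete table inet easy-wg-quick-%i 2>/dev/null || true` (and likewise for ip and ip6) would make the sequence self-healing, assuming wg-quick evaluates hook lines through a shell as it appears to. The second hunk (tests/firewall.bats) only asserts the forward accept rule, so the priority change is not covered by a test.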