Package: wireguard
Version: 0.0.20191127-2
Severity: normal

Since upgrading to iptables 1.8.4, I can't use wg-quick to bring up an interface anymore. Here's a simple config that reproduces the problem:

[Interface]
Address = 10.0.1.1
PrivateKey = 0000000000000000000000000000000000000000000=

[Peer]
PublicKey = 0000000000000000000000000000000000000000000=
EndPoint = example.com:691
AllowedIPs = 0.0.0.0/0

Obviously those values are bogus and it won't work to actually pass traffic, but we should be able to bring up the interface. But I get:

$ wg-quick up $PWD/wg.conf
[#] ip link add wg type wireguard
[#] wg setconf wg /dev/fd/63
[#] ip -4 address add 10.0.1.1 dev wg
[#] ip link set mtu 1420 up dev wg
Error: ipv6: FIB table does not exist.
Dump terminated
[#] wg set wg fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -nw
iptables-restore: COMMIT expected at line 3
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg
$ ifconfig wg
wg: error fetching interface information: Device not found

whereas with iptables 1.8.3-2 from testing, I get:

$ wg-quick up $PWD/wg.conf
[#] ip link add wg type wireguard
[#] wg setconf wg /dev/fd/63
[#] ip -4 address add 10.0.1.1 dev wg
[#] ip link set mtu 1420 up dev wg
Error: ipv6: FIB table does not exist.
Dump terminated
[#] wg set wg fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -nw
$ ifconfig wg
wg: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.0.1.1  netmask 255.255.255.255  destination 10.0.1.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 296 (296.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Stracing wg-quick shows that it's trying to pass this to iptables-restore:

*raw
-I PREROUTING ! -i wg -d 10.0.1.1 -m addrtype ! --src-type LOCAL -j DROP -m comment --comment "wg-quick(8) rule for wg"

COMMIT
*mangle
-I POSTROUTING -m mark --mark 51820 -p udp -j CONNMARK --save-mark -m comment --comment \"wg-quick(8) rule for wg\"
-I PREROUTING -p udp -j CONNMARK --restore-mark -m comment --comment \"wg-quick(8) rule for wg\"
COMMIT

Note that blank line before the first COMMIT, which it seems the older version of iptables was happy to ignore, but 1.8.4 complains about. So possibly this is an iptables bug, but it seems like wireguard could be more careful about what it writes.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-2-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wireguard depends on:
ii  wireguard-dkms   0.0.20191127-2
ii  wireguard-tools  0.0.20191127-2

wireguard recommends no packages.

wireguard suggests no packages.

-- no debconf information
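As an added example (not part of the report, and not wg-quick's own code), a POSIX sh check that catches the malformed iptables-restore input described above before it is handed to "iptables-restore -n", plus a sanitizer that strips the stray empty line. The ruleset text is a constructed copy of what the strace in the report showed; the function names are made up for this example.

```shell
# Constructed copy of the ruleset wg-quick hands to iptables-restore in the
# report, including the stray empty line before the first COMMIT that
# iptables 1.8.4 rejects ("COMMIT expected at line 3").
RULESET_WITH_BLANK='*raw
-I PREROUTING ! -i wg -d 10.0.1.1 -m addrtype ! --src-type LOCAL -j DROP -m comment --comment "wg-quick(8) rule for wg"

COMMIT
*mangle
-I POSTROUTING -m mark --mark 51820 -p udp -j CONNMARK --save-mark -m comment --comment "wg-quick(8) rule for wg"
-I PREROUTING -p udp -j CONNMARK --restore-mark -m comment --comment "wg-quick(8) rule for wg"
COMMIT'

# Drop empty lines so every block is exactly: "*table", rules, COMMIT.
sanitize_ruleset() {
    printf '%s\n' "$1" | sed '/^$/d'
}

# Validate a ruleset before it reaches "iptables-restore -n": each *table
# block must be closed by COMMIT and must not contain an empty line.
# Returns 0 if well-formed, 1 otherwise with the offending line on stderr.
# The here-document keeps the loop in the current shell, so "return" works.
validate_ruleset() {
    in_table="" lineno=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        case "$line" in
            '#'*) ;;                         # comment line: ignored by iptables-restore
            '*'*)                            # table header, e.g. "*raw"
                [ -z "$in_table" ] || { echo "line $lineno: table $in_table not closed by COMMIT" >&2; return 1; }
                in_table="${line#\*}" ;;
            COMMIT)
                [ -n "$in_table" ] || { echo "line $lineno: COMMIT outside any table" >&2; return 1; }
                in_table="" ;;
            '')                              # the defect from the report
                [ -z "$in_table" ] || { echo "line $lineno: empty line inside table $in_table (COMMIT expected)" >&2; return 1; } ;;
            *)
                [ -n "$in_table" ] || { echo "line $lineno: rule outside any table" >&2; return 1; } ;;
        esac
    done <<EOF
$1
EOF
    [ -z "$in_table" ] || { echo "end of input: table $in_table not closed by COMMIT" >&2; return 1; }
    return 0
}
```

Run the validator on the sanitized text (sanitize_ruleset "$RULESET_WITH_BLANK") and only then pipe it to iptables-restore; the unsanitized copy fails the check at line 3, the same line iptables 1.8.4 reports.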