firewall: do track wireguard connections not meant for us

Oops. Connection tracking is disabled for our wireguard connections
because of source address mangling. We still need to track outside
connections to allow inbound reply packets through the firewall.
Timotej Lazar 2025-07-19 12:01:24 +02:00
parent c53df0aa9c
commit 78e02134e7


@ -149,7 +149,7 @@ table inet filter {
table inet wireguard { table inet wireguard {
chain input { chain input {
type filter hook prerouting priority raw; policy accept type filter hook prerouting priority raw; policy accept
udp dport 51820 notrack \ ip daddr {{ wg_ip | ipaddr('address') }} udp dport 51820 notrack \
comment "Disable connection tracking for wireguard" comment "Disable connection tracking for wireguard"
} }
chain output { chain output {
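Review bot: the new match in the prerouting rule, `ip daddr {{ wg_ip | ipaddr('address') }} udp dport 51820 notrack`, only ever matches IPv4 even though the table is `inet`; if `wg_ip` can be rendered as an IPv6 address the rule will not load (or will silently match nothing), so either guard the template with the address family or add a parallel `ip6 daddr` rule. The intent, that only packets addressed to our own WireGuard endpoint skip conntrack while forwarded traffic to port 51820 elsewhere keeps being tracked (so the filter table sees established/related replies), is correct, but it is worth stating it in the rule comment, which still reads "Disable connection tracking for wireguard" and no longer describes the narrower scope. Also check the `chain output` that follows this hunk: if it carries a mirror `udp sport 51820 notrack` rule for locally generated packets, that rule is still unrestricted and should get the matching `ip saddr` condition, otherwise the two halves of the tracking exemption disagree.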