From 6840838978c7097b508e02881db1d7d2f618ab3c Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Fri, 18 Jul 2025 18:35:36 +0200 Subject: [PATCH 1/2] firewall: ensure wireguard egress traffic uses the anycast source IP Before we relied on the IP being first in the interfaces file, which is less than optimal. Now we use nftables to ensure the correct source IP is set only for the (fwmarked) wireguard traffic. Also remove iface hints from interfaces configuration as they are not needed with ifupdown-ng. --- roles/firewall/templates/interfaces.j2 | 7 +++---- roles/firewall/templates/nftables.nft.j2 | 13 +++++++++++++ roles/firewall/templates/wg.intf.j2 | 5 ++++- 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/roles/firewall/templates/interfaces.j2 b/roles/firewall/templates/interfaces.j2 index fae0f3d..75980f2 100644 --- a/roles/firewall/templates/interfaces.j2 +++ b/roles/firewall/templates/interfaces.j2 @@ -1,10 +1,9 @@ {% set addrs = interfaces | selectattr('name', '==', 'lo') | map(attribute='ip_addresses') | first -%} -source-directory /etc/network/interfaces.d - auto lo -iface lo inet loopback - address {{ wg_ip }} +iface lo {% for address in addrs %} address {{ address.address }} {% endfor %} + +source-directory /etc/network/interfaces.d diff --git a/roles/firewall/templates/nftables.nft.j2 b/roles/firewall/templates/nftables.nft.j2 index 5afa559..bc45c0b 100644 --- a/roles/firewall/templates/nftables.nft.j2 +++ b/roles/firewall/templates/nftables.nft.j2 
@@ -146,6 +146,19 @@ table inet filter { } } +table inet wireguard { + chain input { + type filter hook prerouting priority raw; policy accept + udp dport 51820 notrack \ + comment "Disable connection tracking for wireguard" + } + chain output { + type route hook output priority raw; policy accept + meta mark 51820 meta nfproto ipv4 ip saddr set {{ wg_ip | ipaddr('address') }} notrack \ + comment "Disable connection tracking and set anycast source IP for wireguard" + } +} + table ip nat { include "/etc/nftables.d/interfaces.nft" include "/etc/nftables.d/networks.nft" diff --git a/roles/firewall/templates/wg.intf.j2 b/roles/firewall/templates/wg.intf.j2 index 266eef8..f66ff27 100644 --- a/roles/firewall/templates/wg.intf.j2 +++ b/roles/firewall/templates/wg.intf.j2 @@ -1,5 +1,8 @@ +iface lo + address {{ wg_ip }} + auto wg -iface wg inet static +iface wg use wireguard {% if wg_net is defined %} address {{ wg_net }} From 24fc864e63889ab9652f259d9960120065dfbdbd Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Fri, 18 Jul 2025 18:49:51 +0200 Subject: [PATCH 2/2] =?UTF-8?q?firewall:=20don=E2=80=99t=20configure=20mde?= =?UTF-8?q?v=20for=20interface=20renaming?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since Alpine 3.22 this is now done in default configuration. --- roles/firewall/handlers/main.yml | 4 ---- roles/firewall/tasks/main.yml | 7 ------- 2 files changed, 11 deletions(-) diff --git a/roles/firewall/handlers/main.yml b/roles/firewall/handlers/main.yml index d2beb3b..47d1eec 100644 --- a/roles/firewall/handlers/main.yml +++ b/roles/firewall/handlers/main.yml @@ -2,10 +2,6 @@ command: ifup --auto when: "'handler' not in ansible_skip_tags" -- name: mkinitfs - command: mkinitfs - when: "'handler' not in ansible_skip_tags" - - name: reboot reboot: when: "'handler' not in ansible_skip_tags" diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml index 83e748f..5220db0 100644 
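Review bot: The prerouting `udp dport 51820 notrack` rule in the new `table inet wireguard` is not limited to packets addressed to this host, so any forwarded UDP flow to port 51820 (for example a LAN client reaching an external WireGuard server through this firewall) is also left untracked and never reaches `table ip nat`, which would break masquerading and any `ct state` based filtering for that flow. Scope it to the address WireGuard is meant to answer on, `ip daddr {{ wg_ip | ipaddr('address') }} udp dport 51820 notrack`, or to local addresses in general with `fib daddr type local udp dport 51820 notrack`. The output rule only rewrites packets carrying mark 51820, which presumes the wg interface is configured with that fwmark; nothing in this patch shows where that is set, so a comment on the rule such as `# requires fwmark 51820 on the wg interface (not set here)` would make the coupling explicit. Since both directions are now untracked, the `filter` input chain (outside this hunk) must accept UDP/51820 explicitly rather than via `ct state established`, which is worth checking.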
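Review bot: The new `iface lo` / `address {{ wg_ip }}` stanza in wg.intf.j2 becomes a second definition of lo, because interfaces.j2 already declares `iface lo` with the addresses from `addrs` and now sources interfaces.d after it. Whether ifupdown-ng merges duplicate stanzas for the same interface or lets the later one replace the earlier is worth confirming, since in the replace case either the other loopback addresses or the anycast IP would silently not be configured. If merging is the documented behaviour, a one-line comment above the stanza, `# merged with the lo stanza in /etc/network/interfaces (ifupdown-ng merges duplicate iface blocks)`, records why the split is safe; otherwise keep the anycast address in interfaces.j2 and express the ordering with a `requires lo` line under `iface wg` instead.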
--- a/roles/firewall/tasks/main.yml +++ b/roles/firewall/tasks/main.yml @@ -7,13 +7,6 @@ name: bash,bonding,iproute2 state: latest -- name: Tell mdev to rename network interfaces - lineinfile: - path: /etc/mdev.conf - line: '-net/.* root:root 600 @/sbin/nameif -s' - insertafter: '^# net devices' - notify: mkinitfs - - name: Tell ifupdown to also rename network interfaces copy: dest: /etc/network/if-pre-up.d/nameif