rc/network
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: rc:9b03b002f78bf05feaa3794e0494824f5259edc1
Branches Tags
rc:master
..
compare: rc:24fc864e63889ab9652f259d9960120065dfbdbd
Branches Tags
rc:master

2 commits
9b03b002f7 ... 24fc864e63

Author SHA1 Message Date
Timotej Lazar
24fc864e63 firewall: don’t configure mdev for interface renaming 
Since Alpine 3.22 this is now done in default configuration.
 2025-07-18 18:49:51 +02:00
Timotej Lazar
6840838978 firewall: ensure wireguard egress traffic uses the anycast source IP 
Before we relied on the IP being first in the interfaces file, which
is less than optimal. Now we use nftables to ensure the correct source
IP is set only for the (fwmarked) wireguard traffic.

Also remove iface hints from interfaces configuration as they are not
needed with ifupdown-ng.
 2025-07-18 18:35:36 +02:00
5 changed files with 20 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

4
roles/firewall/handlers/main.yml
View file

@ -2,10 +2,6 @@
command: ifup --auto
when: "'handler' not in ansible_skip_tags"
- name: mkinitfs
command: mkinitfs
when: "'handler' not in ansible_skip_tags"
- name: reboot
reboot:
when: "'handler' not in ansible_skip_tags"

7
roles/firewall/tasks/main.yml
View file

@ -7,13 +7,6 @@
name: bash,bonding,iproute2
state: latest
- name: Tell mdev to rename network interfaces
lineinfile:
path: /etc/mdev.conf
line: '-net/.* root:root 600 @/sbin/nameif -s'
insertafter: '^# net devices'
notify: mkinitfs
- name: Tell ifupdown to also rename network interfaces
copy:
dest: /etc/network/if-pre-up.d/nameif

7
roles/firewall/templates/interfaces.j2
View file

@ -1,10 +1,9 @@
{% set addrs = interfaces | selectattr('name', '==', 'lo') | map(attribute='ip_addresses') | first -%}
source-directory /etc/network/interfaces.d
auto lo
iface lo inet loopback
address {{ wg_ip }}
iface lo
{% for address in addrs %}
address {{ address.address }}
{% endfor %}
source-directory /etc/network/interfaces.d

13
roles/firewall/templates/nftables.nft.j2
View file

@ -146,6 +146,19 @@ table inet filter {
}
}
table inet wireguard {
chain input {
type filter hook prerouting priority raw; policy accept
udp dport 51820 notrack \
comment "Disable connection tracking for wireguard"
}
chain output {
type route hook output priority raw; policy accept
meta mark 51820 meta nfproto ipv4 ip saddr set {{ wg_ip | ipaddr('address') }} notrack \
comment "Disable connection tracking and set anycast source IP for wireguard"
}
}
table ip nat {
include "/etc/nftables.d/interfaces.nft"
include "/etc/nftables.d/networks.nft"

5
roles/firewall/templates/wg.intf.j2
View file

@ -1,5 +1,8 @@
iface lo
address {{ wg_ip }}
auto wg
iface wg inet static
iface wg
use wireguard
{% if wg_net is defined %}
address {{ wg_net }}