wg-quick: linux: use already configured addresses instead of in-memory

The ADDRESSES array might not have addresses added during PreUp. But moreover, nft(8) and iptables(8) don't like ip addresses in the form somev6prefix::someipv4suffix, such as fd00::1.2.3.4, while ip(8) can handle it. So by adding these first and then asking for them back, we always get normalized addresses suitable for nft(8) and iptables(8). Reported-by: Silvan Nagl <[email protected]>
WireGuard · Dec 17, 2019 · 2e52c41 · 2e52c41
1 parent 3721521
commit 2e52c41
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/src/tools/wg-quick/linux.bash b/src/tools/wg-quick/linux.bash
@@ -205,7 +205,7 @@ remove_firewall() {
 
 HAVE_SET_FIREWALL=0
 add_default() {
-	local table i
+	local table line
 	if ! get_fwmark table; then
 		table=51820
 		while [[ -n $(ip -4 route show table $table 2>/dev/null) || -n $(ip -6 route show table $table 2>/dev/null) ]]; do
@@ -224,11 +224,11 @@ add_default() {
 	printf -v nftcmd '%sadd chain %s %s preraw { type filter hook prerouting priority -300; }\n' "$nftcmd" "$pf" "$nftable"
 	printf -v nftcmd '%sadd chain %s %s premangle { type filter hook prerouting priority -150; }\n' "$nftcmd" "$pf" "$nftable"
 	printf -v nftcmd '%sadd chain %s %s postmangle { type filter hook postrouting priority -150; }\n' "$nftcmd" "$pf" "$nftable"
-	for i in "${ADDRESSES[@]}"; do
-		[[ ( $proto == -4 && $i != *:* ) || ( $proto == -6 && $i == *:* ) ]] || continue
-		printf -v restore '%s-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP %s\n' "$restore" "$INTERFACE" "${i%/*}" "$marker"
-		printf -v nftcmd '%sadd rule %s %s preraw iifname != %s %s daddr %s fib saddr type != local drop\n' "$nftcmd" "$pf" "$nftable" "$INTERFACE" "$pf" "${i%/*}"
-	done
+	while read -r line; do
+		[[ $line =~ .*inet6?\ ([0-9a-f:.]+)/[0-9]+.* ]] || continue
+		printf -v restore '%s-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP %s\n' "$restore" "$INTERFACE" "${BASH_REMATCH[1]}" "$marker"
+		printf -v nftcmd '%sadd rule %s %s preraw iifname != %s %s daddr %s fib saddr type != local drop\n' "$nftcmd" "$pf" "$nftable" "$INTERFACE" "$pf" "${BASH_REMATCH[1]}"
+	done < <(ip -o $proto addr show dev "$INTERFACE" 2>/dev/null)
 	printf -v restore '%sCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker"
 	printf -v nftcmd '%sadd rule %s %s postmangle meta l4proto udp mark %d ct mark set mark \n' "$nftcmd" "$pf" "$nftable" $table
 	printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta mark set ct mark \n' "$nftcmd" "$pf" "$nftable"