From c65beb27a603956791dd6c6c6ef583c83c98c96b Mon Sep 17 00:00:00 2001
From: roof
Date: Wed, 10 Jun 2026 14:33:05 -0400
Subject: [PATCH] fix: remove sysctl rp_filter from WireGuard PostUp/PostDown

sysctl writes to /proc/sys/net/ are blocked in unprivileged containers (NET_ADMIN only, no SYS_ADMIN). The rp_filter=0 call at the end of PostUp caused wg-quick to tear down wg0 immediately on every start, putting cell-wireguard into a crash loop. Remove the sysctl lines from both the seed (setup_cell.py) and the API-regenerated (wireguard_manager.py) wg0.conf. Reverse-path filtering is an optimisation, not required for VPN functionality; the iptables FORWARD/MASQUERADE/DNAT rules all still work correctly without it. Found during clean-install hardening verification on pic1 (f4b8d5c).

Co-Authored-By: Claude Sonnet 4.6
---
 api/wireguard_manager.py | 6 ++----
 scripts/setup_cell.py | 6 ++----
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/api/wireguard_manager.py b/api/wireguard_manager.py
index e5c14c0..7e59f71 100644
--- a/api/wireguard_manager.py
+++ b/api/wireguard_manager.py
@@ -183,13 +183,11 @@ class WireGuardManager(BaseServiceManager):
 f'PostUp = iptables -A FORWARD -i %i -j DROP; '
 f'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; '
 f'{hairpin}'
- f'{dnat_up}; '
- f'sysctl -q net.ipv4.conf.all.rp_filter=0 || true\n'
+ f'{dnat_up}\n'
 f'PostDown = iptables -D FORWARD -i %i -j DROP 2>/dev/null || true; '
 f'iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null || true; '
 f'{hairpin_down}'
- f'{dnat_down}; '
- f'sysctl -q net.ipv4.conf.all.rp_filter=1 || true\n'
+ f'{dnat_down}\n'
 )
 
 @staticmethod
diff --git a/scripts/setup_cell.py b/scripts/setup_cell.py
index ca2a5f8..af07a04 100644
--- a/scripts/setup_cell.py
+++ b/scripts/setup_cell.py
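Review bot: The new `f'{dnat_up}\n'` line now terminates PostUp, so the generated shell line is well-formed only if `hairpin` and `dnat_up` always carry their own `; ` separators and never leave a bare `; ;` behind — that contract lives outside the hunk, so it is inferred here, and a short comment above the string builder would also stop the sysctl call from being re-added later, e.g. `# No sysctl in hooks: /proc/sys/net is read-only in NET_ADMIN-only containers, so wg0 inherits the host rp_filter default`. Worth stating for readers of this file that the dropped line disabled reverse-path filtering on every interface (`net.ipv4.conf.all`), which is an ingress anti-spoofing control rather than an optimisation, so its removal is a hardening gain rather than a regression. If strict rp_filter on the host ever drops asymmetric traffic through `%i`, the per-interface `net.ipv4.conf.<iface>.rp_filter` key is the narrower knob to document, not `all`. The enclosing method starts and ends outside the hunk; the same removal appears in the scripts/setup_cell.py hunk.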
@@ -147,11 +147,9 @@ def write_wg0_conf(private_key: str, address: str, port: int):
 f'Address = {address}\n'
 f'ListenPort = {port}\n'
 f'PostUp = iptables -A FORWARD -i %i -j ACCEPT; '
- f'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; '
- f'sysctl -q net.ipv4.conf.all.rp_filter=0\n'
+ f'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n'
 f'PostDown = iptables -D FORWARD -i %i -j ACCEPT; '
- f'iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; '
- f'sysctl -q net.ipv4.conf.all.rp_filter=1\n'
+ f'iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE\n'
 )
 with open(wg_conf, 'w') as f:
 f.write(content)
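Review bot: The seed config written here still diverges from the API-regenerated one in api/wireguard_manager.py on the rule that matters: this PostUp installs `iptables -A FORWARD -i %i -j ACCEPT` while the manager's installs `-j DROP`, so until the API first rewrites wg0.conf the cell appears to forward any peer traffic unfiltered — if that window is unintended, the seed should emit the same DROP rule or reuse the manager's builder. The `open(wg_conf, 'w')` at the end of the hunk creates a file that presumably contains `private_key` with umask-default permissions; `fd = os.open(wg_conf, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as f:` keeps it owner-only (needs `os` in scope). Unlike the manager's hooks, these PostDown commands carry no `2>/dev/null || true`, so a rule missing at teardown surfaces as a wg-quick failure; aligning the two generators would remove that difference. write_wg0_conf starts outside the hunk.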