roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Wiki Activity

fix: remove sysctl rp_filter from WireGuard PostUp/PostDown
Unit Tests / test (push) Failing after 11m57s
Details

Browse Source 
sysctl writes to /proc/sys/net/ are blocked in unprivileged containers
(NET_ADMIN only, no SYS_ADMIN). The rp_filter=0 call at the end of
PostUp caused wg-quick to tear down wg0 immediately on every start,
putting cell-wireguard into a crash loop.

Remove the sysctl lines from both the seed (setup_cell.py) and the
API-regenerated (wireguard_manager.py) wg0.conf. Reverse-path filtering
is an optimisation, not required for VPN functionality; the iptables
FORWARD/MASQUERADE/DNAT rules all still work correctly without it.

Found during clean-install hardening verification on pic1 (f4b8d5c).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
roof
2026-06-10 14:33:05 -04:00
parent f4b8d5c4f7
commit c65beb27a6
2 changed files with 4 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
api/wireguard_manager.py
+2 -4
View File
@@ -183,13 +183,11 @@ class WireGuardManager(BaseServiceManager):
f'PostUp = iptables -A FORWARD -i %i -j DROP; ' f'PostUp = iptables -A FORWARD -i %i -j DROP; '
f'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ' f'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; '
f'{hairpin}' f'{hairpin}'
f'{dnat_up}; ' f'{dnat_up}\n'
f'sysctl -q net.ipv4.conf.all.rp_filter=0 || true\n'
f'PostDown = iptables -D FORWARD -i %i -j DROP 2>/dev/null || true; ' f'PostDown = iptables -D FORWARD -i %i -j DROP 2>/dev/null || true; '
f'iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null || true; ' f'iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null || true; '
f'{hairpin_down}' f'{hairpin_down}'
f'{dnat_down}; ' f'{dnat_down}\n'
f'sysctl -q net.ipv4.conf.all.rp_filter=1 || true\n'
) )
@staticmethod @staticmethod
scripts/setup_cell.py
+2 -4
View File
@@ -147,11 +147,9 @@ def write_wg0_conf(private_key: str, address: str, port: int):
f'Address = {address}\n' f'Address = {address}\n'
f'ListenPort = {port}\n' f'ListenPort = {port}\n'
f'PostUp = iptables -A FORWARD -i %i -j ACCEPT; ' f'PostUp = iptables -A FORWARD -i %i -j ACCEPT; '
f'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ' f'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n'
f'sysctl -q net.ipv4.conf.all.rp_filter=0\n'
f'PostDown = iptables -D FORWARD -i %i -j ACCEPT; ' f'PostDown = iptables -D FORWARD -i %i -j ACCEPT; '
f'iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ' f'iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE\n'
f'sysctl -q net.ipv4.conf.all.rp_filter=1\n'
) )
with open(wg_conf, 'w') as f: with open(wg_conf, 'w') as f:
f.write(content) f.write(content)