From: Vasili Pupkin <diggest@gmail.com>
To: Jordan Glover <Golden_Miller83@protonmail.ch>
Cc: "William J. Tolley" <william@breakpointingbad.com>,
WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Regarding "Inferring and hijacking VPN-tunneled TCP connections"
Date: Fri, 6 Dec 2019 20:06:00 +0300 [thread overview]
Message-ID: <860fe8c7-de2a-57c7-e69a-7ae9cbf263ae@gmail.com> (raw)
In-Reply-To: <sZXjoRuWmvBHjZtlb28qeohg4R8BAHjCk5b-I2TWb5-ew1OZJBGYefxuSzTjFP7e5lESacVJMtp4fKIl7wyXJCI1iIznqnStW6OxG-P9YeQ=@protonmail.ch>
On 06.12.2019 19:12, Jordan Glover wrote:
> But nft rule won't be visible from iptables tools like iptables-save,
> right? This may be confusing for people who still use iptables for
> setting up firewall on their systems.
>
Right. And for those using NFT, they will see a strange rule in their
default inet filter table. Also nft users may delete this table or its
input chain or alter the chain hook specification before calling
wg-quick and in this case the magic command will crash. So it should be
added to wireguard specific table instead of inet filter and this is
actually the only easy way to revert the ruleset in nft, you should
delete your table to revert the changes.
nft add table inet $table
nft add chain inet $table input {' type filter hook input priority 0;
policy accept; '}
nft add rule inet $table input fib daddr . iif type != { local,
broadcast, multicast } drop
and then:
nft delete table inet $table
when we are done.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2019-12-06 17:06 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-05 19:13 Regarding "Inferring and hijacking VPN-tunneled TCP connections" Jason A. Donenfeld
2019-12-05 19:50 ` Vasili Pupkin
2019-12-05 20:24 ` Jason A. Donenfeld
2019-12-05 21:28 ` Vasili Pupkin
2019-12-06 15:18 ` Jason A. Donenfeld
2019-12-06 17:21 ` Vasili Pupkin
2019-12-07 20:51 ` Lonnie Abelbeck
2019-12-06 12:58 ` William J. Tolley
2019-12-06 15:06 ` Jordan Glover
2019-12-06 15:08 ` Jason A. Donenfeld
2019-12-06 16:03 ` Vasili Pupkin
2019-12-06 16:12 ` Jordan Glover
2019-12-06 17:06 ` Vasili Pupkin [this message]
2019-12-05 20:10 ` zrm
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=860fe8c7-de2a-57c7-e69a-7ae9cbf263ae@gmail.com \
--to=diggest@gmail.com \
--cc=Golden_Miller83@protonmail.ch \
--cc=william@breakpointingbad.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox