Is `net.ipv4.conf.all.src_valid_mark` necessary?
Opened this issue · 6 comments
I am running on kernel version 6.6.8 without `SYS_MODULE` and without any `sysctl` commands in my docker-compose file. Is `net.ipv4.conf.all.src_valid_mark` necessary? Am I losing out on some functionality by not enabling it? I'm looking to find out if `net.ipv4.conf.all.src_valid_mark` causes WG to work or not work in a binary fashion, or if it is disabling some but not all functionality.

I'm making this issue since there is a comment about `SYS_MODULE` not being needed in newer kernel versions due to the kernel module being loaded already. I'd like to document what conditions make `net.ipv4.conf.all.src_valid_mark` necessary or not.
For reference, inside my working pia wireguard container, `sysctl net.ipv4.conf.all.src_valid_mark` gives `0`.
The container uses `wg-quick` to handle setting up the networking side of things, and that tries to set `net.ipv4.conf.all.src_valid_mark` to 1 when adding the default route; however, this requires the container to be run with the privileged flag. Setting it to 1 on container creation instead means the container can be run with lower privileges.

I'm not sure what `net.ipv4.conf.all.src_valid_mark=1` functionally does, and whether it's required, and haven't had much luck trying to work it out in the past.
Interesting. I do notice that in my `wg-quick` I have the line:

```
[[ $proto == -4 ]] && set +e && sysctl -q net.ipv4.conf.all.src_valid_mark=1 &> /dev/null && set -e
```

So it seems not necessarily necessary (for all cases at least) since at least this version allows failure?

In any case, I'll add it to my `docker-compose.yml`, just in case. Thanks!
That line in `wg-quick` was modified slightly from the original in order to work without privileged being set:

docker-wireguard-pia/Dockerfile, lines 13 to 16 in ecde52f

Previously it would try to set it and fail if privileged mode wasn't enabled, even if it had already been set to 1 on container creation, causing `wg-quick` to error out and die.

Here's the original line:

```
[[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
```
@thrnz https://www.procustodibus.com/blog/2022/01/wg-quick-firewall-rules/

I think that it was not necessary for me because my system's `sysctl net.ipv4.conf.all.rp_filter` is set to loose filtering (I didn't manually change this, so this might be Fedora's default?)
Thanks for the link.

It looks like you might have it sussed out. I've had a brief play with `rp_filter` on a Debian host, and it seems the container only needs `src_valid_mark=1` set when `rp_filter=1` (i.e. strict mode). It drops incoming traffic otherwise. It seemed to work fine without it set with `rp_filter=0/2`.

Based on this I've clarified the example docker-compose a bit in #97, and I've also added a warning to the container if `src_valid_mark=1` isn't set when it needs to be.
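As an added example (this is not the project's own code, nor the warning added in #97), here is a small POSIX shell check that encodes the finding in this thread: `net.ipv4.conf.all.src_valid_mark=1` is only required when reverse-path filtering is strict (`rp_filter=1`), and with `rp_filter=0` or `2` the container works without it. The function names, the `wg0` interface name and the `WG_IFACE`/`RUN_LIVE` variables are assumptions of this example. The "effective rp_filter is the larger of `conf/all` and `conf/<iface>`" rule comes from the kernel's `ip-sysctl` documentation and is also applied here as an assumption about the reader's kernel.

```shell
#!/bin/sh
# Added example, not the project's own code. Encodes the thread's finding:
# src_valid_mark=1 is needed only under strict reverse-path filtering (rp_filter=1).

# Effective rp_filter for an interface is assumed to be max(conf.all, conf.<iface>),
# as documented in the kernel's ip-sysctl text.
effective_rp_filter() {
    all=$1
    iface=$2
    if [ "$all" -gt "$iface" ]; then echo "$all"; else echo "$iface"; fi
}

# True (exit 0) when strict mode is active, i.e. src_valid_mark=1 is required.
needs_src_valid_mark() {
    [ "$1" -eq 1 ]
}

# Exit 0 when the combination is usable; exit 1 (with a warning on stderr) when
# incoming WireGuard traffic would be dropped by the reverse-path check.
check_wg_sysctls() {
    rp=$1
    svm=$2
    if needs_src_valid_mark "$rp" && [ "$svm" != "1" ]; then
        echo "warning: rp_filter=$rp (strict) but net.ipv4.conf.all.src_valid_mark=$svm;" \
             "incoming WireGuard traffic will be dropped." \
             "Set the sysctl at container creation (docker-compose 'sysctls:')." >&2
        return 1
    fi
    return 0
}

# Read the live values from /proc/sys inside the container and run the check.
# WG_IFACE (default wg0) is an assumed interface name.
check_live() {
    iface=${WG_IFACE:-wg0}
    all_rp=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    if [ -r "/proc/sys/net/ipv4/conf/$iface/rp_filter" ]; then
        if_rp=$(cat "/proc/sys/net/ipv4/conf/$iface/rp_filter")
    else
        # Interface not up yet: fall back to the value new interfaces inherit.
        if_rp=$(cat /proc/sys/net/ipv4/conf/default/rp_filter)
    fi
    svm=$(cat /proc/sys/net/ipv4/conf/all/src_valid_mark)
    check_wg_sysctls "$(effective_rp_filter "$all_rp" "$if_rp")" "$svm"
}

# Run the live check only when explicitly requested, so the file can also be sourced.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_live
fi
```

Run it inside the container with `RUN_LIVE=1 sh check.sh` before `wg-quick up`; a non-zero exit means the host's strict `rp_filter` would drop replies unless `net.ipv4.conf.all.src_valid_mark=1` is supplied at container creation, for example through the compose file's `sysctls:` key, which avoids needing the privileged flag for the `sysctl` call in `wg-quick`.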