
[client] Use the prerouting chain to mark for masquerading to support older systems #2808

Merged (3 commits), Nov 7, 2024

Conversation

lixmal (Contributor)

@lixmal lixmal commented Oct 29, 2024

Describe your changes

Replace dynamic postrouting rules that match on the input interface with dynamic prerouting rules + static postrouting rules.
Older versions, such as Ubuntu 20.04, don't support matching on the input interface in the postrouting chain. As a result the masquerade rules didn't match at all.

Following is an example with route 10.20.1.0/24.

Before:

nftables:

table ip netbird {
        chain netbird-rt-postrouting {
                type nat hook postrouting priority srcnat - 1; policy accept;
                iifname "wt0" oifname != "lo" ip daddr 10.20.1.0/24 counter packets 0 bytes 0 masquerade
                oifname "wt0" iifname != "lo" ip saddr 10.20.1.0/24 counter packets 0 bytes 0 masquerade
        }
}

iptables:

-A POSTROUTING -j NETBIRD-RT-NAT
-A NETBIRD-RT-NAT -d 10.20.1.0/24 -i wt0 ! -o lo -j MASQUERADE
-A NETBIRD-RT-NAT -s 10.20.1.0/24 ! -i lo -o wt0 -j MASQUERADE

After:

nftables:

table ip netbird {
        chain netbird-rt-postrouting {
                type nat hook postrouting priority srcnat - 1; policy accept;
                meta mark 0x0001bd11 oifname != "lo" counter packets 0 bytes 0 masquerade
                meta mark 0x0001bd12 oifname "wt0" counter packets 0 bytes 0 masquerade
        }

        chain netbird-rt-prerouting {
                type filter hook prerouting priority mangle; policy accept;
                ct state new iifname "wt0" ip daddr 10.20.1.0/24 meta mark set 0x0001bd11
                ct state new iifname != "wt0" ip saddr 10.20.1.0/24 meta mark set 0x0001bd12
        }
}

iptables:

*mangle
-A PREROUTING -j NETBIRD-RT-PRE
-A NETBIRD-RT-PRE -d 10.20.1.0/24 -i wt0 -m conntrack --ctstate NEW -j MARK --set-xmark 0x1bd11/0xffffffff
-A NETBIRD-RT-PRE -s 10.20.1.0/24 ! -i wt0 -m conntrack --ctstate NEW -j MARK --set-xmark 0x1bd12/0xffffffff

*nat
-A POSTROUTING -j NETBIRD-RT-NAT
-A NETBIRD-RT-NAT ! -o lo -m mark --mark 0x1bd11 -j MASQUERADE
-A NETBIRD-RT-NAT -o wt0 -m mark --mark 0x1bd12 -j MASQUERADE

Issue ticket number and link

#2752

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)
  • Extended the README / documentation, if necessary
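An added consistency check for the prerouting-mark handoff described above (example code, not part of this PR or of NetBird): it parses the "After" nftables ruleset quoted in the description and flags the two properties the change relies on, that every mark a postrouting masquerade rule matches is actually set in prerouting, and that no postrouting rule still matches iifname, plus the caveat that marks are set only for ct state new. The ruleset string is constructed from the description; the chain names, interface and mark values are those shown on the page.

```python
import re
# Constructed from the "After" nftables ruleset quoted in the PR description
# (wt0 is the WireGuard interface, 10.20.1.0/24 the routed network).
AFTER_RULESET = """\
table ip netbird {
        chain netbird-rt-postrouting {
                type nat hook postrouting priority srcnat - 1; policy accept;
                meta mark 0x0001bd11 oifname != "lo" counter packets 0 bytes 0 masquerade
                meta mark 0x0001bd12 oifname "wt0" counter packets 0 bytes 0 masquerade
        }
        chain netbird-rt-prerouting {
                type filter hook prerouting priority mangle; policy accept;
                ct state new iifname "wt0" ip daddr 10.20.1.0/24 meta mark set 0x0001bd11
                ct state new iifname != "wt0" ip saddr 10.20.1.0/24 meta mark set 0x0001bd12
        }
}
"""
CHAIN_RE = re.compile(r"chain (\S+) \{(.*?)\n\s*\}", re.S)
SET_RE = re.compile(r"meta mark set (0x[0-9a-fA-F]+)")
MATCH_RE = re.compile(r"meta mark (0x[0-9a-fA-F]+)")

def parse_chains(ruleset):
    """Return {chain name: [rule lines]}, dropping each chain's 'type ... hook' line."""
    chains = {}
    for name, body in CHAIN_RE.findall(ruleset):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        chains[name] = [ln for ln in lines if not ln.startswith("type ")]
    return chains

def check_mark_handoff(ruleset):
    """Return problems with the prerouting-mark / postrouting-masquerade handoff ([] = ok)."""
    chains = parse_chains(ruleset)
    problems, set_marks = [], set()
    for rule in chains.get("netbird-rt-prerouting", []):
        m = SET_RE.search(rule)
        # Marking only 'ct state new' is enough: conntrack carries the NAT
        # binding created on the first packet over to the rest of the flow.
        if m and "ct state new" not in rule:
            problems.append(f"mark {m.group(1)} is set on every packet: {rule}")
        if m:
            set_marks.add(int(m.group(1), 16))
    for rule in chains.get("netbird-rt-postrouting", []):
        if "iifname" in rule:  # the match older kernels reject in postrouting
            problems.append(f"postrouting masquerade matches iifname: {rule}")
        m = MATCH_RE.search(rule)
        if not m:
            problems.append(f"masquerade without mark match: {rule}")
        elif int(m.group(1), 16) not in set_marks:
            problems.append(f"masquerade matches mark {m.group(1)} never set in prerouting")
    return problems
```

Running the same check over the "Before" ruleset reports both the iifname match and the missing mark, which is exactly the shape of rule that failed on Ubuntu 20.04.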


@lixmal lixmal merged commit 509e184 into main Nov 7, 2024
21 checks passed
@lixmal lixmal deleted the use-prerouting-for-masq branch November 7, 2024 11:37