Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 715892 - net-vpn/wireguard-tools-1.0.20200319.ebuild doesn't check for NF_CONNTRACK_MARK
Summary: net-vpn/wireguard-tools-1.0.20200319.ebuild doesn't check for NF_CONNTRACK_MARK
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Jason A. Donenfeld
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-02 10:24 UTC by Simeon Simeonov
Modified: 2020-04-03 03:37 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Simeon Simeonov 2020-04-02 10:24:15 UTC 
When using nftables NF_CONNTRACK_MARK is a requirement for wg-quick.

After building a custom 5.6 kernek, wireguard-tools-1.0.20200319.ebuild were installed without warnings, but creating a VPN client failed with:

[#] ip link add hb type wireguard
[#] wg setconf hb /dev/fd/63
[#] ip -4 address add 10.0.2.5/32 dev hb
[#] ip link set mtu 1420 up dev hb
[#] resolvconf -a hb -m 0 -x
[#] wg set hb fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev hb table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
/dev/fd/63:6:1-81: Error: Could not process rule: Operation not supported

/dev/fd/63:7:1-74: Error: Could not process rule: Operation not supported

[#] resolvconf -d hb -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev hb


Reproducible: Always




Adding:
wg_quick_optional_config_nob NF_CONNTRACK_MARK

...in the "if has_version net-firewall/nftables; then" block helps.
Comment 1 Simeon Simeonov 2020-04-02 11:25:35 UTC 
https://github.com/gentoo/gentoo/pull/15208
Comment 2 Larry the Git Cow gentoo-dev 2020-04-03 03:37:52 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b17f25d5467680509ca9968ffa7baf745010a4f

commit 5b17f25d5467680509ca9968ffa7baf745010a4f
Author:     Simeon Simeonov <sgs@pichove.org>
AuthorDate: 2020-04-02 10:54:31 +0000
Commit:     Jason A. Donenfeld <zx2c4@gentoo.org>
CommitDate: 2020-04-03 03:37:37 +0000

    net-vpn/wireguard-tools: check for NF_CONNTRACK_MARK
    
    Closes: https://bugs.gentoo.org/715892
    Signed-off-by: Jason A. Donenfeld <zx2c4@gentoo.org>

 net-vpn/wireguard-tools/wireguard-tools-1.0.20200319.ebuild | 1 +
 1 file changed, 1 insertion(+)