Bug 715892 - net-vpn/wireguard-tools-1.0.20200319.ebuild doesn't check for NF_CONNTRACK_MARK
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Jason A. Donenfeld
Reported: 2020-04-02 10:24 UTC by Simeon Simeonov
Modified: 2020-04-03 03:37 UTC
Description Simeon Simeonov 2020-04-02 10:24:15 UTC
When using nftables, NF_CONNTRACK_MARK is a requirement for wg-quick.

After building a custom 5.6 kernel, wireguard-tools-1.0.20200319.ebuild was installed without warnings, but creating a VPN client failed with:

[#] ip link add hb type wireguard
[#] wg setconf hb /dev/fd/63
[#] ip -4 address add 10.0.2.5/32 dev hb
[#] ip link set mtu 1420 up dev hb
[#] resolvconf -a hb -m 0 -x
[#] wg set hb fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev hb table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
/dev/fd/63:6:1-81: Error: Could not process rule: Operation not supported

/dev/fd/63:7:1-74: Error: Could not process rule: Operation not supported

[#] resolvconf -d hb -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev hb


Reproducible: Always




Adding:
wg_quick_optional_config_nob NF_CONNTRACK_MARK

...in the "if has_version net-firewall/nftables; then" block helps.
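
A pre-flight check for the condition this report describes, as an added example that is not part of the original bug report or the ebuild: it reads a kernel .config and lists which of the given options are neither built in nor modular. The function names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the ebuild).

# kconfig_state SYMBOL FILE -> prints y, m or n.
# "n" covers both "# CONFIG_X is not set" and a symbol absent from the file.
kconfig_state() {
    ks_sym=$1 ks_cfg=$2
    # Anchor on "CONFIG_<sym>=" so NF_CONNTRACK does not match NF_CONNTRACK_MARK.
    ks_val=$(sed -n "s/^CONFIG_${ks_sym}=\([ym]\)\$/\1/p" "$ks_cfg" | tail -n 1)
    printf '%s\n' "${ks_val:-n}"
}

# missing_options FILE SYMBOL... -> prints every symbol whose state is n.
missing_options() {
    mo_cfg=$1; shift
    for mo_sym in "$@"; do
        if [ "$(kconfig_state "$mo_sym" "$mo_cfg")" = n ]; then
            printf '%s\n' "$mo_sym"
        fi
    done
    return 0
}

# Constructed sample configs: one reproduces the reported condition, one does not.
sample_bad=$(mktemp) sample_good=$(mktemp)
trap 'rm -f "$sample_bad" "$sample_good"' EXIT
cat >"$sample_bad" <<'EOF'
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_MARK is not set
CONFIG_NF_TABLES=m
EOF
cat >"$sample_good" <<'EOF'
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_TABLES=m
EOF

for cfg in "$sample_bad" "$sample_good"; do
    missing=$(missing_options "$cfg" NF_CONNTRACK_MARK)
    if [ -n "$missing" ]; then
        echo "wg-quick with nftables will fail on this kernel, missing: $missing"
    else
        echo "NF_CONNTRACK_MARK is enabled"
    fi
done
```

To check a real kernel, pass the path of its .config (for example /usr/src/linux/.config) as the file argument.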
Comment 1 Simeon Simeonov 2020-04-02 11:25:35 UTC
https://github.com/gentoo/gentoo/pull/15208
Comment 2 Larry the Git Cow gentoo-dev 2020-04-03 03:37:52 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b17f25d5467680509ca9968ffa7baf745010a4f

commit 5b17f25d5467680509ca9968ffa7baf745010a4f
Author:     Simeon Simeonov <sgs@pichove.org>
AuthorDate: 2020-04-02 10:54:31 +0000
Commit:     Jason A. Donenfeld <zx2c4@gentoo.org>
CommitDate: 2020-04-03 03:37:37 +0000

    net-vpn/wireguard-tools: check for NF_CONNTRACK_MARK
    
    Closes: https://bugs.gentoo.org/715892
    Signed-off-by: Jason A. Donenfeld <zx2c4@gentoo.org>

 net-vpn/wireguard-tools/wireguard-tools-1.0.20200319.ebuild | 1 +
 1 file changed, 1 insertion(+)