13 commits

Author	SHA1	Message	Date
Jan Vaclav	4d0223f8a4	firewall/wireguard: drop packets received to wrong interface ... If we receive a packet sent to the WG interface's address, but it does not come from the WG tunnel, let's assume something is broken and drop the packet. This is also inspired by wg-quick firewall rules: https://git.zx2c4.com/wireguard-tools/tree/src/wg-quick/linux.bash?id=17c78d31c27a3c311a2ff42a881057753c6ef2a4#n221 (cherry picked from commit a769c17af7)	2025-05-12 13:38:38 +02:00
Jan Vaclav	2afcebe0c7	wireguard: add firewall rules to copy mark ... When a WG connection is connecting to an IPv6 endpoint, configures a default route, and firewalld is active with IPv6_rpfilter=yes, it never handshakes and doesn't pass traffic. This is because firewalld has a IPv6 reverse path filter which is discarding these packets. Thus, we add some firewall rules whenever a WG connection is brought up that ensure the conntrack mark and packet mark are copied over. These rules are largely inspired by wg-quick: https://git.zx2c4.com/wireguard-tools/tree/src/wg-quick/linux.bash?id=17c78d31c27a3c311a2ff42a881057753c6ef2a4#n221 (cherry picked from commit db557908a2)	2025-05-12 13:38:38 +02:00
Thomas Haller	2c716f04f9	bond: don't configure "counter" on nft rules for slb-bonding/mlag ... Counters are convenient for debugging, but have a performance overhead. Configure them only when debug logging in NetworkManager is enabled.	2023-05-10 19:03:40 +02:00
Thomas Haller	e9268e3924	firewall: add mlag firewall utils for multi chassis link aggregation (MLAG) for bonding-slb ... Add a way to configure MLAG NFT rules for SLB bonding. OVS supports "bonding-slb" (source load balancing, [1]). This is basically setting "mode=balance-xor" and "xmit_hash_policy=vlan+srcmac", which requires no special switch configuration (like LACP). For that to work, we need to filter out packets that the switch sends back on the other port, for which we configure some NFT rules. The rules are taken from mlag.sh at [2] or [3]. See-also: https://bugzilla.redhat.com/show_bug.cgi?id=1724795 [1] https://docs.openvswitch.org/en/latest/topics/bonding/#slb-bondin [2] https://gitlab.com/egarver/virtual-networking [3] https://gitlab.com/jtoppins_redhat/bond-slb-nft	2022-10-04 12:37:41 +02:00
Thomas Haller	cfeecbedff	firewall: expose nm_firewall_nft_call() in header file	2022-09-21 10:08:52 +02:00
Thomas Haller	dc66fb7d04	firewall/trivial: rename nm_firewall_config_apply() to nm_firewall_config_apply_sync() ... Sync/blocking methods are ugly. Their name should highlight this. Also, we may have an async variant, so we will need the "good" name for apply() and apply_finish().	2022-09-21 10:08:35 +02:00
Thomas Haller	7ad3fb1956	firewall/trivial: rename nm_firewall_config_new() to nm_firewall_config_new_shared()	2022-09-19 18:51:38 +02:00
Thomas Haller	e185f7966d	firewall/trivial: rename "shared"/"add" argument in firewall utils to "up"	2022-09-19 18:51:37 +02:00
Thomas Haller	a79d5e2218	firewall: add special firewall-backend "none"	2021-05-14 11:41:33 +02:00
Thomas Haller	1da1ad9c99	firewall: make firewall-backend configurable via "NetworkManager.conf" ... "iptables" and "nftables" will be supported. Currently, the code is unused and only "iptables" is supported.	2021-05-14 11:41:32 +02:00
Thomas Haller	aa859d85d9	firewall: rename NMUtilsShareRules to NMFirewallConfig ... It's still not a very good name, but it seems better then NMUtilsShareRules. Currently, NMFirewallConfig is mostly about masquerading for shared mode. But in practice, it's a piece of configuration for something to configure in the firewall (the NAT and filter rules).	2021-05-07 11:42:51 +02:00
Thomas Haller	b1625697cb	firewall: move firewall code to new "nm-firewall-utils.c" file	2021-05-07 11:42:50 +02:00
Thomas Haller	e9c1d2a9dd	firewall: add new "nm-firewall-utils.[ch]" module	2021-05-07 11:42:50 +02:00