
add so_mark sockopt support #1331


Merged
merged 1 commit into from
Mar 12, 2025

Conversation

jampe
Contributor

@jampe jampe commented Feb 16, 2025

This PR adds the ability to mark the traffic on the nebula interface for Linux-based systems. This allows the user to handle the nebula generated traffic via ip rules and using generic routing tables. For example, this allows the use of default routes via nebula for clients that already have a default gw set due to their network setup.

Current state:

0.0.0.0/0 routing is already possible in nebula using network namespaces (see https://www.wireguard.com/netns/); however, I noticed in my own testing that moving network interfaces between namespaces can often introduce different new problems. E.g. you lose IP assignments on interfaces, `ip a` does not show your physical NIC anymore, resulting in problems with network managers on desktop-style clients.

Related issues / existing pull requests:

To enable 0.0.0.0/0 routing one would have to start nebula using listen.so_mark set to e.g. 4242 and then set the following ip rules / ip routes (taken from https://ro-che.info/articles/2021-02-27-linux-routing and the wg-quick project):

> ip rule add not from all fwmark 4242 lookup 4242
> ip rule add from all lookup main suppress_prefixlength 0
> ip route add default dev nebula1 via <nebula_unsafe_route_gw> table 4242

This PR leaves the "final routing decision" to the user by adding only the ability to actually do it to nebula. This even enables setups with multiple 0.0.0.0/0 unsafe routes in the nebula config, meaning one could add multiple 0.0.0.0/0 unsafe route endpoints and change which endpoint to actually use on the fly. You could also do something like source-based routing to different gws at the same time.
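The mechanism behind `listen.so_mark` is the `SO_MARK` socket option on nebula's outer UDP socket: the mark is what lets the `not from all fwmark 4242 lookup 4242` rule above exempt nebula's own encrypted carrier packets from the default route that table 4242 sends through the tunnel. If the mark is requested but silently not applied, the carrier traffic itself matches the tunnel default route and the setup loops. The following is an added illustration, not code from this PR or from the nebula project: it opens a UDP socket, applies a mark, reads the option back to confirm it took effect, and returns `EPERM` unchanged when the process lacks `CAP_NET_ADMIN`, so a caller can fail closed instead of running unmarked. The function name `MarkedUDPSocket` and the mark value 4242 are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"os"
	"syscall"
)

// MarkedUDPSocket opens an IPv4 UDP socket, applies SO_MARK and reads the
// option back so the caller can tell whether the mark actually took effect.
// Linux only: SO_MARK needs CAP_NET_ADMIN; without it setsockopt fails with
// EPERM, the socket is closed and the error is returned (wrapped, so
// errors.Is(err, syscall.EPERM) still holds).
func MarkedUDPSocket(mark int) (fd int, applied int, err error) {
	// SO_MARK is a 32-bit value; reject anything the kernel would truncate.
	if mark < 0 || mark > math.MaxUint32 {
		return -1, 0, fmt.Errorf("mark %d out of range for SO_MARK", mark)
	}
	fd, err = syscall.Socket(syscall.AF_INET, syscall.SOCK_DGRAM|syscall.SOCK_CLOEXEC, syscall.IPPROTO_UDP)
	if err != nil {
		return -1, 0, fmt.Errorf("socket: %w", err)
	}
	if err = syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_MARK, mark); err != nil {
		syscall.Close(fd)
		return -1, 0, fmt.Errorf("setsockopt SO_MARK: %w", err)
	}
	// Read the option back: the check a routing setup like the ip rules
	// above depends on, since an unmarked socket would loop into the tunnel.
	applied, err = syscall.GetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_MARK)
	if err != nil {
		syscall.Close(fd)
		return -1, 0, fmt.Errorf("getsockopt SO_MARK: %w", err)
	}
	if applied != mark {
		syscall.Close(fd)
		return -1, 0, fmt.Errorf("SO_MARK readback mismatch: want %d, got %d", mark, applied)
	}
	return fd, applied, nil
}

// IsPrivilegeError reports whether the failure was the kernel refusing the
// mark for lack of CAP_NET_ADMIN, as opposed to a programming error.
func IsPrivilegeError(err error) bool {
	return errors.Is(err, syscall.EPERM) || errors.Is(err, syscall.EACCES)
}

func main() {
	fd, applied, err := MarkedUDPSocket(4242) // 4242 is the example mark from the PR text
	if err != nil {
		if IsPrivilegeError(err) {
			fmt.Fprintln(os.Stderr, "refusing to run unmarked:", err)
			os.Exit(1)
		}
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	defer syscall.Close(fd)
	fmt.Printf("fd %d carries fwmark %d\n", fd, applied)
}
```

Run it as root (or with `CAP_NET_ADMIN`) and the readback confirms the mark; run it unprivileged and it exits non-zero rather than opening a socket whose packets would fall into the tunnel's own default route.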

@nbrownus nbrownus added this to the v2.0.0 milestone Mar 12, 2025
@nbrownus nbrownus merged commit 1d3c853 into slackhq:master Mar 12, 2025
10 checks passed

Successfully merging this pull request may close these issues.

Feature request: Add ability to set fwmark on clearnet traffic make default route via nebula node (full subnet routing, 0.0.0.0/0, etc.)