Is net.ipv4.conf.all.src_valid_mark necessary? #96

Open
zwimer opened this issue Dec 30, 2023 · 6 comments
Comments

Contributor

zwimer commented Dec 30, 2023

I am running on kernel version 6.6.8 without SYS_MODULE and without any sysctl commands in my docker-compose file. Is net.ipv4.conf.all.src_valid_mark necessary? Am I losing out on some functionality by not enabling it? I'm looking to find out if net.ipv4.conf.all.src_valid_mark causes WG to work or not work in a binary fashion, or if it is disabling some but not all functionality.

I'm making this issue since there is a comment about SYS_MODULE not being needed in newer kernel versions due to the kernel module being loaded already. I'd like to document what conditions make net.ipv4.conf.all.src_valid_mark necessary or not.

Contributor Author

zwimer commented Dec 30, 2023

For reference, inside my working pia wireguard container, sysctl net.ipv4.conf.all.src_valid_mark gives 0.

Owner

thrnz commented Dec 30, 2023

The container uses wg-quick to handle setting up the networking side of things, and that tries to set net.ipv4.conf.all.src_valid_mark to 1 when adding the default route, however this requires the container to be run with the privileged flag. Setting it to 1 on container creation instead means the container can be run with lower privileges.

I'm not sure what net.ipv4.conf.all.src_valid_mark=1 functionally does, and whether it's required, and haven't had much luck trying to work it out in the past.

Contributor Author

zwimer commented Dec 30, 2023

Interesting. I do notice that in my wg-quick I have the line:

[[ $proto == -4 ]] && set +e && sysctl -q net.ipv4.conf.all.src_valid_mark=1 &> /dev/null && set -e

So it seems not necessarily necessary (for all cases at least) since at least this version allows failure?

In any case, I'll add it to my docker-compose.yml, just in case. Thanks!

Owner

thrnz commented Dec 30, 2023

That line in wg-quick was modified slightly from the original in order to work without privileged being set:

# Modify wg-quick so it doesn't die without --privileged
# Set net.ipv4.conf.all.src_valid_mark=1 on container creation using --sysctl if required instead
# To avoid confusion, also suppress the error message that displays even when pre-set to 1 on container creation
RUN sed -i 's/cmd sysctl.*/set +e \&\& sysctl -q net.ipv4.conf.all.src_valid_mark=1 \&> \/dev\/null \&\& set -e/' /usr/bin/wg-quick

Previously it would try to set it and fail if privileged mode wasn't enabled, even if it had already been set to 1 on container creation, causing wg-quick to error out and die.

Here's the original line:

[[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1

Contributor Author

zwimer commented Jan 3, 2024

@thrnz https://www.procustodibus.com/blog/2022/01/wg-quick-firewall-rules/

I think that it was not necessary for me because my system's sysctl net.ipv4.conf.all.rp_filter is set to loose filtering (I didn't manually change this so this might be Fedora's default?)

Owner

thrnz commented Jan 6, 2024

Thanks for the link.

It looks like you might have it sussed out. I've had a brief play with rp_filter on a Debian host, and it seems the container only needs src_valid_mark=1 set when rp_filter=1 (i.e. strict mode). It drops incoming traffic otherwise. It seemed to work fine without it set with rp_filter=0/2.

Based on this I've clarified the example docker-compose a bit in #97, and I've also added a warning to the container if src_valid_mark=1 isn't set when it needs to be.
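The condition worked out above (src_valid_mark=1 only matters under strict rp_filter=1, because strict reverse-path validation ignores the packet's fwmark unless src_valid_mark is set, and wg-quick's policy routing keys off that fwmark) can be turned into a start-up check. The script below is an added example, not the container's own warning code; the function names and the WG_SYSCTL_CHECK variable are made up for this illustration.

```shell
#!/bin/sh
# Added example: decide whether net.ipv4.conf.all.src_valid_mark=1 is
# required given the effective rp_filter value, and warn when it is missing.
# rp_filter semantics (kernel ip-sysctl docs): 0 = off, 1 = strict, 2 = loose.

# Exit 0 when the given rp_filter value makes src_valid_mark=1 necessary.
needs_src_valid_mark() {
    case "$1" in
        1) return 0 ;;   # strict mode: fwmark must be honoured in the reverse-path lookup
        *) return 1 ;;   # off or loose: the reverse-path check passes without it
    esac
}

# Usage: check_wg_sysctls <rp_filter> <src_valid_mark>
# Prints a verdict and returns 1 only in the misconfigured case.
check_wg_sysctls() {
    if needs_src_valid_mark "$1"; then
        if [ "$2" = "1" ]; then
            echo "ok"
            return 0
        fi
        echo "warn: rp_filter=1 (strict) but src_valid_mark=$2; incoming WireGuard traffic will be dropped"
        return 1
    fi
    echo "unneeded: rp_filter=$1 does not require src_valid_mark=1"
    return 0
}

# Read a sysctl under net.ipv4.conf/<scope>; prints "unknown" when unreadable.
read_conf_sysctl() {
    cat "/proc/sys/net/ipv4/conf/$1/$2" 2>/dev/null || echo "unknown"
}

# The kernel applies the larger of conf/all/rp_filter and the interface's own
# rp_filter, so both are consulted for the interface the tunnel egresses on.
effective_rp_filter() {
    all=$(read_conf_sysctl all rp_filter)
    dev=$(read_conf_sysctl "$1" rp_filter)
    if [ "$all" -ge "$dev" ] 2>/dev/null; then echo "$all"; else echo "$dev"; fi
}

# Live check on a Linux host or container; $1 is the egress interface (default eth0).
main() {
    check_wg_sysctls "$(effective_rp_filter "${1:-eth0}")" "$(read_conf_sysctl all src_valid_mark)"
}

# Only run the live check when explicitly asked, so the file can also be sourced.
if [ "${WG_SYSCTL_CHECK:-}" = "1" ]; then main "$@"; fi
```

Run it with `WG_SYSCTL_CHECK=1 sh check.sh eth0` inside the container; a non-zero exit identifies the strict-rp_filter case where the --sysctl setting from the compose example is actually needed.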
