From 71ce4786ba8aeb5867bc64344b82a7c518582e75 Mon Sep 17 00:00:00 2001
From: Khalefa
Date: Fri, 5 Jun 2026 13:27:35 +0300
Subject: [PATCH] fix(awg): force rp_filter off on each interface at bring-up
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The cascade black-holed at a mid hop whose awg interfaces still had rp_filter=2: the effective value is max(conf.all, conf.), and an interface created before a default-rp_filter relax keeps its inherited value — so relaxing only `all`/`default` doesn't cover already-up interfaces (cloud-init sets default=0 at boot, but a node provisioned another way, or before that fix, wouldn't have it). Now Runtime.Up sets net.ipv4.conf.{all,}.rp_filter=0 right after `awg-quick up`, best-effort, for every awg interface (awg0 + inner links). Proven live: a 3-hop cascade (nyc→lon→fra→ams) egressed at the exit once the mids' interfaces were relaxed. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
---
 internal/awg/runtime.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/internal/awg/runtime.go b/internal/awg/runtime.go
index 49e6d4a..03956ba 100644
--- a/internal/awg/runtime.go
+++ b/internal/awg/runtime.go
@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"os/exec"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
@@ -110,6 +111,15 @@ func (r *ExecRuntime) Up(ctx context.Context, confPath string) error {
 		return fmt.Errorf("awg-quick up %s: %w (output: %s)", confPath, err, redactOutput(out))
 	}
+	// Cascade traffic crosses adapters asymmetrically; reverse-path filtering —
+	// even "loose" (2) — silently drops it. The effective value is max(conf.all,
+	// conf.), and an interface created before a default-rp_filter relax
+	// keeps its inherited value, so force it off on THIS interface (and globally)
+	// right after bring-up. Best-effort: a sysctl failure must not fail bring-up,
+	// and this backstops the cloud-init/netpolicy relax (it bit the cascade twice).
+	iface := strings.TrimSuffix(filepath.Base(confPath), ".conf")
+	_ = exec.CommandContext(ctx, "sysctl", "-w", "net.ipv4.conf.all.rp_filter=0").Run()
+	_ = exec.CommandContext(ctx, "sysctl", "-w", "net.ipv4.conf."+iface+".rp_filter=0").Run()
 	return nil
 }
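Review bot: The two `_ = exec.CommandContext(...).Run()` lines discard the sysctl result entirely, so when the relax does not take effect — sysctl missing or unprivileged, or the key misparsed because the interface name contains a dot (`net.ipv4.conf.awg0.1.rp_filter` is read as nested path components) — the interface comes up in exactly the black-hole state this patch is meant to prevent, with nothing recorded anywhere. Keeping it best-effort is fine, but the outcome should be surfaced and the key made dot-safe: `if out, err := exec.CommandContext(ctx, "sysctl", "-w", "net/ipv4/conf/"+iface+"/rp_filter=0").CombinedOutput(); err != nil { /* log err and redactOutput(out) via whatever logger ExecRuntime carries — TODO confirm one exists */ }`, using sysctl's slash-separated key form so dots in `iface` are literal (same treatment for the `all` line). The comment should also spell out the host-wide effect that the `max(conf.all, conf.<iface>)` rule it cites implies: lowering `all` to 0 removes reverse-path filtering from every interface whose own `conf.<iface>.rp_filter` is 0, not only the awg links, so a node that wants anti-spoofing kept on its uplink needs that interface's per-interface value set to 1 explicitly. Up's body starts outside the hunk.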