
fix(awg): force rp_filter off per-interface at bring-up #10

Merged: bodaay merged 1 commit into main from fix/rp-filter-on-up, Jun 5, 2026
@bodaay bodaay commented Jun 5, 2026


Backstops the cloud-init/netpolicy relax — an already-up awg interface keeps its inherited rp_filter=2, and effective = max(all, iface), so a mid hop black-holed the cascade. Proven live on a 3-hop nyc→lon→fra→ams path.

🤖 Generated with Claude Code

The cascade black-holed at a mid hop whose awg interfaces still had rp_filter=2:
the effective value is max(conf.all, conf.<iface>), and an interface created
before a default-rp_filter relax keeps its inherited value — so relaxing only
`all`/`default` doesn't cover already-up interfaces (cloud-init sets default=0 at
boot, but a node provisioned another way, or before that fix, wouldn't have it).
Now Runtime.Up sets net.ipv4.conf.{all,<iface>}.rp_filter=0 right after
`awg-quick up`, best-effort, for every awg interface (awg0 + inner links). Proven
live: a 3-hop cascade (nyc→lon→fra→ams) egressed at the exit once the mids'
interfaces were relaxed.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
@bodaay bodaay merged commit b345977 into main Jun 5, 2026
1 of 2 checks passed
@bodaay bodaay deleted the fix/rp-filter-on-up branch June 5, 2026 10:29
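
A check for the condition this PR describes, as an added example that is not code from this repository: it computes the effective rp_filter as max(conf.all, conf.<iface>) and lists the interfaces that are still non-zero. The function names, the root-directory parameter and the sample tree (interfaces awg0, awg1, eth0 and their values) are constructed for illustration; on a host the root is /proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Added example: report interfaces whose *effective* rp_filter is non-zero.
# The conf root is a parameter (an assumption of this example) so the logic
# can run against a constructed tree instead of the live /proc/sys.

# effective_rp_filter IFACE [ROOT] -> prints max(conf.all, conf.IFACE)
effective_rp_filter() {
    _root=${2:-/proc/sys/net/ipv4/conf}
    _all=$(cat "$_root/all/rp_filter") || return 1
    _if=$(cat "$_root/$1/rp_filter") || return 1
    if [ "$_all" -gt "$_if" ]; then echo "$_all"; else echo "$_if"; fi
}

# strict_ifaces PREFIX [ROOT] -> prints one line per interface whose name
# starts with PREFIX and whose effective rp_filter is not 0.
strict_ifaces() {
    _r=${2:-/proc/sys/net/ipv4/conf}
    for _d in "$_r/$1"*; do
        [ -f "$_d/rp_filter" ] || continue        # unmatched glob or no knob
        _eff=$(effective_rp_filter "${_d##*/}" "$_r") || continue
        [ "$_eff" -eq 0 ] || echo "${_d##*/} effective=$_eff"
    done
    return 0
}

# make_sample_tree ALL -> builds a constructed conf tree, prints its path.
# awg0 stands for an interface created before `default` was relaxed (it kept
# 2); awg1 was created afterwards (it inherited 0). ALL sets conf.all.
make_sample_tree() {
    _t=$(mktemp -d) || return 1
    for _kv in all="$1" default=0 awg0=2 awg1=0 eth0=2; do
        mkdir -p "$_t/${_kv%%=*}"
        echo "${_kv#*=}" > "$_t/${_kv%%=*}/rp_filter"
    done
    echo "$_t"
}

# Demo on constructed data: all=0 and default=0, yet awg0 is still strict.
tree=$(make_sample_tree 0)
strict_ifaces awg "$tree"
rm -rf "$tree"
```

Run against the live tree with `strict_ifaces awg`; an empty result means every matching interface has an effective value of 0.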