gravitl / netmaker

Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
https://netmaker.io

[BUG]: iptables postUp and postDown rules should be inserted #1667

Closed voroskoi closed 1 year ago

voroskoi commented 2 years ago

Contact Details

No response

What happened?

Hi,

First things first: Netmaker is amazing, thank you!

I usually set up my firewall rules in the following method:

1. ACCEPT something
2. ACCEPT something else
3. LOG everything that reaches this rule
4. DROP everything that reaches this rule

The policy is ACCEPT, so I can flush everything and start over without locking myself out.

Because netmaker rules are appended they all go after the DROP rule and do not take effect.

Is there any particular reason for this? For my use case inserting would be better, but I am not sure if it has any drawback. Are you open to changing this behavior?

Thanks,

Version

v0.16.1

What OS are you using?

Linux

Relevant log output

No response


afeiszli commented 2 years ago

This is worth considering, but could have considerable consequences so would need a good amount of testing.

In the meantime, you can turn RCE="on" in your docker compose (env section) and edit the postup/postdown commands to use "-I" instead of "-A".
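As an added illustration of both the ordering problem voroskoi describes and the `-A` to `-I` workaround afeiszli suggests, the following model of iptables first-match evaluation shows where an appended rule lands relative to a trailing DROP, and where an inserted one lands. This is not Netmaker or netclient code; the chain contents, the interface name `netmaker`, and the sample packet are constructed for the demonstration, and nothing here touches the real firewall.

```python
"""Model of iptables chain evaluation: first matching terminating rule wins,
LOG is non-terminating, and the chain policy applies only if nothing terminates.
Added example; it does not run iptables and is not part of Netmaker."""

import re
from dataclasses import dataclass, field

# Targets that end evaluation of the chain. LOG is deliberately absent:
# a LOG rule records the packet and evaluation continues with the next rule.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    match: dict   # e.g. {"in_iface": "netmaker"}; an empty dict matches every packet
    target: str

    def matches(self, packet: dict) -> bool:
        return all(packet.get(k) == v for k, v in self.match.items())


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        # iptables -A: the rule goes to the end of the chain.
        self.rules.append(rule)

    def insert(self, rule: Rule, rulenum: int = 1) -> None:
        # iptables -I [rulenum]: the rule goes at position rulenum, default 1 (top).
        self.rules.insert(rulenum - 1, rule)

    def evaluate(self, packet: dict):
        """Return (verdict, logged) for one packet under first-match semantics."""
        logged = False
        for rule in self.rules:
            if not rule.matches(packet):
                continue
            if rule.target == "LOG":
                logged = True          # non-terminating: keep walking the chain
                continue
            if rule.target in TERMINATING:
                return rule.target, logged
        return self.policy, logged      # fell off the end: chain policy decides


def reporter_chain() -> Chain:
    """The chain layout from the issue: ACCEPT, ACCEPT, LOG, DROP, with policy ACCEPT.
    The specific matches (constructed) stand in for 'something' and 'something else'."""
    chain = Chain(policy="ACCEPT")
    chain.append(Rule({"in_iface": "eth0", "dport": 22}, "ACCEPT"))
    chain.append(Rule({"in_iface": "eth0", "dport": 443}, "ACCEPT"))
    chain.append(Rule({}, "LOG"))
    chain.append(Rule({}, "DROP"))
    return chain


# Constructed: a packet arriving over the WireGuard interface, and the kind of
# allow rule a PostUp command would add for that interface (name is assumed).
WG_PACKET = {"in_iface": "netmaker", "dport": 80}
NM_ALLOW = Rule({"in_iface": "netmaker"}, "ACCEPT")


def verdict_with_append():
    """Equivalent of 'iptables -A FORWARD -i netmaker -j ACCEPT' on the reporter's chain."""
    chain = reporter_chain()
    chain.append(NM_ALLOW)      # lands after LOG and DROP, so it is never reached
    return chain.evaluate(WG_PACKET)


def verdict_with_insert():
    """Equivalent of 'iptables -I FORWARD -i netmaker -j ACCEPT' on the reporter's chain."""
    chain = reporter_chain()
    chain.insert(NM_ALLOW)      # lands at position 1, ahead of LOG and DROP
    return chain.evaluate(WG_PACKET)


def to_insert(command: str) -> str:
    """Rewrite every standalone '-A' token in a PostUp string to '-I', as the
    workaround suggests. '-D' in PostDown is unaffected: deletion matches by
    rule content, not by position."""
    return re.sub(r"(?<!\S)-A(?!\S)", "-I", command)


if __name__ == "__main__":
    print("appended :", verdict_with_append())    # ('DROP', True)
    print("inserted :", verdict_with_insert())    # ('ACCEPT', False)
    print(to_insert("iptables -A FORWARD -i netmaker -j ACCEPT"))
```

With the rule appended, the WireGuard packet is logged by the catch-all LOG rule and then dropped, exactly the symptom reported; inserted at position 1 it is accepted before either catch-all is consulted. The trade-off afeiszli alludes to is visible in the model too: an inserted rule pre-empts every rule already in the chain, including any deliberate DROP or REJECT placed above it, so `-I` is a policy decision rather than a free fix.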

mattkasun commented 1 year ago

Netclient no longer uses postup/postdown commands