FS#3649 - Software flow offloading breaks IPv6 policy-based routing (traffic leak) #8685

Open
openwrt-bot opened this issue Feb 27, 2021 · 2 comments
Labels
flyspray kernel pull request/issue with Linux kernel related changes

Comments

@openwrt-bot

LGA1150:

I use ip6tables MARK and an iproute2 rule to forward certain traffic to a WireGuard VPN interface.
When software flow offloading is on, IPv6 traffic over VPN no longer works, but IPv4 works fine.
A tcpdump check shows that offloaded IPv6 packets are routed by the main routing table instead of the one specified in ip -6 rule.

Both the 5.4 and 5.10 kernel versions have this issue.

@openwrt-bot

cryobry:

Is it possible that pbr isn't even seeing the packets at all?

I'm experiencing IPv6 leaks even when using ::0/0 as an AllowedIP in my WireGuard tunnel w/ software offloading enabled. I have to assume this is related.

@openwrt-bot

LGA1150:

As a workaround, disable software offloading in the LuCI firewall, and add the following to custom firewall rules:

iptables -A forwarding_rule -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD
ip6tables -A forwarding_rule -m mark --mark 0 -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD

This will only offload unmarked IPv6 packets.

@aparcar aparcar added the kernel pull request/issue with Linux kernel related changes label Feb 22, 2022
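
The workaround in the last comment depends on every IPv6 FLOWOFFLOAD rule being limited to unmarked packets. The check below is an added example, not code from the issue thread or from OpenWrt: it flags FLOWOFFLOAD rules in `ip6tables-save` output that lack a `--mark 0` match while `ip -6 rule` shows fwmark-based rules. The function names and the sample rule text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue thread). Function names are hypothetical.

# Reads `ip -6 rule` output on stdin; succeeds if any rule selects on fwmark.
has_fwmark_rule() {
    grep -Eq '[[:space:]]fwmark[[:space:]]+0x[0-9a-fA-F]+'
}

# Reads `ip6tables-save` output on stdin; prints FLOWOFFLOAD rules that are
# not limited to unmarked packets by an un-negated "-m mark --mark 0" match.
# Masked matches (0x0/0x..) are reported too, as they may let marked packets in.
unrestricted_offload_rules() {
    grep -E -e '-j FLOWOFFLOAD' |
        grep -Ev -e '-m mark --mark (0|0x0)( |$)'
}

# audit IP6_RULES IP6TABLES_SAVE
# Returns 1 when fwmark policy routing is in use and some IPv6 FLOWOFFLOAD
# rule can still match marked packets; returns 0 otherwise.
audit() {
    printf '%s\n' "$1" | has_fwmark_rule || return 0
    bad=$(printf '%s\n' "$2" | unrestricted_offload_rules) || true
    [ -z "$bad" ] && return 0
    printf 'marked IPv6 flows can be offloaded by:\n%s\n' "$bad" >&2
    return 1
}

# Constructed sample inputs, not captured from a real router.
RULES='0: from all lookup local
1000: from all fwmark 0x1 lookup 100
32766: from all lookup main'
UNRESTRICTED='-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD'
WORKAROUND='-A forwarding_rule -m mark --mark 0x0 -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD'

if audit "$RULES" "$UNRESTRICTED"; then echo "unrestricted: ok"; else echo "unrestricted: LEAK RISK"; fi
if audit "$RULES" "$WORKAROUND"; then echo "workaround: ok"; else echo "workaround: LEAK RISK"; fi
```

On a router, the same check can be run against live state with `audit "$(ip -6 rule)" "$(ip6tables-save)"`.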