projekte/edgeguard-native
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(firewall+wg): Operator-Rule landete als Comment + wg-quick las falsche Conf

Browse Source 
Zwei show-stopper beim Cutover .101 → .6 entdeckt + behoben:

1. nft-Template-Bug: {{- if ...}}-Whitespace-Trimmer nach der
   '# rule N' Kommentarzeile schluckte den Newline → die ganze
   Operator-Rule landete als Teil des # Kommentars. nft akzeptierte
   die Datei (legaler Comment) und der Operator sah keine Wirkung.
   Fix: Body auf eigener Zeile via {{""}}-Padding, Trimmer raus.

2. wg-Renderer schrieb /etc/edgeguard/wireguard/<iface>.conf, aber
   wg-quick@<iface>.service liest /etc/wireguard/<iface>.conf
   (Distro-Default). Die zwei Files driftet auseinander — beim
   Restart sah wg-quick die alte AllowedIPs. Fix: Renderer legt
   einen Symlink /etc/wireguard/<iface>.conf → /etc/edgeguard/...
   beim Render an (idempotent, ersetzt vorhandene Real-Files).

Beide Fixes waren voraussetzung für den .101 → .6 Cutover, der
jetzt sauber läuft: VIP .100 lebt auf .6, Unify Home dial't durch
zu wg7 (handshake), 10.0.10.x via wg7-Tunnel reachable.

Version 1.0.18.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
2026-05-10 23:43:39 +02:00
parent e8334cd276
commit b1eb940d09
8 changed files with 39 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
internal/firewall/ruleset.nft.tpl
View File

@@ -48,20 +48,14 @@ table inet edgeguard {
tcp dport 8443 ip6 saddr @peer_ipv6 accept
# ── Operator-defined rules ──
{{- range .Legs}}
{{range .Legs}}
# rule {{.RuleID}}{{if .Name}} ({{.Name}}){{end}}{{if .Comment}} — {{.Comment}}{{end}}
{{- if .SrcIfaces}} iifname { {{join .SrcIfaces ", "}} }{{end -}}
{{- if .DstIfaces}} oifname { {{join .DstIfaces ", "}} }{{end -}}
{{- if .SrcAddrs}} ip saddr { {{join .SrcAddrs ", "}} }{{end -}}
{{- if .DstAddrs}} ip daddr { {{join .DstAddrs ", "}} }{{end -}}
{{- with .Service -}}
{{- if and (or (eq .Proto "tcp") (eq .Proto "udp")) .PortStart}} {{.Proto}} dport {{.PortStart}}{{if and .PortEnd (ne .PortEnd .PortStart)}}-{{.PortEnd}}{{end}}
{{- else if eq .Proto "icmp"}} ip protocol icmp
{{- else if eq .Proto "icmpv6"}} ip6 nexthdr icmpv6
{{- end -}}
{{- end -}}
{{- if .Log}} log prefix "edgeguard:{{.RuleID}} "{{end}} {{.Action}}
{{- end}}
{{- /* Body MUSS auf EIGENER Zeile starten (nicht via {{- }} an
die Comment-Zeile angehängt — sonst frisst nft die rule
als Teil des # Kommentars). */ -}}
{{""}}
{{if .SrcIfaces}}iifname { {{join .SrcIfaces ", "}} } {{end}}{{if .DstIfaces}}oifname { {{join .DstIfaces ", "}} } {{end}}{{if .SrcAddrs}}ip saddr { {{join .SrcAddrs ", "}} } {{end}}{{if .DstAddrs}}ip daddr { {{join .DstAddrs ", "}} } {{end}}{{with .Service}}{{if and (or (eq .Proto "tcp") (eq .Proto "udp")) .PortStart}}{{.Proto}} dport {{.PortStart}}{{if and .PortEnd (ne .PortEnd .PortStart)}}-{{.PortEnd}}{{end}} {{else if eq .Proto "icmp"}}ip protocol icmp {{else if eq .Proto "icmpv6"}}ip6 nexthdr icmpv6 {{end}}{{end}}{{if .Log}}log prefix "edgeguard:{{.RuleID}} " {{end}}{{.Action}}
{{end}}
}
chain forward {