wg-quick: account for specified fwmark in auto routing mode

If we're doing automatic routing with default routes, but the config has
also specified an explicit fwmark, then use that explicit fwmark, even
if it's conflicting, since the administrator has explicitly opted into
using it. Also, when shutting down the interface, we only now remove the
fancy rules if we're in automatic routing mode with default routes.

Suggested-by: Luis Ressel <aranea@aixah.de>
Reported-by: Saeid Akbari <saeidscorp@yahoo.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

diff --git a/src/wg-quick.bash b/src/wg-quick.bash
index 2a0abe023c4a70a2b099acfa14d9943dcdc48209..f8c1ce74a252584074d54f28f0f1bac87e841cd7 100755 (executable)
--- a/src/wg-quick.bash
+++ b/src/wg-quick.bash
@@ -87,20 +87,17 @@ add_if() {
 }
 
 del_if() {
-       local fwmark
+       local table
        [[ $HAVE_SET_DNS -eq 0 ]] || unset_dns
-       fwmark="$(wg show "$INTERFACE" fwmark)"
-       DEFAULT_TABLE=0
-       [[ $fwmark != off ]] && DEFAULT_TABLE=$(( fwmark ))
-       if [[ $DEFAULT_TABLE -ne 0 ]]; then
-               while [[ $(ip -4 rule show) == *"lookup $DEFAULT_TABLE"* ]]; do
-                       cmd ip -4 rule delete table $DEFAULT_TABLE
+       if [[ -z $TABLE || $TABLE == auto ]] && get_fwmark table && [[ $(wg show "$INTERFACE" allowed-ips) =~ /0(\ |$'\n'|$) ]]; then
+               while [[ $(ip -4 rule show) == *"lookup $table"* ]]; do
+                       cmd ip -4 rule delete table $table
                done
                while [[ $(ip -4 rule show) == *"from all lookup main suppress_prefixlength 0"* ]]; do
                        cmd ip -4 rule delete table main suppress_prefixlength 0
                done
-               while [[ $(ip -6 rule show) == *"lookup $DEFAULT_TABLE"* ]]; do
-                       cmd ip -6 rule delete table $DEFAULT_TABLE
+               while [[ $(ip -6 rule show) == *"lookup $table"* ]]; do
+                       cmd ip -6 rule delete table $table
                done
                while [[ $(ip -6 rule show) == *"from all lookup main suppress_prefixlength 0"* ]]; do
                        cmd ip -6 rule delete table main suppress_prefixlength 0
@@ -169,21 +166,28 @@ add_route() {
        fi
 }
 
-DEFAULT_TABLE=
+get_fwmark() {
+       local fwmark
+       fwmark="$(wg show "$INTERFACE" fwmark)" || return 1
+       [[ -n $fwmark && $fwmark != off ]] || return 1
+       printf -v "$1" "%d" "$fwmark"
+       return 0
+}
+
 add_default() {
-       if [[ -z $DEFAULT_TABLE ]]; then
-               DEFAULT_TABLE=51820
-               while [[ -n $(ip -4 route show table $DEFAULT_TABLE) || -n $(ip -6 route show table $DEFAULT_TABLE) ]]; do
-                       ((DEFAULT_TABLE++))
+       local table proto key value
+       if ! get_fwmark table; then
+               table=51820
+               while [[ -n $(ip -4 route show table $table) || -n $(ip -6 route show table $table) ]]; do
+                       ((table++))
                done
+               cmd wg set "$INTERFACE" fwmark $table
        fi
-       local proto=-4
+       proto=-4
        [[ $1 == *:* ]] && proto=-6
-       cmd wg set "$INTERFACE" fwmark $DEFAULT_TABLE
-       cmd ip $proto route add "$1" dev "$INTERFACE" table $DEFAULT_TABLE
-       cmd ip $proto rule add not fwmark $DEFAULT_TABLE table $DEFAULT_TABLE
+       cmd ip $proto route add "$1" dev "$INTERFACE" table $table
+       cmd ip $proto rule add not fwmark $table table $table
        cmd ip $proto rule add table main suppress_prefixlength 0
-       local key value
        while read -r key _ value; do
                [[ $value -eq 1 ]] && sysctl -q "$key=2"
        done < <(sysctl -a -r '^net\.ipv4.conf\.[^ .=]+\.rp_filter$')