fix: harden WireGuard setup routes#55
Merged
Merged
Conversation
protostatis
commented
May 12, 2026
Owner
Author
protostatis
left a comment
protostatis
left a comment
There was a problem hiding this comment.
Sky's Code Review
This PR hardens WireGuard PostUp/PostDown hooks by using ip rule add/del with 2>/dev/null || true and switching ip route add to ip route replace for idempotency. The changes improve rerun safety but introduce a spec mismatch in PostDown route deletions — the added via $EC2_GW in PostUp is not reflected in the corresponding route del commands, making them underspecified. The blanket || true on all PostDown commands also masks real errors during interface teardown.
Verdict: Comment
Comments
- The
ip route replacein PostUp is a good idempotency improvement — it avoids duplicate-route errors on reruns. - Verify the environment variables $EC2_IP and $EC2_GW are always set before this script runs. If $EC2_GW is empty,
ip route replace ... via dev eth0would silently create an incorrect route or error out. - Consider testing: bring interface up twice in succession, then bring it down, and confirm no stale rules/routes remain.
Reviewed by Sky — Unchained Sky engineering agent
| PostUp = /sbin/ip rule add from $EC2_IP table main priority 90; /sbin/iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0xca6c; /sbin/iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff; /sbin/ip route add 140.82.112.0/20 via $EC2_GW dev eth0; /sbin/ip route add 185.199.108.0/22 via $EC2_GW dev eth0; /sbin/ip route add 169.254.169.254 dev eth0 | ||
| PostDown = /sbin/ip rule del from $EC2_IP table main priority 90; /sbin/iptables -t mangle -D PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0xca6c; /sbin/iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff; /sbin/ip route del 140.82.112.0/20 dev eth0; /sbin/ip route del 185.199.108.0/22 dev eth0; /sbin/ip route del 169.254.169.254 dev eth0 | ||
| PostUp = /sbin/ip rule add from $EC2_IP table main priority 90 2>/dev/null || true; /sbin/iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0xca6c; /sbin/iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff; /sbin/ip route replace 140.82.112.0/20 via $EC2_GW dev eth0; /sbin/ip route replace 185.199.108.0/22 via $EC2_GW dev eth0; /sbin/ip route replace 169.254.169.254 dev eth0 | ||
| PostDown = /sbin/ip rule del from $EC2_IP table main priority 90 2>/dev/null || true; /sbin/iptables -t mangle -D PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0xca6c 2>/dev/null || true; /sbin/iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff 2>/dev/null || true; /sbin/ip route del 140.82.112.0/20 via $EC2_GW dev eth0 2>/dev/null || true; /sbin/ip route del 185.199.108.0/22 via $EC2_GW dev eth0 2>/dev/null || true; /sbin/ip route del 169.254.169.254 dev eth0 2>/dev/null || true |
Owner
Author
There was a problem hiding this comment.
Good: ip rule add ... || true and ip route replace make PostUp idempotent and rerun-safe.
| PostDown = /sbin/ip rule del from $EC2_IP table main priority 90; /sbin/iptables -t mangle -D PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0xca6c; /sbin/iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff; /sbin/ip route del 140.82.112.0/20 dev eth0; /sbin/ip route del 185.199.108.0/22 dev eth0; /sbin/ip route del 169.254.169.254 dev eth0 | ||
| PostUp = /sbin/ip rule add from $EC2_IP table main priority 90 2>/dev/null || true; /sbin/iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0xca6c; /sbin/iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff; /sbin/ip route replace 140.82.112.0/20 via $EC2_GW dev eth0; /sbin/ip route replace 185.199.108.0/22 via $EC2_GW dev eth0; /sbin/ip route replace 169.254.169.254 dev eth0 | ||
| PostDown = /sbin/ip rule del from $EC2_IP table main priority 90 2>/dev/null || true; /sbin/iptables -t mangle -D PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0xca6c 2>/dev/null || true; /sbin/iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff 2>/dev/null || true; /sbin/ip route del 140.82.112.0/20 via $EC2_GW dev eth0 2>/dev/null || true; /sbin/ip route del 185.199.108.0/22 via $EC2_GW dev eth0 2>/dev/null || true; /sbin/ip route del 169.254.169.254 dev eth0 2>/dev/null || true | ||
|
|
Owner
Author
There was a problem hiding this comment.
PostDown route deletions are missing the via $EC2_GW specifier that PostUp now uses (e.g. /sbin/ip route del 140.82.112.0/20 via $EC2_GW dev eth0). Without it, ip route del may match any route to that prefix regardless of gateway, which is underspecified and could delete an unintended route. Add the via $EC2_GW clause for symmetry with PostUp.
| PostDown = /sbin/ip rule del from $EC2_IP table main priority 90; /sbin/iptables -t mangle -D PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0xca6c; /sbin/iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff; /sbin/ip route del 140.82.112.0/20 dev eth0; /sbin/ip route del 185.199.108.0/22 dev eth0; /sbin/ip route del 169.254.169.254 dev eth0 | ||
| PostUp = /sbin/ip rule add from $EC2_IP table main priority 90 2>/dev/null || true; /sbin/iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0xca6c; /sbin/iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff; /sbin/ip route replace 140.82.112.0/20 via $EC2_GW dev eth0; /sbin/ip route replace 185.199.108.0/22 via $EC2_GW dev eth0; /sbin/ip route replace 169.254.169.254 dev eth0 | ||
| PostDown = /sbin/ip rule del from $EC2_IP table main priority 90 2>/dev/null || true; /sbin/iptables -t mangle -D PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0xca6c 2>/dev/null || true; /sbin/iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff 2>/dev/null || true; /sbin/ip route del 140.82.112.0/20 via $EC2_GW dev eth0 2>/dev/null || true; /sbin/ip route del 185.199.108.0/22 via $EC2_GW dev eth0 2>/dev/null || true; /sbin/ip route del 169.254.169.254 dev eth0 2>/dev/null || true | ||
|
|
Owner
Author
There was a problem hiding this comment.
The blanket || true on every PostDown command (iptables -D, ip route del) masks real errors during WireGuard teardown. Consider dropping || true from the iptables CONNMARK rules — if those rules exist in PostUp but cannot be removed in PostDown, something is genuinely broken and the script should fail. Keep || true only for the ip rule del and ip route del where races during shutdown are expected.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Verification
bash -n deploy/setup-wireguard.sh.