add unreachable rule for uplinks

6 years ago · acf495d4ba
parent e202073040
commit acf495d4ba
2 changed files with 10 additions and 4 deletions
--- a/roles/install_wireguard_backbone/templates/up.sh.j2
+++ b/roles/install_wireguard_backbone/templates/up.sh.j2
@ -4,5 +4,8 @@ wg setconf bb{{ hostvars[item]['wireguard_bb_name'] }} /etc/wireguard/wgbb{{ hos
 ip addr add {{ wireguard_bb_ipv6 }} dev bb{{ hostvars[item]['wireguard_bb_name'] }}
 ip addr add {{ wireguard_bb_ipv4 }}/32 peer {{ hostvars[item]['wireguard_bb_ipv4'] }}/32 dev bb{{ hostvars[item]['wireguard_bb_name'] }}
 ip link set up dev bb{{ hostvars[item]['wireguard_bb_name'] }}
-ip -4 rule add iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk priority 10
-ip -6 rule add iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk priority 10
+ip -4 rule add from all iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk priority 10
+ip -6 rule add from all iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk priority 10
+ip -4 rule add from all iif bb{{ hostvars[item]['wireguard_bb_name'] }} type unreachable priority 200
+ip -6 rule add from all iif bb{{ hostvars[item]['wireguard_bb_name'] }} type unreachable priority 200
+
--- a/roles/install_wireguard_backbone/templates/up2.sh.j2
+++ b/roles/install_wireguard_backbone/templates/up2.sh.j2
@ -4,5 +4,8 @@ wg setconf bb{{ item.name }} /etc/wireguard/wgbb{{ item.name }}.conf
 ip addr add {{ wireguard_bb_ipv6 }} dev bb{{ item.name }}
 ip addr add {{ wireguard_bb_ipv4 }}/32 peer {{ item.ipv4 }}/32 dev bb{{ item.name }}
 ip link set up dev bb{{ item.name }}
-ip -4 rule add iif bb{{ item.name }} table ffmyk priority 10
-ip -6 rule add iif bb{{ item.name }} table ffmyk priority 10
+ip -4 rule add from all iif bb{{ item.name }} table ffmyk priority 10
+ip -6 rule add from all iif bb{{ item.name }} table ffmyk priority 10
+ip -4 rule add from all iif bb{{ item.name }} type unreachable priority 200
+ip -6 rule add from all iif bb{{ item.name }} type unreachable priority 200
+