
#1 2023-10-20 03:45:00

25pwn
Member
Registered: 2023-01-22
Posts: 26

Allow some cgroups to bypass vpn

I'm trying to write a script that includes or excludes a cgroup from a vpn, such that when excluded, traffic from the cgroup bypasses the vpn. I want to run it manually when I want.

The cgroup in question is:

$ cat /proc/7425/cgroup
0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-flatpak-com.valvesoftware.Steam-7292.scope

The `7292` changes on every run.

I've found a few resources:
- 1: Doesn't quite do what I want and the cgroup name is hardcoded.
- 2: This is a temporary solution.

My initial script can log packets from the cgroup:

#!/bin/sh
set -eu
disable_whitelist=false

while [ $# -gt 0 ]; do
    case "${1}" in
        --disable | -d)
            disable_whitelist=true
            shift
            ;;
        *)
            echo "Usage: ${0} [--disable | -d]"
            exit 1
            ;;
    esac
done

table_name="vpn.whitelist"
# Steam's transient scope name carries the flatpak instance id (7292 above), so look it up on every run.
cgroup="$(find /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/ -type d -name 'app-flatpak-com.valvesoftware.Steam-*.scope' -print -quit)"
cgroup="${cgroup#/sys/fs/cgroup/}"   # nft wants the path relative to the cgroup2 mount

delete_whitelist()
{
    nft delete table inet "${table_name}"
    printf '%s\n' "removed"
}

add_whitelist()
{
    # find -quit prints nothing when Steam is not running; do not install an empty match
    [ -n "${cgroup}" ] || { echo "Steam cgroup not found" >&2; exit 1; }

    nft add table inet "${table_name}"

    nft add chain inet "${table_name}" output '{ type filter hook output priority 0; }'

    # level 5 = number of components in the cgroup path above
    nft add rule inet "${table_name}" output \
        socket cgroupv2 level 5 \
        \""${cgroup}"\" \
        log

    printf '%s\n' "added"
}

case ${disable_whitelist} in
    false)
        add_whitelist
        exit 0
        ;;
    true)
        delete_whitelist
        exit 0
        ;;
    *)
        exit 1
esac

However, I have no idea how to make it bypass the vpn.

I've blindly tried the above script but with:

add_whitelist()
{
    nft add table inet "${table_name}"

    nft add chain inet "${table_name}" output '{ type filter hook prerouting priority raw - 1; }'

    nft add rule inet "${table_name}" output \
        socket cgroupv2 level 5 \
        \""${cgroup}"\" \
        accept

    printf '%s\n' "added"
}

But it does not bypass the vpn.

Other information:

# nft list ruleset

table ip6 wg-quick-wgcf-profile {
        chain preraw {
                type filter hook prerouting priority raw; policy accept;
                iifname != "wgcf-profile" ip6 daddr [REDACTED IPV6 ADDRESS] fib saddr type != local drop
        }

        chain premangle {
                type filter hook prerouting priority mangle; policy accept;
                meta l4proto udp meta mark set ct mark
        }

        chain postmangle {
                type filter hook postrouting priority mangle; policy accept;
                meta l4proto udp meta mark [REDACTED MARK] ct mark set meta mark
        }
}
table ip wg-quick-wgcf-profile {
        chain preraw {
                type filter hook prerouting priority raw; policy accept;
                iifname != "wgcf-profile" ip daddr [REDACTED IPV4 ADDRESS] fib saddr type != local drop
        }

        chain premangle {
                type filter hook prerouting priority mangle; policy accept;
                meta l4proto udp meta mark set ct mark
        }

        chain postmangle {
                type filter hook postrouting priority mangle; policy accept;
                meta l4proto udp meta mark [REDACTED MARK] ct mark set meta mark
        }
}

What set of commands do I need to achieve this?

Last edited by 25pwn (2023-10-21 03:26:55)

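The thread never answers the question. As an added example that is neither the poster's script nor anything from the thread, this is the approach a defender would take on top of the policy routing wg-quick installs by default (the "not fwmark <X> table <X>" rule; the mark itself is read with `wg show <iface> fwmark`). It assumes the interface name `wgcf-profile` from the ruleset above and that wg-quick was started with its default `Table` setting.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes wg-quick's default fwmark policy
# routing ("ip rule add not fwmark <X> table <X>") is active for wgcf-profile.
set -eu
wg_iface="${WG_IFACE:-wgcf-profile}"    # assumption: interface name taken from the ruleset above
table_name="vpn.whitelist"

# "socket cgroupv2 level N" matches the first N components of the path, so derive N.
cgroup_level() {
    n=1; rest="$1"
    while [ "${rest#*/}" != "${rest}" ]; do rest="${rest#*/}"; n=$((n + 1)); done
    echo "${n}"
}

# Emit the ruleset as text (no root needed). "type route" re-runs the routing decision
# after the mark changes; a "type filter" output chain leaves the packet on the tunnel
# route. The socket already carries the tunnel's source address, hence the masquerade.
render_rules() {
    cgroup="$1"; fwmark="$2"
    cat <<EOF
table inet ${table_name} {
    chain output {
        type route hook output priority mangle; policy accept;
        socket cgroupv2 level $(cgroup_level "${cgroup}") "${cgroup}" meta mark set ${fwmark}
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname != "${wg_iface}" meta mark ${fwmark} masquerade
    }
}
EOF
}

steam_cgroup() {    # same lookup as the original script, path relative to the cgroup2 mount
    find /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/ \
        -type d -name 'app-flatpak-com.valvesoftware.Steam-*.scope' -print -quit \
        | sed 's|^/sys/fs/cgroup/||'
}
case "${1:-render}" in
    enable)
        mark="$(wg show "${wg_iface}" fwmark)"       # prints e.g. 0xca6c, or "off"
        [ "${mark}" != "off" ] || { echo "${wg_iface} has no fwmark; wg-quick routing not active" >&2; exit 1; }
        cg="$(steam_cgroup)"; [ -n "${cg}" ] || { echo "Steam cgroup not found" >&2; exit 1; }
        nft delete table inet "${table_name}" 2>/dev/null || true   # replace rather than append
        render_rules "${cg}" "${mark}" | nft -f -
        ;;
    disable) nft delete table inet "${table_name}" ;;
    render)  render_rules "${2:-app.slice/example.scope}" "${3:-0xca6c}" ;;   # dry run with constructed sample
esac
```

Run it without arguments to see the generated ruleset, and `enable`/`disable` as root to install or remove it; the wg-quick `preraw` drop rule does not interfere because replies arrive addressed to the physical interface, not the tunnel address.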

#2 2023-10-20 12:25:48

solskog
Member
Registered: 2020-09-05
Posts: 418

Re: Allow some cgroups to bypass vpn

What set of commands do I need to achieve this?

To update the nft output chain when 7292 changes to new digits? What triggers the change?


#3 2023-10-21 03:20:21

25pwn
Member
Registered: 2023-01-22
Posts: 26

Re: Allow some cgroups to bypass vpn

solskog wrote:

What set of commands do I need to achieve this?

To update the nft output chain when 7292 changes to new digits? What triggers the change?

I want to manually enable or disable the whitelist. "To update the nft output chain when 7292 changes to new digits" is not what I want, but it changes on every run of flatpak steam. I'll manually enable/disable the whitelist when I want.

My initial script can already find the cgroup and apply rules for it. My initial script with

add_whitelist()
{
    nft add table inet "${table_name}"

    nft add chain inet "${table_name}" output '{ type filter hook output priority 0; }'

    nft add rule inet "${table_name}" output \
        socket cgroupv2 level 5 \
        \""${cgroup}"\" \
        log

    printf '%s\n' "added"
}

successfully logs packets from the cgroup. However, I have no idea how to make it bypass the vpn.

Last edited by 25pwn (2023-10-21 05:05:19)


#4 2023-10-21 13:28:48

solskog
Member
Registered: 2020-09-05
Posts: 418

Re: Allow some cgroups to bypass vpn

25pwn wrote:

However, I have no idea how to make it bypass the vpn.

Are you looking for https://en.wikipedia.org/wiki/Split_tunneling ?


#5 2023-10-22 16:49:41

25pwn
Member
Registered: 2023-01-22
Posts: 26

Re: Allow some cgroups to bypass vpn

solskog wrote:
25pwn wrote:

However, I have no idea how to make it bypass the vpn.

Are you looking for https://en.wikipedia.org/wiki/Split_tunneling ?

I want all traffic from the cgroup to bypass the vpn, not specific IPs.
