Problem using nft ct mark to identify wireguard packets

Using OpenWrt 24.10.0, I have configured wireguard to mark outgoing tunnel packets with fwmark 0x12345678

nft packet logging (second line) shows that the packets are indeed properly marked, but ct mark != 0x00000000 does not trigger on any of the marked packets, nor does ct mark 0x12345678.

counter packets 16 bytes 5316
limit rate 3/minute burst 5 packets log prefix "wgout " counter packets 5 bytes 1948
ct mark != 0x00000000 counter packets 0 bytes 0
ct mark 0x00000000 counter packets 16 bytes 5316

Is the connection tracking package compiled to be able to see these MARKs? Or am I doing something wrong?

Where's the marking line?

Marking is being done by wireguard when it generates the packets

root@t24:~# wg
interface: wg0
  public key: xxxx=
  private key: (hidden)
  listening port: 19945
  fwmark: 0x12345678

That's meta mark, not ct.
It is uint32 and typically you set one bit per feature then extract.

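To make the distinction concrete, here is an added nftables example (not from the thread or from OpenWrt's own config). It assumes wg0 is the WireGuard interface and 0x12345678 is the fwmark configured on it, as in the original post. WireGuard's fwmark is written into the packet (meta) mark of each outgoing tunnel packet; the conntrack mark is a separate 32-bit field that stays zero unless a rule explicitly sets it. The example matches on meta mark, copies it onto the flow's conntrack entry so that later rules can use ct mark, and shows the "one bit per feature" style of masking the answer refers to.

```nft
# Added example, not the thread author's config.
# Assumptions: wg0 carries WireGuard traffic and its fwmark is 0x12345678.
table inet wgmark {
    chain output {
        type filter hook output priority mangle; policy accept;

        # WireGuard's fwmark is a packet (meta) mark, so this is what matches.
        meta mark 0x12345678 counter comment "wg packets by meta mark"

        # The conntrack mark is separate and starts at 0. Copy the packet mark
        # onto the flow once, so later rules (and reply packets) can use ct mark.
        ct mark 0 meta mark != 0 ct mark set meta mark counter

        # Treating the 32-bit mark as a bitfield: test a single feature bit
        # with a mask instead of comparing the whole value.
        meta mark & 0x00000008 != 0 counter comment "feature bit 3 set"
    }
}
```

With this loaded, the original `ct mark != 0x00000000` counter would start incrementing for WireGuard flows, because the conntrack entry now carries the copied mark; without the `ct mark set` rule, only `meta mark` rules see the fwmark.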

Ahhhhh! Thank you! That works! I will do a little more reading about the distinction
