Langest n00b

Joined: 19 Jan 2018 Posts: 47
Posted: Fri Sep 04, 2020 7:20 pm Post subject: wireguard wg-quick unknown option "--save-mark" |
Hi,
I'm using wireguard to connect to my vpn provider (mullvad.net). They use and require no special configuration.
However, I'm running into an issue with wg-quick.
Code: | $ wg-quick up mullvad-se4
[#] ip link add mullvad-se4 type wireguard
[#] wg setconf mullvad-se4 /dev/fd/63
[#] ip -4 address add 10.67.20.66/32 dev mullvad-se4
[#] ip -6 address add fc00:bbbb:bbbb:bb01::4:1441/128 dev mullvad-se4
[#] ip link set mtu 1420 up dev mullvad-se4
[#] resolvconf -a mullvad-se4 -m 0 -x
[#] wg set mullvad-se4 fwmark 51820
[#] ip -6 route add ::/0 dev mullvad-se4 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
ip6tables-restore v1.8.5 (legacy): unknown option "--save-mark"
Error occurred at line: 5
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
[#] resolvconf -d mullvad-se4 -f
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev mullvad-se4 |
The error seems to be: ip6tables-restore v1.8.5 (legacy): unknown option "--save-mark"
as you can see above.
Any clue how I could debug this?
Searching the error gave no meaningful results.
Thanks
Last edited by Langest on Sun Sep 06, 2020 8:30 am; edited 3 times in total |
etnull Guru

Joined: 26 Mar 2019 Posts: 487 Location: Russia
Posted: Sat Sep 05, 2020 8:33 am Post subject: |
Here is what I use for kernel config under
Networking support --> Networking options --> Network packet filtering framework (Netfilter) --> Core Netfilter Configuration
Code: | │ │ [*] Netfilter ingress support │ │
│ │ < > Netfilter NFACCT over NFNETLINK interface │ │
│ │ < > Netfilter NFQUEUE over NFNETLINK interface │ │
│ │ -*- Netfilter LOG over NFNETLINK interface │ │
│ │ < > Netfilter OSF over NFNETLINK interface │ │
│ │ <*> Netfilter connection tracking support │ │
│ │ < > Netdev packet logging │ │
│ │ -*- Connection mark tracking support │ │
│ │ [ ] Connection tracking zones │ │
│ │ [*] Supply CT list in procfs (OBSOLETE) │ │
│ │ [ ] Connection tracking events │ │
│ │ [ ] Connection tracking timeout │ │
│ │ [ ] Connection tracking timestamping │ │
│ │ [ ] Connection tracking labels │ │
│ │ [*] DCCP protocol connection tracking support │ │
│ │ [*] SCTP protocol connection tracking support │ │
│ │ [*] UDP-Lite protocol connection tracking support │ │
│ │ < > Amanda backup protocol support │ │
│ │ <*> FTP protocol support │ │
│ │ < > H.323 protocol support │ │
│ │ <*> IRC protocol support │ │
│ │ < > NetBIOS name service protocol support │ │
│ │ < > SNMP service protocol support │ │
│ │ < > PPtP protocol support │ │
│ │ < > SANE protocol support │ │
│ │ <*> SIP protocol support │ │
│ │ < > TFTP protocol support │ │
│ │ <*> Connection tracking netlink interface │ │
│ │ [ ] NFQUEUE and NFLOG integration with Connection Tracking │ │
│ │ <*> Network Address Translation support │ │
│ │ < > Netfilter nf_tables support │ │
│ │ -*- Netfilter Xtables support (required for ip_tables) │ │
│ │ *** Xtables combined modules *** │ │
│ │ <*> nfmark target and match support │ │
│ │ <*> ctmark target and match support │ │
│ │ <*> set target and match support │ │
│ │ *** Xtables targets *** │ │
│ │ < > CHECKSUM target support │ │
│ │ < > "CLASSIFY" target support │ │
│ │ < > "CONNMARK" target support │ │
│ │ < > "CT" target support │ │
│ │ < > "DSCP" and "TOS" target support │ │
│ │ < > "HL" hoplimit target support │ │
│ │ < > "HMARK" target support │ │
│ │ < > IDLETIMER target support │ │
│ │ < > "LED" target support │ │
│ │ < > LOG target support │ │
│ │ < > "MARK" target support │ │
│ │ < > "SNAT and DNAT" targets support │ │
│ │ < > "NETMAP" target support │ │
│ │ <*> "NFLOG" target support │ │
│ │ < > "NFQUEUE" target Support │ │
│ │ < > "NOTRACK" target support (DEPRECATED) │ │
│ │ < > "RATEEST" target support │ │
│ │ < > REDIRECT target support │ │
│ │ < > MASQUERADE target support │ │
│ │ < > "TEE" - packet cloning to alternate destination │ │
│ │ < > "TPROXY" target transparent proxying support │ │
│ │ < > "TRACE" target support │ │
│ │ <*> "TCPMSS" target support │ │
│ │ < > "TCPOPTSTRIP" target support │ │
│ │ *** Xtables matches *** │ │
│ │ <*> "addrtype" address type match support │ │
│ │ < > "bpf" match support │ │
│ │ < > "control group" match support │ │
│ │ < > "cluster" match support │ │
│ │ <*> "comment" match support │ │
│ │ < > "connbytes" per-connection counter match support │ │
│ │ < > "connlabel" match support │ │
│ │ < > "connlimit" match support │ │
│ │ < > "connmark" connection mark match support │ │
│ │ <*> "conntrack" connection tracking match support │ │
│ │ < > "cpu" match support │ │
│ │ < > "dccp" protocol match support │ │
│ │ < > "devgroup" match support │ │
│ │ < > "dscp" and "tos" match support │ │
│ │ < > "ecn" match support │ │
│ │ < > "esp" match support │ │
│ │ <*> "hashlimit" match support │ │
│ │ < > "helper" match support │ │
│ │ < > "hl" hoplimit/TTL match support │ │
│ │ < > "ipcomp" match support │ │
│ │ < > "iprange" address range match support │ │
│ │ < > "l2tp" match support │ │
│ │ < > "length" match support │ │
│ │ < > "limit" match support │ │
│ │ < > "mac" address match support │ │
│ │ < > "mark" match support │ │
│ │ < > "multiport" Multiple port match support │ │
│ │ < > "nfacct" match support │ │
│ │ < > "osf" Passive OS fingerprint match │ │
│ │ < > "owner" match support │ │
│ │ <*> IPsec "policy" match support │ │
│ │ < > "pkttype" packet type match support │ │
│ │ < > "quota" match support │ │
│ │ < > "rateest" match support │ │
│ │ < > "realm" match support │ │
│ │ < > "recent" match support │ │
│ │ < > "sctp" protocol match support │ │
│ │ < > "socket" match support │ │
│ │ <*> "state" match support │ │
│ │ < > "statistic" match support │ │
│ │ < > "string" match support │ │
│ │ < > "tcpmss" match support │ │
│ │ < > "time" match support │ │
│ │ < > "u32" match support |
But I don't use IPv6, so it may not work for you; play around with these options. |
user Apprentice

Joined: 08 Feb 2004 Posts: 151
Posted: Sat Sep 05, 2020 5:16 pm Post subject: |
netfilter module CONNMARK includes the --save-mark option |
Langest n00b

Joined: 19 Jan 2018 Posts: 47
Posted: Sun Sep 06, 2020 8:29 am Post subject: |
Thanks,
CONNMARK was the module I was missing. There were a few more after that one as well, but I managed to figure those out. |
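
Added example, not part of the thread and not wg-quick's own code: a small check that lists the Netfilter kernel options still disabled, so the missing ones show up in one pass instead of one failed `wg-quick up` at a time. Only CONNMARK is named in the thread; the rest of the symbol list, the config file locations and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Only CONNMARK is named there; the other
# symbols are assumed from the mark/addrtype/comment matches and the raw and
# mangle tables that wg-quick's restore input relies on.
# The combined XT_CONNMARK / XT_MARK symbols are checked because the
# '"CONNMARK" target' and '"mark" match' menu entries merely select them.
REQUIRED_SYMBOLS="NETFILTER_XT_CONNMARK NETFILTER_XT_MARK
NETFILTER_XT_MATCH_ADDRTYPE NETFILTER_XT_MATCH_COMMENT
IP_NF_RAW IP_NF_MANGLE IP6_NF_RAW IP6_NF_MANGLE"

# missing_symbols FILE: print every required symbol not built in (=y) or
# built as a module (=m) in the given kernel config file.
missing_symbols() {
    for sym in $REQUIRED_SYMBOLS; do
        grep -Eq "^CONFIG_${sym}=[ym]\$" "$1" || printf '%s\n' "$sym"
    done
}

# running_config: dump the live kernel config (needs CONFIG_IKCONFIG_PROC),
# falling back to the conventional source-tree location.
running_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r /usr/src/linux/.config ]; then
        cat /usr/src/linux/.config
    else
        echo "no kernel config found" >&2
        return 1
    fi
}

# Constructed sample: CONNMARK and the IPv6 raw table are disabled.
sample_config() {
    cat <<'EOF'
# CONFIG_NETFILTER_XT_CONNMARK is not set
CONFIG_NETFILTER_XT_MARK=y
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_MANGLE=y
# CONFIG_IP6_NF_RAW is not set
CONFIG_IP6_NF_MANGLE=y
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"      # swap in: running_config > "$cfg"
missing_symbols "$cfg"      # prints the two disabled symbols
rm -f "$cfg"
```

An empty result means every listed option is enabled as built-in or module; a module still has to be loadable at the time wg-quick runs.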