[WireGuard] WireGuard module requires CONFIG_IP6_NF_IPTABLES

[WireGuard] WireGuard module requires CONFIG_IP6_NF_IPTABLES

[Ivan Labáth]

Hello,

WireGuard seems like a nice simple tool. Much better than
IPsec (at least on linux). Thank you all who help develop it.


I have been trying to use WireGuard, unsuccessfully as it kept failing
to create a net device.

After a while I have traced it to the following line in ratelimiter.c:

>        ratelimiter->v6_match = xt_request_find_match(NFPROTO_IPV6, "hashlimit", 1);
>        if (IS_ERR(ratelimiter->v6_match)) {
>                pr_err("The xt_hashlimit module is required");
>                module_put(ratelimiter->v4_match->me);
>                return PTR_ERR(ratelimiter->v6_match);
>        }

Long story short, xt_hashlimit only builds the IPV6 version
if CONFIG_IP6_NF_IPTABLES is enabled (either module or builtin),
as in:
> #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
and I didn't have it enabled. I didn't have it enabled as I used
nftables.

I would suggest changing the above pr_err to something like:
> pr_err("The xt_hashlimit module with CONFIG_IP6_NF_IPTABLES=[ym] is required");
At this point in execution, xt_haslimit module is present as the IPv4 version succeeded.

Also, it would be appropriate to include it here
https://www.wireguard.io/install/#kernel-requirements
and possibly test for it in packages.

Regards,
Ivan Labáth

Re: [WireGuard] WireGuard module requires CONFIG_IP6_NF_IPTABLES

[Jason A. Donenfeld]

[-- Attachment #1: Type: text/plain, Size: 198 bytes --]

Thanks for letting me know.

https://git.zx2c4.com/WireGuard/commit/?id=9782260da90065b7645e5854ee538543c834b246

I updated the Kconfig there, and I'll update the website documentation in a
minute.

[-- Attachment #2: Type: text/html, Size: 487 bytes --]