Development discussion of WireGuard
* [PATCH] wg-quick: linux: fix sysctl inside a docker container
@ 2020-10-15 14:00 Dashamir Hoxha
From: Dashamir Hoxha @ 2020-10-15 14:00 UTC
  To: wireguard


In Docker containers you cannot run `sysctl`. So, it is not possible to set
`sysctl -q net.ipv4.conf.all.src_valid_mark=1` from inside the container.
However, you can set it when creating the container, with the Docker option:
`--sysctl net.ipv4.conf.all.src_valid_mark=1`

This patch checks first if `net.ipv4.conf.all.src_valid_mark` is already set,
before trying to set it. Otherwise `sysctl` will fail in a docker container,
and `wg-quick` will fail to start the interface.

[-- Attachment #2: 0001-wg-quick-linux-fix-sysctl-inside-a-docker-container.patch --]
[-- Type: text/x-patch, Size: 1311 bytes --]

From bb1e5da4dea2570f209ed461ff9cab4c5328df2a Mon Sep 17 00:00:00 2001
From: Dashamir Hoxha <>
Date: Thu, 15 Oct 2020 15:24:15 +0200
Subject: [PATCH] wg-quick: linux: fix sysctl inside a docker container

Signed-off-by: Dashamir Hoxha <>
 src/wg-quick/linux.bash | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index e4d4c4f..44f79f1 100755
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -237,7 +237,9 @@ add_default() {
 	printf -v restore '%sCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker"
 	printf -v nftcmd '%sadd rule %s %s postmangle meta l4proto udp mark %d ct mark set mark \n' "$nftcmd" "$pf" "$nftable" $table
 	printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta mark set ct mark \n' "$nftcmd" "$pf" "$nftable"
-	[[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
+	if [[ $proto == -4 && $(sysctl -n net.ipv4.conf.all.src_valid_mark) == '0' ]]; then
+		cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
+	fi
 	if type -p nft >/dev/null; then
 		cmd nft -f <(echo -n "$nftcmd")
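Review bot: the new condition on the `if` line skips the write whenever `sysctl -n` prints anything other than `0`, including nothing at all when the read fails or the key is absent, so a failed read silently leaves src_valid_mark unset; comparing against `1` instead keeps the original behaviour in every case except the one this patch targets (the key already being 1). Suggest `if [[ $proto == -4 && $(sysctl -n net.ipv4.conf.all.src_valid_mark 2>/dev/null) != 1 ]]; then`. The `$(sysctl -n ...)` read also bypasses the `cmd` wrapper, so it will not show up in wg-quick's command trace; reading `/proc/sys/net/ipv4/conf/all/src_valid_mark` directly would avoid depending on the sysctl binary for the check. Finally, the commit message has no body: the rationale (read-only /proc/sys inside a container, and that the value then has to be passed at container creation with `docker run --sysctl`) lives only in the cover mail and belongs in the commit.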

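The check-before-set idea from the mail above, as an added example (not wg-quick code and not part of the patch): the function reads the key from /proc/sys instead of calling sysctl, writes only when the value differs, and returns a distinct status when the key is read-only, which is the container case the patch is about. The sysctl path is a parameter (an assumption for this example) so the function can be exercised on an ordinary file.

```shell
#!/bin/sh
# Added example, not from the WireGuard project: set a sysctl only when the
# current value differs, and say clearly when /proc/sys is read-only (as in a
# container started without --sysctl). The path is a parameter so the logic
# can be tested on a plain file; the default is the key wg-quick sets.

# ensure_sysctl PATH VALUE
#   0: value already correct, or written successfully
#   2: key missing or unreadable
#   3: value differs and the key is not writable (must be set at container
#      creation with docker run --sysctl instead)
ensure_sysctl() {
	path=$1; want=$2
	[ -r "$path" ] || { echo "$path: not present or unreadable" >&2; return 2; }
	read -r cur <"$path" || return 2
	if [ "$cur" = "$want" ]; then
		return 0
	fi
	# Only attempt a write when the value actually differs; in a container
	# /proc/sys is typically mounted read-only and the write fails with EROFS.
	if ! printf '%s\n' "$want" >"$path" 2>/dev/null; then
		echo "$path is $cur, want $want, but it is read-only;" \
		     "pass --sysctl at container creation instead" >&2
		return 3
	fi
	return 0
}

# The key wg-quick needs for IPv4 policy routing with fwmark.
ensure_src_valid_mark() {
	ensure_sysctl "${1:-/proc/sys/net/ipv4/conf/all/src_valid_mark}" 1
}
```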