* [PATCH] wg-quick: check if nftables is functional before using it
@ 2025-04-17 21:50 Tristan
From: Tristan @ 2025-04-17 21:50 UTC (permalink / raw)
To: wireguard
Currently, wg-quick only checks if the nft binary exists before attempting
to use nftables. This can lead to failures when the binary exists but the
required kernel modules aren't loaded.
This change adds a functionality check using 'nft list ruleset' to verify
nftables is operational before attempting to use it, falling back to
iptables if nftables is non-functional.
---
src/wg-quick/linux.bash | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index 4193ce5..55b1850 100755
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -238,7 +238,7 @@ add_default() {
printf -v nftcmd '%sadd rule %s %s postmangle meta l4proto udp mark %d
ct mark set mark \n' "$nftcmd" "$pf" "$nftable" $table
printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta
mark set ct mark \n' "$nftcmd" "$pf" "$nftable"
[[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
- if type -p nft >/dev/null; then
+ if type -p nft >/dev/null && nft list ruleset &>/dev/null; then
cmd nft -f <(echo -n "$nftcmd")
else
echo -n "$restore" | cmd $iptables-restore -n
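Review bot: the new condition on the `if` line makes the fallback to iptables completely silent, so when `nft` is installed but `nft list ruleset` fails (missing nf_tables kernel support, or any other error hidden by `&>/dev/null`) the operator gets no indication that the udp mark rules were installed via iptables-restore instead; consider emitting a short diagnostic on the fallback branch, e.g. `echo "[#] nft present but not functional, using $iptables-restore" >&2`, so the backend choice is visible in the output. Two further points on the same line: `nft list ruleset` dumps the whole ruleset and runs once per call of `add_default()` (the `$proto == -4` test above suggests it is called per address family), so the probe could be cached in a variable on first use; and whatever condition decides between nft and iptables here should be the same one used wherever the script later removes these rules, otherwise a rule added through the iptables path may be looked for under nftables on teardown.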
--
2.47.0