Bug 673948 - net-vpn/wireguard checks for NETFILTER_XT_MARK but it is not required
Summary: net-vpn/wireguard checks for NETFILTER_XT_MARK but it is not required
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Jason A. Donenfeld
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2018-12-29 06:46 UTC by kfm
Modified: 2019-12-28 07:52 UTC (History)
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Description kfm 2018-12-29 06:46:25 UTC
With USE="tools" in effect, the wireguard ebuild checks for NETFILTER_XT_MARK. I believe this to be incorrect because the option only governs the availability of the mark match and MARK target in xtables, yet wireguard does not use iptables in any shape or form, by default.

Granted, there are sample PostUp and PreDown directives in the wg-quick(8) man page that demonstrate the use of the xtables mark match but such does not amount to a requirement.

I have tested wireguard with a kernel that has xtables completely disabled, in favour of nftables (which has its own syntax for mark matching). I found that wg-quick still functions correctly and that the routing policy rule that references the fwmark is still added successfully.

As of iptables-1.8.0, both xtables and nftables are supported as backends. While Gentoo has not yet implemented a suitable eselect module, this could eventually mean that NETFILTER_XT_MARK is not necessarily required for the examples in the man page either.
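An added example, written for this page rather than taken from the bug report or from the Gentoo ebuild: a kernel-option check in the spirit of the one the reporter describes, run against constructed `.config` fragments, alongside a relaxed variant that accepts either the xtables mark match or nftables. The option names (`NETFILTER_XT_MARK`, `NF_TABLES`, `NFT_META`, `NETFILTER_XTABLES`) are real kernel symbols; the three config fragments are made up for the demonstration and the function names are this example's own.

```shell
# Added example (not from the bug report or the Gentoo ebuild): models the
# kernel-option check the reporter objects to, and a relaxed alternative.

# Constructed .config fragments, not real kernel configurations.
CONFIG_NFT_ONLY='CONFIG_NETFILTER=y
CONFIG_NF_TABLES=y
CONFIG_NFT_META=y
# CONFIG_NETFILTER_XT_MARK is not set'

CONFIG_XT_ONLY='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
# CONFIG_NF_TABLES is not set'

CONFIG_NEITHER='CONFIG_NETFILTER=y
# CONFIG_NETFILTER_XT_MARK is not set
# CONFIG_NF_TABLES is not set'

# config_enabled CONFIG_TEXT OPTION
# Succeeds when OPTION (given without the CONFIG_ prefix) is built in (=y)
# or as a module (=m). "# CONFIG_FOO is not set" lines do not match.
config_enabled() {
    printf '%s\n' "$1" | grep -Eq "^CONFIG_$2=(y|m)$"
}

# strict_check CONFIG_TEXT
# The behaviour the report objects to: NETFILTER_XT_MARK is mandatory, so an
# nftables-only kernel on which wg-quick works is still rejected.
strict_check() {
    config_enabled "$1" NETFILTER_XT_MARK
}

# relaxed_check CONFIG_TEXT
# Accepts either backend for the mark-based firewall examples in wg-quick(8):
# the xtables mark match, or nftables (which matches marks in its own syntax).
# Neither is needed for wg-quick's own fwmark routing policy rule, so a caller
# that only wants the tunnel to come up can treat a failure here as a warning.
relaxed_check() {
    config_enabled "$1" NETFILTER_XT_MARK || config_enabled "$1" NF_TABLES
}

# report CONFIG_TEXT LABEL: one-line summary of both checks for a config.
report() {
    if strict_check "$1"; then strict=ok; else strict=FAIL; fi
    if relaxed_check "$1"; then relaxed=ok; else relaxed=FAIL; fi
    printf '%-9s strict(XT_MARK)=%-4s relaxed(XT_MARK|NF_TABLES)=%s\n' \
        "$2" "$strict" "$relaxed"
}

report "$CONFIG_NFT_ONLY" nft-only
report "$CONFIG_XT_ONLY" xt-only
report "$CONFIG_NEITHER" neither
```

Running the script shows the nftables-only configuration failing the strict check while passing the relaxed one, which is exactly the kernel the reporter tested. In an ebuild using linux-info.eclass the same distinction is expressed by prefixing the entry in `CONFIG_CHECK` with `~`, which turns a missing option from a hard failure into a warning.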