
Bug 816717

Summary: net-vpn/wireguard-tools[wg-quick] should not hard-depend on a firewall tool (iptables or nftables)
Product: Gentoo Linux
Reporter: Christopher Head <bugs>
Component: Current packages
Assignee: Jason A. Donenfeld <zx2c4>
Status: UNCONFIRMED
Severity: minor
CC: kfm
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Christopher Head 2021-10-07 04:21:38 UTC
net-vpn/wireguard-tools[wg-quick] depends on `|| ( net-firewall/nftables net-firewall/iptables )`. However, wg-quick works just fine without either one installed, and without the corresponding kernel options enabled either. From inspection of the wg-quick source code (it's just a shell script), it seems that iptables/nftables are only called if one elects to set a *default* route via a WireGuard VPN connection, but they are not needed if one only elects to route certain traffic through the VPN (as is my case, and presumably quite a common case, for connecting to an office VPN from home). In fact, there is even already a mention of this fact in the ebuild: wg_quick_optional_config_nob mentions that the routing, iptables, and nftables config options are only needed for automatic routing of default routes, not for general WireGuard usage. It therefore does not make sense to me that the userspace applications are pulled in unconditionally when wg-quick is installed.

Reproducible: Always
Comment 1 Sotir Danailov 2023-01-04 10:34:39 UTC
> However, wg-quick works just fine without either one installed, and without the corresponding kernel options enabled either.
It needs fwmark (firewall mark) to work. It uses it in iptables/nftables to make sure that only WireGuard packets get out so that nothing leaks.
Comment 2 Sotir Danailov 2023-01-04 16:17:40 UTC
> It needs fwmark
Actually my bad, it doesn't, it's optional.
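Added illustration of the point made in the description and settled in comment 2; this is not code from the bug report, from wg-quick or from the Gentoo ebuild. The check below applies wg-quick's own rule to a config file: the only code path that runs nft/iptables is the one taken for an AllowedIPs entry ending in /0 while Table is unset or "auto", so a split-tunnel config (or one with Table = off or an explicit table number) never needs a firewall tool. The function name, sample configs and placeholder keys are constructed for the example.

```bash
#!/bin/bash
# Added example (not from the bug report or the Gentoo ebuild). It mirrors the
# wg-quick behaviour the report describes: add_default(), the only path that
# runs nft/iptables, is taken for an AllowedIPs entry ending in /0 when Table
# is unset or "auto"; Table=off or an explicit table number never calls it.

# Usage: wg_needs_firewall_tool CONFIG_FILE   (exit 0 = firewall tool needed)
wg_needs_firewall_tool() {
    local file=$1 table=auto has_default=0 line key value cidr
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # drop comments
        [[ $line == *=* ]] || continue        # skip [Section] and blank lines
        key=${line%%=*};   key=${key//[[:space:]]/}
        value=${line#*=};  value=${value//[[:space:]]/}
        case $key in                          # keys as spelled in wg-quick(8)
            Table) table=$value ;;
            AllowedIPs)
                for cidr in ${value//,/ }; do # 0.0.0.0/0 or ::/0 = default route
                    [[ $cidr == */0 ]] && has_default=1
                done ;;
        esac
    done < "$file"
    [[ $has_default -eq 1 && ( -z $table || $table == auto ) ]]
}

# Constructed sample configs with placeholder keys (not real credentials).
tmp=$(mktemp -d)
cat > "$tmp/office.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.8.0.2/32
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 10.8.0.0/24, 192.168.10.0/24   # split tunnel: office networks only
EOF
cat > "$tmp/full.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.8.0.3/32
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0                # everything via the tunnel
EOF
for f in office full; do
    if wg_needs_firewall_tool "$tmp/$f.conf"; then
        echo "$f.conf: wg-quick would call nft/iptables (fwmark rules guard against leaks)"
    else
        echo "$f.conf: comes up without any firewall tool"
    fi
done
rm -rf "$tmp"
```

Run against your own wg-quick configs to see whether the iptables/nftables dependency is ever exercised on a given host; for the split-tunnel office case in the report it is not.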