Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 816717 - net-vpn/wireguard-tools[wg-quick] should not hard-depend on a firewall tool (iptables or nftables)
Summary: net-vpn/wireguard-tools[wg-quick] should not hard-depend on a firewall tool (...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
: Normal minor (vote)
Assignee: Jason A. Donenfeld
Depends on:
Reported: 2021-10-07 04:21 UTC by Christopher Head
Modified: 2022-02-19 08:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Head 2021-10-07 04:21:38 UTC
net-vpn/wireguard-tools[wg-quick] depends on ||(net-firewall/nftables net-firewall/iptables). However, wg-quick works just fine without either one installed, and without the corresponding kernel options enabled either. From inspection of the wg-quick source code (it’s just a shell script), it seems that iptables/nftables are only called if one elects to set a *default* route via a Wireguard VPN connection, but they are not needed if one only elects to route certain traffic through the VPN (as is my case, and presumably quite a common case, for connecting to an office VPN from home). In fact, there is even already a mention of this fact in the ebuild: wg_quick_optional_config_nob mentions that the routing, iptables, and nftables config options are only needed for automatic routing of default routes, not for general WireGuard usage. It therefore does not make sense to me that the userspace applications are pulled in unconditionally when wg-quick is installed.

Reproducible: Always