On 06.12.2019 19:12, Jordan Glover wrote:
But nft rule won't be visible from iptables tools like iptables-save,
right? This may be confusing for people who still use iptables for
setting up firewall on their systems.


Right. And for those using NFT, they will see a strange rule in their default inet filter table. Also, nft users may delete this table or its input chain, or alter the chain hook specification before calling wg-quick, and in this case the magic command will crash. So it should be added to a wireguard-specific table instead of inet filter. This is actually the only easy way to revert the ruleset in nft: you delete your table to revert the changes.

nft add table inet $table
nft add chain inet $table input '{ type filter hook input priority 0; policy accept; }'
nft add rule inet $table input fib daddr . iif type != { local, broadcast, multicast } drop

and then:

nft delete table inet $table

when we are done.
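One way to script the dedicated-table approach described above, as an added example that is not part of the original mail or of wg-quick itself: the ruleset is loaded in one `nft -f` batch (so it is applied atomically and can be re-applied without duplicating rules), and teardown checks that the table still exists so removal does not fail if an nft user already deleted it. The table name and the `nft -f -` stdin form are assumptions.

```shell
#!/bin/sh
# Added example (not the WireGuard project's code): keep wg-quick's
# anti-spoof rule in its own nft table so that reverting is a single
# "delete table". WG_TABLE is an assumed placeholder name.
set -eu

WG_TABLE="${WG_TABLE:-wg-quick-wg0}"

# Emit the ruleset as an nft script. Declaring the table, flushing it and
# then redefining it makes repeated loads idempotent (no duplicate rules),
# and `nft -f` applies the whole script as one atomic transaction.
wg_nft_ruleset() {
    cat <<EOF
table inet $1 {}
flush table inet $1
table inet $1 {
    chain input {
        type filter hook input priority 0; policy accept;
        fib daddr . iif type != { local, broadcast, multicast } drop
    }
}
EOF
}

# Load the ruleset from stdin (assumes an nft that accepts `-f -`).
wg_nft_add() {
    wg_nft_ruleset "$1" | nft -f -
}

# Remove the whole table, but only if it is still there: an nft user may
# already have deleted it, and `nft delete table` on a missing table fails.
wg_nft_delete() {
    if nft list table inet "$1" >/dev/null 2>&1; then
        nft delete table inet "$1"
    fi
}

case "${1:-}" in
    up)   wg_nft_add "$WG_TABLE" ;;
    down) wg_nft_delete "$WG_TABLE" ;;
esac
```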
_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard