I think in the end we'll ship the nftables code. Fedora is defaulting their stuff to nftables now [1][2]. That means systemd-networkd might need or want (speculation) to update their firewall-util.c [3] to support it. And knowing their attitudes on this sort of thing, that means they'll probably (speculation) sunset iptables support and start mandating nftables-enabled kernels. That in turn means non-nftables kernels will probably become fewer and fewer. Some readers on this list might vomit at that kind of reasoning, but I think it nonetheless might reflect a practical reality of the ecosystem that wg-quick(8) lives in. So at the moment, we'll support both iptables(8) and nft(8), preferring the latter if it exists.
[1] https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables
[2] https://fedoraproject.org/wiki/Changes/iptables-nft-default
[3] https://github.com/systemd/systemd/blob/master/src/shared/firewall-util.c
_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
