In Docker containers you cannot run `sysctl`, so it is not possible to run `sysctl -q net.ipv4.conf.all.src_valid_mark=1` from inside the container. However, you can set it when creating the container, with the Docker option `--sysctl net.ipv4.conf.all.src_valid_mark=1`.
This patch first checks whether `net.ipv4.conf.all.src_valid_mark` is already set before trying to set it. Otherwise `sysctl` fails in a Docker container, and `wg-quick` fails to start the interface.
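As an added example (not part of this patch or of wg-quick), the check-before-set idiom described above written as a standalone bash helper. It reads the value from `/proc/sys` directly, so it does not depend on a `sysctl` binary being present in the container, and it distinguishes "already set" (nothing to do) from "cannot read" and "cannot write", pointing the operator at `--sysctl` in the last case instead of failing silently. The function name `ensure_sysctl` and its optional third argument are assumptions of this example; the third argument only exists so the function can be exercised against a scratch directory instead of the live kernel.

```bash
#!/bin/bash
# ensure_sysctl KEY VALUE [PROCSYS_ROOT]
#   KEY          dotted sysctl name, e.g. net.ipv4.conf.all.src_valid_mark
#   VALUE        the value the key must have
#   PROCSYS_ROOT defaults to /proc/sys; a scratch directory for testing
# Returns 0 if the key already has VALUE or was set to it,
#         1 if it has another value and cannot be written,
#         2 if it cannot be read at all.
ensure_sysctl() {
    local key=$1 want=$2 root=${3:-/proc/sys}
    # net.ipv4.conf.all.src_valid_mark -> net/ipv4/conf/all/src_valid_mark
    local path="$root/${key//.//}" cur

    # Read without spawning sysctl(8); an unreadable or missing key is an
    # error of its own, not a reason to skip the check quietly.
    if ! read -r cur < "$path" 2>/dev/null; then
        echo "$key: cannot read $path" >&2
        return 2
    fi

    # Already set (e.g. the container was started with --sysctl KEY=VALUE):
    # nothing to write, so nothing that can fail.
    if [[ $cur == "$want" ]]; then
        return 0
    fi

    # Only attempt the write when the value actually differs; inside an
    # unprivileged container this is the call that fails.
    if ! printf '%s\n' "$want" > "$path" 2>/dev/null; then
        echo "$key: is $cur, cannot set to $want" >&2
        echo "  start the container with: docker run --sysctl $key=$want ..." >&2
        return 1
    fi
}

# Usage, as wg-quick would call it for an IPv4 default route (hypothetical):
#   ensure_sysctl net.ipv4.conf.all.src_valid_mark 1 || exit 1
```

Replacing the `sysctl -n` subshell with a read from `/proc/sys` keeps the decision in one place: a read failure is reported as such rather than producing an empty string that happens not to compare equal to `0`.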
From bb1e5da4dea2570f209ed461ff9cab4c5328df2a Mon Sep 17 00:00:00 2001 From: Dashamir Hoxha <[email protected]> Date: Thu, 15 Oct 2020 15:24:15 +0200 Subject: [PATCH] wg-quick: linux: fix sysctl inside a docker container Signed-off-by: Dashamir Hoxha <[email protected]> --- src/wg-quick/linux.bash | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash index e4d4c4f..44f79f1 100755 --- a/src/wg-quick/linux.bash +++ b/src/wg-quick/linux.bash @@ -237,7 +237,9 @@ add_default() { printf -v restore '%sCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker" printf -v nftcmd '%sadd rule %s %s postmangle meta l4proto udp mark %d ct mark set mark \n' "$nftcmd" "$pf" "$nftable" $table printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta mark set ct mark \n' "$nftcmd" "$pf" "$nftable" - [[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1 + if [[ $proto == -4 && $(sysctl -n net.ipv4.conf.all.src_valid_mark) == '0' ]]; then + cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1 + fi if type -p nft >/dev/null; then cmd nft -f <(echo -n "$nftcmd") else -- 2.25.1
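Review bot: the new condition in add_default() silently skips the set whenever the read fails, because `$(sysctl -n net.ipv4.conf.all.src_valid_mark)` then expands to an empty string, which is not `'0'`, so the interface comes up with the mark check unset and only the read's own error text on stderr hints at it. Comparing against `'1'` instead, as in `if [[ $proto == -4 && $(sysctl -n net.ipv4.conf.all.src_valid_mark 2>/dev/null) != '1' ]]; then`, keeps the new fast path when the value is already set and preserves the original behaviour (attempt the write and fail loudly) in every other case. Two smaller points: the read bypasses `cmd`, so unlike the write it is not echoed, and the commit message should state that the patch only helps when the container was started with `--sysctl net.ipv4.conf.all.src_valid_mark=1`; without that option the value is not 1, the write is still attempted, and it fails exactly as before.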
