wireguard: Don't use fwmarks for the gateways master
authorMichael Tremer <michael.tremer@ipfire.org>
Sun, 15 Jun 2025 12:52:28 +0000 (13:52 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Sun, 15 Jun 2025 12:54:57 +0000 (13:54 +0100)
This slightly conflicts with the reverse path filter which does not seem
to consider the mark and therefore does not resolve to the correct route.

There is not much benefit in using the mark, apart from its elegance, a
more accurate lookup, and the fact that it hid the direct route to the
gateway from the clients.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/initscripts/system/wireguard

index 00862743b66b61ab3502759f29f05cd347947abf..caaa69cb96081db46ee6878ff0bef7d1bceb7387 100644 (file)
@@ -27,9 +27,6 @@ shopt -s nullglob
 
 eval $(/usr/local/bin/readhash /var/ipfire/wireguard/settings)
 
-# Mark all packets coming out of the WireGuard interfaces
-WG_MARK="0x00800000"
-
 interfaces() {
        local id
        local enabled
@@ -223,7 +220,6 @@ generate_config() {
                fi
 
                echo "[Interface]"
-               echo "FwMark = ${WG_MARK}"
 
                if [ -n "${privkey}" ]; then
                        echo "PrivateKey = ${privkey}"
@@ -324,7 +320,7 @@ reload_firewall() {
 
        # Ensure that the table is being looked up
        if ! ip rule | grep -q "lookup wg"; then
-               ip rule add table wg fwmark "${WG_MARK}"
+               ip rule add table wg
        fi
 }
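Review bot: The new `ip rule add table wg` on the `+` line carries no selector and no explicit priority, so the kernel picks a priority relative to whatever rules exist when reload_firewall() runs; with the fwmark selector gone, every packet now traverses the wg table, which makes its position relative to other policy rules matter more than before. Pinning it, e.g. `ip rule add priority "${WG_RULE_PRIO}" table wg` with a fixed constant (variable name constructed here), keeps the lookup order deterministic across reboots and other scripts that add rules. The guard `grep -q "lookup wg"` is also a bare substring match and would presumably be satisfied by any table whose name begins with `wg`, so the rule could silently never be installed; anchoring the pattern to the table name is worth considering. reload_firewall() begins before this hunk.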