From: Michael Tremer
Date: Sun, 15 Jun 2025 12:52:28 +0000 (+0100)
Subject: wireguard: Don't use fwmarks for the gateways
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=baa22ec7a699eb8f5b73db54b9abfbf8580583ae;p=ipfire-2.x.git

wireguard: Don't use fwmarks for the gateways

This slightly conflicts with the reverse path filter which does not seem to consider the mark and therefore does not resolve to the correct route.

There is not too much benefit of using the mark, except its elegance, a more accurate lookup and that we were hiding a direct route to the gateway from the clients.

Signed-off-by: Michael Tremer
---
diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard
index 00862743b..caaa69cb9 100644
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -27,9 +27,6 @@ shopt -s nullglob
 eval $(/usr/local/bin/readhash /var/ipfire/wireguard/settings)
-# Mark all packets coming out of the WireGuard interfaces
-WG_MARK="0x00800000"
 interfaces() {
 	local id
 	local enabled
@@ -223,7 +220,6 @@ generate_config() {
 	fi
 	echo "[Interface]"
-	echo "FwMark = ${WG_MARK}"
 	if [ -n "${privkey}" ]; then
 		echo "PrivateKey = ${privkey}"
@@ -324,7 +320,7 @@ reload_firewall() {
 	# Ensure that the table is being looked up
 	if ! ip rule | grep -q "lookup wg"; then
-		ip rule add table wg fwmark "${WG_MARK}"
+		ip rule add table wg
 	fi
 }
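Review bot: The presence check `grep -q "lookup wg"` on the line above the changed `ip rule add` also matches the previous form of the rule (the one carrying fwmark 0x00800000), so on a system where that rule is still installed from before this change (a reload without a reboot) the new unconditional rule is never added, and once the interfaces stop marking packets the `wg` table is not consulted at all. Matching the exact new rule, `grep -q "from all lookup wg$"`, avoids this; removing a leftover marked rule would be a separate cleanup step. The new rule also carries no `pref`, so where it sits relative to any other policy rules depends on insertion order; `ip rule add table wg pref <PRIORITY>` (a fixed value chosen for this file) makes the lookup order deterministic across reloads. Since the rule now applies to every packet rather than only marked ones, a comment above it, `# No fwmark selector: all traffic is matched against the wg table`, would record that the table must only hold routes that are safe to expose to all traffic. reload_firewall() begins outside the hunk.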