From baa22ec7a699eb8f5b73db54b9abfbf8580583ae Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sun, 15 Jun 2025 13:52:28 +0100
Subject: [PATCH] wireguard: Don't use fwmarks for the gateways

This slightly conflicts with the reverse path filter which does not seem to consider the mark and therefore does not resolve to the correct route. There is not too much benefit of using the mark, except its elegance, a more accurate lookup and that we were hiding a direct route to the gateway from the clients.

Signed-off-by: Michael Tremer
---
 src/initscripts/system/wireguard | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard
index 00862743b..caaa69cb9 100644
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -27,9 +27,6 @@ shopt -s nullglob
 
 eval $(/usr/local/bin/readhash /var/ipfire/wireguard/settings)
 
-# Mark all packets coming out of the WireGuard interfaces
-WG_MARK="0x00800000"
-
 interfaces() {
 	local id
 	local enabled
@@ -223,7 +220,6 @@ generate_config() {
 	fi
 
 	echo "[Interface]"
-	echo "FwMark = ${WG_MARK}"
 
 	if [ -n "${privkey}" ]; then
 		echo "PrivateKey = ${privkey}"
@@ -324,7 +320,7 @@ reload_firewall() {
 
 	# Ensure that the table is being looked up
 	if ! ip rule | grep -q "lookup wg"; then
-		ip rule add table wg fwmark "${WG_MARK}"
+		ip rule add table wg
 	fi
 }
 
-- 
2.39.5
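Review bot: The unchanged guard directly above the new line, `if ! ip rule | grep -q "lookup wg"; then`, also matches the rule a previous version installed with the fwmark selector, so on a system that upgrades without rebooting the old `fwmark 0x00800000 lookup wg` rule survives the reload and the new unconditional `ip rule add table wg` is never executed; since this patch also stops writing `FwMark` into the interface config, no packet carries that mark any more and table wg is effectively never consulted until the next reboot. I would remove any stale rule before adding the new one instead of checking for its presence, e.g. replace the three guarded lines with `while ip rule del table wg 2>/dev/null; do :; done` followed by `ip rule add table wg priority <N>`, choosing an explicit priority so the rule's position relative to IPFire's other policy-routing rules does not depend on iproute2's automatic numbering. Note also that without the fwmark selector this rule now applies to every packet from every zone, which is the "direct route to the gateway" trade-off the description accepts; a one-line comment above the call saying so would save the next reader from re-adding the selector. reload_firewall() starts outside the hunk.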