xregcomp(®, regex, REG_EXTENDED);
+ cmd("iptables -D OUTPUT -m mark --mark 0x20000 -j ACCEPT -m comment --comment \"wireguard rule %s\"", iface);
+ cmd("ip6tables -D OUTPUT -m mark --mark 0x20000 -j ACCEPT -m comment --comment \"wireguard rule %s\"", iface);
cmd("ip link del %s", iface);
for (char *ret = cmd_ret(&c, "ip rule show"); ret; ret = cmd_ret(&c, NULL)) {
if (!regexec(®, ret, ARRAY_SIZE(matches), matches, 0)) {
*netid = random() & 0xfffe;
cmd("wg set %s fwmark 0x20000", iface);
+ cmd("iptables -I OUTPUT 1 -m mark --mark 0x20000 -j ACCEPT -m comment --comment \"wireguard rule %s\"", iface);
+ cmd("ip6tables -I OUTPUT 1 -m mark --mark 0x20000 -j ACCEPT -m comment --comment \"wireguard rule %s\"", iface);
cndc("interface setcfg %s up", iface);
cndc("network create %u vpn 1 1", *netid);
cndc("network interface add %u %s", *netid, iface);
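Review bot: The two added `-I OUTPUT 1` rules place an unconditional ACCEPT for mark 0x20000 ahead of every other OUTPUT rule, so any locally generated packet carrying that mark skips the filtering later in the chain, not only the tunnel's own encrypted traffic. Narrowing the match, for example with `-p udp` (the marked packets are presumably WireGuard's UDP datagrams), would keep the exemption to what it is meant for. The literal `0x20000` now appears in the `wg set %s fwmark` line, in these two inserts and in the two `-D` lines earlier in the patch, so a single named constant such as `#define WG_FWMARK "0x20000"` would keep set-up and teardown in step. The `-D` calls remove only one matching rule each and run before `ip link del %s`; if `cmd()` treats a non-zero exit as fatal (its definition is not visible here), a missing rule would leave the interface behind, and a repeated set-up would leave a stale ACCEPT after teardown. Both enclosing functions start and end outside the visible lines.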