[WireGuard] WireGuard module requires CONFIG_IP6_NF_IPTABLES

Ivan Labáth labawi-wg at matrix-dream.net
Mon Jul 18 23:37:24 CEST 2016


WireGuard seems like a nice simple tool. Much better than
IPsec (at least on linux). Thank you all who help develop it.

I have been trying to use WireGuard, unsuccessfully as it kept failing
to create a net device.

After a while I have traced it to the following line in ratelimiter.c:

>        ratelimiter->v6_match = xt_request_find_match(NFPROTO_IPV6, "hashlimit", 1);
>        if (IS_ERR(ratelimiter->v6_match)) {
>                pr_err("The xt_hashlimit module is required");
>                module_put(ratelimiter->v4_match->me);
>                return PTR_ERR(ratelimiter->v6_match);
>        }

Long story short, xt_hashlimit only builds the IPV6 version
if CONFIG_IP6_NF_IPTABLES is enabled (either module or builtin),
as in:
and I didn't have it enabled. I didn't have it enabled as I used

I would suggest changing the above pr_err to something like:
> pr_err("The xt_hashlimit module with CONFIG_IP6_NF_IPTABLES=[ym] is required");
At this point in execution, xt_haslimit module is present as the IPv4 version succeeded.

Also, it would be appropriate to include it here
and possibly test for it in packages.

Ivan Labáth

More information about the WireGuard mailing list