[WireGuard] WireGuard module requires CONFIG_IP6_NF_IPTABLES
Ivan Labáth
labawi-wg at matrix-dream.net
Mon Jul 18 23:37:24 CEST 2016
Hello,
WireGuard seems like a nice simple tool. Much better than
IPsec (at least on linux). Thank you all who help develop it.
I have been trying to use WireGuard, unsuccessfully as it kept failing
to create a net device.
After a while I have traced it to the following line in ratelimiter.c:
> ratelimiter->v6_match = xt_request_find_match(NFPROTO_IPV6, "hashlimit", 1);
> if (IS_ERR(ratelimiter->v6_match)) {
> pr_err("The xt_hashlimit module is required");
> module_put(ratelimiter->v4_match->me);
> return PTR_ERR(ratelimiter->v6_match);
> }
Long story short, xt_hashlimit only builds the IPV6 version
if CONFIG_IP6_NF_IPTABLES is enabled (either module or builtin),
as in:
> #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
and I didn't have it enabled. I didn't have it enabled as I used
nftables.
I would suggest changing the above pr_err to something like:
> pr_err("The xt_hashlimit module with CONFIG_IP6_NF_IPTABLES=[ym] is required");
At this point in execution, xt_haslimit module is present as the IPv4 version succeeded.
Also, it would be appropriate to include it here
https://www.wireguard.io/install/#kernel-requirements
and possibly test for it in packages.
Regards,
Ivan Labáth
More information about the WireGuard
mailing list