[PATCH] wg-quick: linux: add support for nft and prefer it

Jason A. Donenfeld Jason at zx2c4.com
Thu Dec 12 12:21:05 CET 2019


I think in the end we'll ship the nftables code. Fedora is defaulting
their stuff to nftables now [1][2]. That means systemd-networkd might
need or want (speculation) to update their firewall-util.c [3] to
support it. And knowing their attitudes on this sort of thing, that
means they'll probably (speculation) sunset iptables support and start
mandating nftables-enabled kernels. That in turn means non-nftables
kernels will probably become fewer and fewer. Some readers on this
list might vomit at that kind of reasoning, but I think it nonetheless
might reflect a practical reality of the ecosystem that wg-quick(8)
lives in. So at the moment, we'll support both iptables(8) and nft(8),
preferring the latter if it exists.

[1] https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables
[2] https://fedoraproject.org/wiki/Changes/iptables-nft-default
[3] https://github.com/systemd/systemd/blob/master/src/shared/firewall-util.c
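An added illustration of the selection policy stated above (support both iptables(8) and nft(8), prefer nft when present); this is example shell code written for this page, not wg-quick's own implementation. It goes one step beyond the message: rather than preferring nft merely because the binary exists, it also checks that the tool can talk to the running kernel, since an nft binary on a kernel without nf_tables support would otherwise be picked and then fail at rule-load time. The helper names `probe_tool` and `select_fw_tool`, and the injectable probe argument, are assumptions made for this example; the ruleset-listing commands used as probes are the real ones for each tool.

```sh
#!/bin/sh
# Example code for this page, not wg-quick(8)'s code. Implements "use nft if it
# works, otherwise iptables", with a kernel-backend check on top of mere presence.

# probe_tool TOOL: exit 0 if TOOL is on PATH and can read the kernel's ruleset.
# Both probes need CAP_NET_ADMIN (root), which is the context wg-quick runs in.
probe_tool() {
    case "$1" in
        nft)      command -v nft >/dev/null 2>&1 && nft list ruleset >/dev/null 2>&1 ;;
        iptables) command -v iptables >/dev/null 2>&1 && iptables -S >/dev/null 2>&1 ;;
        *)        return 1 ;;
    esac
}

# select_fw_tool [PROBE]: print the first usable tool in preference order
# (nft first, iptables second) and return 0; return 1 if neither is usable.
# PROBE is the name of a function taking a tool name; it defaults to probe_tool
# and can be replaced so the selection logic can be exercised without root.
select_fw_tool() {
    probe="${1:-probe_tool}"
    for tool in nft iptables; do
        if "$probe" "$tool"; then
            printf '%s\n' "$tool"
            return 0
        fi
    done
    echo "neither nft(8) nor iptables(8) is usable on this system" >&2
    return 1
}

# Usage (as root, so the kernel probes can run):
#   tool=$(select_fw_tool) && echo "using $tool"
```

Making the probe injectable is what lets the preference order be tested on a machine without root or without either tool installed; in production the default probe is used and the decision is made once, at interface bring-up.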

