[PATCH] wg-quick: linux: raise priority for mangle nft chain

Dominique Martinet asmadeus at codewreck.org
Mon May 4 13:27:27 CEST 2020


Setting the mark must be done as early as possible in case there are
ipv6 rpfilter rules in the mangle table (a nft filter could be done
later, but with ip6tables this is the latest it can be checked).
The mark must be set before the return path check for it to work correctly.

Priority -160 gets rendered as "mangle - 10" in nft list table,
and will correctly set the mark before other mangle prerouting rules
if there are any, and the same as before if there aren't.

Signed-off-by: Dominique Martinet <asmadeus at codewreck.org>
---
Well, no more answers on the RFC thread, so resending as a proper patch with SOB.

Regarding the postrouting hook, I'll stick to the same -150 as described
in my answer in the other thread: I do not see any use case for it, so it is
safer to leave it untouched for me.

Thanks,

 src/wg-quick/linux.bash | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index 7c2c002..9001c6a 100755
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -222,7 +222,7 @@ add_default() {
 	local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd 
 	printf -v nftcmd '%sadd table %s %s\n' "$nftcmd" "$pf" "$nftable"
 	printf -v nftcmd '%sadd chain %s %s preraw { type filter hook prerouting priority -300; }\n' "$nftcmd" "$pf" "$nftable"
-	printf -v nftcmd '%sadd chain %s %s premangle { type filter hook prerouting priority -150; }\n' "$nftcmd" "$pf" "$nftable"
+	printf -v nftcmd '%sadd chain %s %s premangle { type filter hook prerouting priority -160; }\n' "$nftcmd" "$pf" "$nftable"
 	printf -v nftcmd '%sadd chain %s %s postmangle { type filter hook postrouting priority -150; }\n' "$nftcmd" "$pf" "$nftable"
 	while read -r line; do
 		[[ $line =~ .*inet6?\ ([0-9a-f:.]+)/[0-9]+.* ]] || continue
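Review bot: the new -160 for the premangle chain is unexplained in linux.bash itself, while the postmangle chain on the next line stays at -150, so anyone reading the script without this commit message will see the two values as inconsistent or as a typo. Add a one-line comment above the changed printf stating why the prerouting chain must run before the stock mangle hook (the fwmark has to be set before an ipv6 rpfilter rule in the mangle table checks it; -160 lists as "mangle - 10" in nft), and that postrouting is deliberately left at -150. It is also worth stating, here or in the commit message, that the old -150 was the same priority as the mangle hook itself, so ordering relative to an ip6tables mangle PREROUTING chain was not guaranteed; -160 makes the chain run strictly earlier.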
-- 
2.26.2