[PATCH] wg-quick: check if nftables is functional before using it
Tristan
trigus42.dev at gmail.com
Thu Apr 17 21:50:44 UTC 2025
Currently, wg-quick only checks if the nft binary exists before attempting
to use nftables. This can lead to failures when the binary exists but the
required kernel modules aren't loaded.
This change adds a functionality check using 'nft list ruleset' to verify
nftables is operational before attempting to use it, falling back to
iptables if nftables is non-functional.
---
src/wg-quick/linux.bash | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index 4193ce5..55b1850 100755
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -238,7 +238,7 @@ add_default() {
printf -v nftcmd '%sadd rule %s %s postmangle meta l4proto udp mark %d
ct mark set mark \n' "$nftcmd" "$pf" "$nftable" $table
printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta
mark set ct mark \n' "$nftcmd" "$pf" "$nftable"
[[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
- if type -p nft >/dev/null; then
+ if type -p nft >/dev/null && nft list ruleset &>/dev/null; then
cmd nft -f <(echo -n "$nftcmd")
else
echo -n "$restore" | cmd $iptables-restore -n
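Review bot: The new probe on the `if` line runs outside `cmd`, so when `nft list ruleset` fails the fallback to iptables is silent and there is no trace in the `[#]` command log of why nft was skipped; consider emitting a short diagnostic (e.g. "nft present but not functional, falling back to iptables") before taking the else branch, since a host that lacks both working nftables and iptables will otherwise fail only at `$iptables-restore` with no hint of the nft result. Also, `nft list ruleset` dumps the entire ruleset just to test liveness; `nft list tables` is a lighter probe that exercises the same nf_tables kernel path, and because add_default is invoked once per default route the check is repeated, so caching its result in a variable would avoid re-running it.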
--
2.47.0