From 78e02134e7c58654c29d6c155a362261a4ab3f36 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Sat, 19 Jul 2025 12:01:24 +0200
Subject: [PATCH] firewall: do track wireguard connections not meant for us

Oops. Connection tracking is disabled for our wireguard connections because of source address mangling. We still need to track outside connections to allow inbound reply packets through the firewall.
---
 roles/firewall/templates/nftables.nft.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/firewall/templates/nftables.nft.j2 b/roles/firewall/templates/nftables.nft.j2
index bc45c0b..bd37e3a 100644
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
@@ -149,7 +149,7 @@ table inet filter {
 table inet wireguard {
 chain input {
 type filter hook prerouting priority raw; policy accept
- udp dport 51820 notrack \
+ ip daddr {{ wg_ip | ipaddr('address') }} udp dport 51820 notrack \
 comment "Disable connection tracking for wireguard"
 }
 chain output {
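Review bot: `ip daddr` in the new rule matches only IPv4 inside this `inet` table, so if `wg_ip` can ever be an IPv6 address, or the host also accepts WireGuard over IPv6, the notrack exemption silently stops applying (and an IPv6 value would not parse in an `ip daddr` expression); a parallel `ip6 daddr` rule, or rendering the family from the address, would cover that. The matching rule in `chain output` starts at the end of the hunk and its body is outside the view: if it still reads `udp sport 51820 notrack` unconditionally, locally originated packets of connections not meant for this host also bypass conntrack, so it presumably needs the symmetric `ip saddr {{ wg_ip | ipaddr('address') }}` restriction for the commit's intent to hold end to end. The continuation line's comment still describes the old, unconditional scope; `comment "Disable connection tracking for wireguard to this host"` would keep it accurate. The bare `ipaddr` filter is the deprecated spelling of `ansible.utils.ipaddr`; worth confirming the Ansible version rendering this template still resolves it.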