From 5179edb4582edd973ffdb1ccc96129fbac103b2d Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 13 Mar 2022 15:15:08 +0100
Subject: [PATCH] bundles/wireguard: fix forwarding firewall rules

---
 bundles/wireguard/metadata.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py
index 573aa4e..35067d2 100644
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@@ -221,12 +221,11 @@ def snat(metadata):
     if not node.has_bundle('nftables') or node.os == 'arch':
         raise DoNotRunAgain
 
-    rules = {
-        'inet filter forward iif wg0 accept',
-        'inet filter forward oif wg0 accept',
-    }
+    rules = set()
+    for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())):
+        rules.add(f'inet filter forward iif wg{number} accept')
+        rules.add(f'inet filter forward oif wg{number} accept')
 
-    for config in metadata.get('wireguard/peers', {}).values():
         if 'snat_to' in config:
             rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format(
                 config['my_ip'],
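Review bot: The wgN index in the new `for number, (peer, config) in enumerate(sorted(...))` line is derived by re-sorting the peer names inside this function, so the `inet filter forward iif/oif wg{number} accept` rules only open the intended interface if the interfaces themselves are numbered by the same sorted enumeration elsewhere in the bundle (not visible in this hunk), and adding or removing a peer shifts every later index; this coupling deserves a comment such as `# wg{N} index must match the interface numbering used where the interfaces are created`. The unpacked `peer` is never used, so `for number, (_, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())):` states the intent more plainly. The `if 'snat_to' in config:` block now sits inside the enumerate loop after a blank line, which is valid but reads as a separate statement at first glance; the rest of snat() continues beyond the hunk.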