bundles/wireguard: fix forwarding firewall rules

bundles/wireguard/metadata.py

@@ -221,12 +221,11 @@ def snat(metadata):
     if not node.has_bundle('nftables') or node.os == 'arch':
         raise DoNotRunAgain
 
-    rules = {
+    rules = set()
-        'inet filter forward iif wg0 accept',
+    for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())):
-        'inet filter forward oif wg0 accept',
+        rules.add(f'inet filter forward iif wg{number} accept')
-    }
+        rules.add(f'inet filter forward oif wg{number} accept')
 
-    for config in metadata.get('wireguard/peers', {}).values():
         if 'snat_to' in config:
             rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format(
                 config['my_ip'],