# Custom wg-easy with iptables-nft (nftables-backed iptables)
# Fixes crash-loop when host kernel lacks legacy iptable_nat module.
FROM weejewel/wg-easy:latest

# Alpine's iptables-nft provides iptables that uses nftables kernel API
# instead of the legacy iptable_nat module. This works on kernels
# where only nftables netfilter modules are available.
RUN apk add --no-cache iptables-nft

# Ensure iptables-nft takes priority over legacy iptables
RUN ln -sf /sbin/iptables-nft /sbin/iptables && \
    ln -sf /sbin/iptables-nft-save /sbin/iptables-save && \
    ln -sf /sbin/iptables-nft-restore /sbin/iptables-restore && \
    ln -sf /sbin/ip6tables-nft /sbin/ip6tables && \
    ln -sf /sbin/ip6tables-nft-save /sbin/ip6tables-save && \
    ln -sf /sbin/ip6tables-nft-restore /sbin/ip6tables-restore