I have this iptables rule that comes with my autogenerated WireGuard config as a PostUp rule. I tried to figure out each step of the rule. But neither the manual nor a search engine would tell me what the %i means behind the -o/--out-interface option. I guess it’s a lookup or wildcard for the interface name.

iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

It doesn’t mean anything to iptables. It comes from wg-quick, which replaces each %i in a PostUp command with the actual WireGuard interface name currently being configured.
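
To check what an autogenerated config will run as root before bringing the tunnel up, the substitution described above can be reproduced by hand. This is an added example, not part of the original answer and not wg-quick's own code; `expand_hooks`, `sample_config`, the interface name `wg0` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not wg-quick's own code): preview hook commands with %i
# expanded, without executing anything.

# expand_hooks IFACE  -- reads a wg-quick config on stdin and prints every
# PreUp/PostUp/PreDown/PostDown command with %i replaced by IFACE.
# Assumption: keys are written exactly as spelled in the pattern below.
expand_hooks() {
    iface=$1
    # Accept only the characters wg-quick allows in an interface name
    # (max 15 chars); this also keeps the sed replacement below safe.
    case $iface in
        ''|*[!a-zA-Z0-9_=+.-]*)
            echo "invalid interface name: $iface" >&2
            return 1 ;;
    esac
    if [ "${#iface}" -gt 15 ]; then
        echo "interface name too long: $iface" >&2
        return 1
    fi
    # Substitute first, then print only hook lines. Shell constructs such as
    # $(...) are left untouched: the shell evaluates them when the hook runs.
    sed -n -E \
        -e "s/%i/$iface/g" \
        -e "s/^[[:space:]]*(PreUp|PostUp|PreDown|PostDown)[[:space:]]*=[[:space:]]*(.*)\$/\1: \2/p"
}

# Constructed sample config: the PostUp line is the rule from the question;
# the PreDown line, address and key placeholder are made up for illustration.
sample_config() {
    cat <<'EOF'
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.0.0.2/32
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <placeholder-public-key>
AllowedIPs = 0.0.0.0/0
EOF
}

sample_config | expand_hooks wg0
```

The interface name wg-quick substitutes is taken from the config file name, so `/etc/wireguard/wg0.conf` yields `wg0`.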

