From c972094f59ca74cf7de9b26b8120622146042aba Mon Sep 17 00:00:00 2001
From: Alexandre <44178713+alexbelgium@users.noreply.github.com>
Date: Mon, 22 Dec 2025 08:53:18 +0100
Subject: [PATCH] Handle WireGuard sysctl failure on read-only hosts

---
 qbittorrent/CHANGELOG.md                              |  3 +++
 qbittorrent/config.yaml                               |  2 +-
 .../rootfs/etc/s6-overlay/s6-rc.d/svc-qbittorrent/run | 11 +++++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/qbittorrent/CHANGELOG.md b/qbittorrent/CHANGELOG.md
index 9e2fda820..cfbb89e08 100644
--- a/qbittorrent/CHANGELOG.md
+++ b/qbittorrent/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 5.1.4-4 (30-12-2025)
+- Allow WireGuard to continue when src_valid_mark sysctl cannot be set on read-only hosts
+
 ## 5.1.4-3 (22-12-2025)
 - Minor bugs fixed
 
diff --git a/qbittorrent/config.yaml b/qbittorrent/config.yaml
index 2bf84e229..0bd08ec32 100644
--- a/qbittorrent/config.yaml
+++ b/qbittorrent/config.yaml
@@ -144,4 +144,4 @@ schema:
 slug: qbittorrent
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: 5.1.4-3
+version: 5.1.4-4
diff --git a/qbittorrent/rootfs/etc/s6-overlay/s6-rc.d/svc-qbittorrent/run b/qbittorrent/rootfs/etc/s6-overlay/s6-rc.d/svc-qbittorrent/run
index 605d5171d..b0f1a99cf 100644
--- a/qbittorrent/rootfs/etc/s6-overlay/s6-rc.d/svc-qbittorrent/run
+++ b/qbittorrent/rootfs/etc/s6-overlay/s6-rc.d/svc-qbittorrent/run
@@ -55,6 +55,17 @@ _setup_wireguard() {
 
         if [ "${status}" -eq 0 ]; then return 0; fi
 
+        # Allow sysctl failures on read-only hosts while keeping the interface up
+        if echo "${output}" | grep -qi 'net\.ipv4\.conf\.all\.src_valid_mark=1'; then
+            if echo "${output}" | grep -qiE 'read-only file system|operation not permitted'; then
+                if ip link show "${wireguard_interface}" >/dev/null 2>&1; then
+                    bashio::log.warning 'WireGuard applied but sysctl net.ipv4.conf.all.src_valid_mark=1 could not be set (read-only). Continuing.'
+                    status=0
+                    return 0
+                fi
+            fi
+        fi
+
         # Check for iptables errors and try legacy fallback
         if echo "${output}" | grep -qiE 'iptables-restore|ip6tables-restore|xtables'; then
             if command -v iptables-legacy >/dev/null 2>&1; then