[WireGuard] Is nf_conntrack really needed?

Baptiste Jonglez baptiste at bitsofnetworks.org
Tue Nov 22 13:17:48 CET 2016


I stumbled upon a build error on LEDE, which was caused by a missing
dependency on nf-conntrack (and possibly nf-conntrack6).

I see that NF_CONNTRACK is used in only one place in device.c, and it has been
unconditionally required since 3106d632de ("build system: revamp building
and configuration").

Is the unconditional dependency really needed?  nf-conntrack{,6}
introduces another 50 KB of dependencies on LEDE, which means a ~50%
increase in the amount of flash needed.

By the way, nf-conntrack is already required to do NAT, so this discussion
is only relevant for (hypothetical) people building their own LEDE images
without NAT support.
