[WireGuard] Is nf_conntrack really needed?

Jason A. Donenfeld Jason at zx2c4.com
Tue Nov 22 17:08:02 CET 2016


Hey,

In fact, it's not needed if it's not needed. How to explain this
apparent tautology?

If conntracking is compiled into the kernel, then for ICMP, I need to
ask conntracking if it has possibly mangled the src IP of the packet
before giving it to the wireguard device. If conntracking isn't
compiled into the kernel, then there's nobody to ask and probably the
packet wasn't mangled, in which case, I don't need to do anything. So,
the following patch makes conntrack optional:

https://git.zx2c4.com/WireGuard/commit/?id=c90fba009d70eedac614d77ad3494ed450b2995e

This will be included in the next snapshot.

Jason
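The decision the message describes, as an added userspace model (this is not WireGuard's code and not the kernel's conntrack API; the packet and conntrack-entry structs, the `src_for_device` function and the use of `CONFIG_NF_CONNTRACK` as a plain preprocessor symbol are all constructed for this illustration). It shows the two builds: with the symbol defined, the ICMP path consults the conntrack entry and restores the pre-NAT source address; with the symbol removed, the lookup is compiled out and the packet's own source address is passed through unchanged.

```c
/* Userspace model of "ask conntrack whether it mangled the source
 * address before handing an ICMP packet to the tunnel device".
 * Added example; struct layouts and names are constructed here and
 * are not the kernel's nf_conn / sk_buff definitions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel build option. Delete this line to model a
 * kernel built without connection tracking: the lookup below is then
 * compiled out entirely and nothing is asked or undone. */
#define CONFIG_NF_CONNTRACK 1

#define MODEL_IPPROTO_ICMP 1
#define MODEL_IPPROTO_UDP 17

/* Just enough of a packet for this decision: L4 protocol and the
 * source address as it appears after any NAT, in host byte order. */
struct model_pkt {
    uint8_t proto;
    uint32_t saddr;
};

/* Minimal conntrack entry: whether source NAT was applied to this
 * flow, and the original (pre-NAT) source address. */
struct model_ct {
    bool src_nat;
    uint32_t orig_saddr;
};

/* Build a host-order IPv4 address from dotted components. */
static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

#ifdef CONFIG_NF_CONNTRACK
/* Conntrack is compiled in, so it may have rewritten the source of an
 * ICMP packet. If it did, the device should see the original address;
 * otherwise (no entry, no SNAT, or a non-ICMP packet) use what is on
 * the wire. ct may be NULL when conntrack has no entry for the flow. */
static uint32_t src_for_device(const struct model_pkt *pkt,
                               const struct model_ct *ct)
{
    if (pkt->proto == MODEL_IPPROTO_ICMP && ct != NULL && ct->src_nat)
        return ct->orig_saddr;
    return pkt->saddr;
}
#else
/* Conntrack is not compiled in: nobody could have mangled the packet,
 * so there is nobody to ask and the source address is used as-is. */
static uint32_t src_for_device(const struct model_pkt *pkt,
                               const struct model_ct *ct)
{
    (void)ct;
    return pkt->saddr;
}
#endif

int main(void)
{
    /* Constructed sample: an ICMP packet whose source was SNATed from
     * 10.0.0.7 to 192.0.2.1, plus the matching conntrack entry. */
    struct model_pkt icmp = { MODEL_IPPROTO_ICMP, ip4(192, 0, 2, 1) };
    struct model_ct ct = { true, ip4(10, 0, 0, 7) };
    uint32_t s = src_for_device(&icmp, &ct);
    printf("source seen by device: %u.%u.%u.%u\n",
           s >> 24, (s >> 16) & 0xff, (s >> 8) & 0xff, s & 0xff);
    return 0;
}
```

With `CONFIG_NF_CONNTRACK` defined the program reports 10.0.0.7; with the define removed the same input reports 192.0.2.1, which is the "nothing to ask, nothing to do" case the message describes.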
