[WireGuard] Is nf_conntrack really needed?

Jason A. Donenfeld Jason at zx2c4.com
Tue Nov 22 17:08:02 CET 2016


In fact, it's not needed if it's not needed. How to explain this
apparent tautology?

If conntracking is compiled into the kernel, then for ICMP, I need to
ask conntracking if it's possibly mangled the src IP of the packet
before giving it to the wireguard device. If conntracking isn't
compiled into the kernel, then there's nobody to ask and probably the
packet wasn't mangled, in which case, I don't need to do anything. So,
the following patch makes conntrack optional:


This will be included in the next snapshot.