Regarding "Inferring and hijacking VPN-tunneled TCP connections"
Vasili Pupkin
diggest at gmail.com
Fri Dec 6 17:03:54 CET 2019
On 06.12.2019 18:08, Jason A. Donenfeld wrote:
> On Fri, Dec 6, 2019 at 4:06 PM Jordan Glover
> <Golden_Miller83 at protonmail.ch> wrote:
>> On Thursday, December 5, 2019 8:24 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>>
>>> If we can make nft coexistence work reliably, perhaps we can run the
>>> nft rule on systems where the nft binary simply exists.
>>>
>> Will this work correctly on systems where the nft binary exists but only
>> iptables rules are used?
> That's what I meant by, "if we can make nft coexistence work reliably."
>
Take a look at the table on the bottom of this page
https://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F
On my system their rules coexist fine. Both nftables and iptables are
just high-level interfaces to kernel netfilter hooks after all; if
either of them drops the packet then the packet is dropped. It is also
possible to write the same filter using iptables, not as easy and not as
beautiful as nft though. Finally, WireGuard can do this directly,
interacting with netfilter, as the last resort.

I'd like it if kernel developers reconsidered the default system behavior on
this... It is so stupid that the system exposes all its IPs on all
interfaces by default. But Linus doesn't like patches that break things,
and this will break some bad network setups, yes weak and insecure but
still.
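As an added illustration of the point above (not code from the thread or from the WireGuard project): the same "drop packets addressed to the tunnel IP that arrive on a non-tunnel interface" filter written once for nftables and once for iptables, with backend selection on whether the nft binary exists. The table name `wg-filter`, interface `wg0` and address `10.0.0.2` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Both programs are frontends to the
# same netfilter hooks, so whichever one installs the drop rule, the packet
# is dropped before it reaches the TCP stack. Names and addresses are assumed.

# nftables form: a prerouting chain in its own table (so it coexists with
# whatever iptables rules the system already has). Packets to the tunnel
# address arriving on any other interface are dropped, unless the source is
# a local address, so traffic the host generates itself is unaffected.
tunnel_filter_nft() {
    iface=$1; addr=$2; table=${3:-wg-filter}
    printf '%s\n' \
        "nft add table ip $table" \
        "nft add chain ip $table preraw '{ type filter hook prerouting priority -300; }'" \
        "nft add rule ip $table preraw iifname != \"$iface\" ip daddr $addr fib saddr type != local drop"
}

# iptables form of the same filter: the raw table is the earliest hook
# iptables offers, and addrtype ! --src-type LOCAL mirrors the fib check.
tunnel_filter_iptables() {
    iface=$1; addr=$2
    printf '%s\n' \
        "iptables -t raw -I PREROUTING ! -i $iface -d $addr -m addrtype ! --src-type LOCAL -j DROP"
}

# Prefer nft when the binary exists (the policy debated above); since an nft
# drop takes effect regardless of which tool manages the rest of the
# ruleset, this is safe on a system that otherwise only uses iptables.
# With DRY_RUN=1 the commands are printed instead of executed.
install_tunnel_filter() {
    iface=$1; addr=$2
    if command -v nft >/dev/null 2>&1; then
        cmds=$(tunnel_filter_nft "$iface" "$addr")
    else
        cmds=$(tunnel_filter_iptables "$iface" "$addr")
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | while IFS= read -r c; do eval "$c"; done
    fi
}
```

Run as root with `install_tunnel_filter wg0 10.0.0.2`, or with `DRY_RUN=1` first to review the exact commands that would be applied.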