Regarding "Inferring and hijacking VPN-tunneled TCP connections"

Vasili Pupkin diggest at
Fri Dec 6 17:03:54 CET 2019

On 06.12.2019 18:08, Jason A. Donenfeld wrote:
> On Fri, Dec 6, 2019 at 4:06 PM Jordan Glover
> <Golden_Miller83 at> wrote:
>> On Thursday, December 5, 2019 8:24 PM, Jason A. Donenfeld <Jason at> wrote:
>>> If we can make nft coexistance work reliably, perhaps we can run the
>>> nft rule on systems where the nft binary simply exists.
>> Will this work correctly on systems where nft binary exist but only
>> iptables rules are used?
> That's what I meant by, "if we can make nft coexistance work reliably."

Take a look at the table on the bottom of this page

On my system their rules coexist fine. Both nftables and iptables are 
just high level interfaces to kernel netfilter hooks after all, if 
either of them drop the packet then the packet is dropped. It is also 
possible to write the same filter using iptables, not as easy and not as 
beautiful as nft though. Finally wireguard can do this directly 
interacting with netfilter as the last resort.

I'd like if kernel developers reconsider the default system behavior on 
this... It is so stupid that the system expose all its IPs on all 
interfaces by default. But Linus don't like patches that break things 
and this will break some bad network setups, yes weak and insecure but 

More information about the WireGuard mailing list