Regarding "Inferring and hijacking VPN-tunneled TCP connections"

Jordan Glover Golden_Miller83 at protonmail.ch
Fri Dec 6 17:12:19 CET 2019


On Friday, December 6, 2019 4:03 PM, Vasili Pupkin <diggest at gmail.com> wrote:

> On 06.12.2019 18:08, Jason A. Donenfeld wrote:
>
> > On Fri, Dec 6, 2019 at 4:06 PM Jordan Glover
> > Golden_Miller83 at protonmail.ch wrote:
> >
> > > On Thursday, December 5, 2019 8:24 PM, Jason A. Donenfeld Jason at zx2c4.com wrote:
> > >
> > > > If we can make nft coexistence work reliably, perhaps we can run the
> > > > nft rule on systems where the nft binary simply exists.
> > >
> > > Will this work correctly on systems where the nft binary exists but only
> > > iptables rules are used?
> > > That's what I meant by, "if we can make nft coexistence work reliably."
>
> Take a look at the table on the bottom of this page
> https://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F
>
> On my system their rules coexist fine. Both nftables and iptables are
> just high-level interfaces to kernel netfilter hooks after all; if
> either of them drops the packet then the packet is dropped. It is also
> possible to write the same filter using iptables, not as easy and not as
> beautiful as nft though. Finally, WireGuard can do this by interacting
> with netfilter directly as a last resort.

But the nft rule won't be visible from iptables tools like iptables-save,
right? This may be confusing for people who still use iptables to set up
the firewall on their systems.

Jordan
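An added example, not from this thread and not WireGuard's own scripts, showing what Vasili and Jordan are discussing: the same prerouting filter written once for nft and once for iptables, plus the commands that reveal where each one is listed. The rule body (drop packets that arrive on a non-tunnel interface, are addressed to the tunnel address, and do not carry a locally configured source address) is an illustration of the kind of filter meant; the thread itself does not show the rule. The interface name wg0, the address 10.0.0.2 and the table name wg-guard-* are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the WireGuard project). The guard
# filter below is illustrative; interface, address and table name are
# hypothetical placeholders that can be overridden via the environment.
WG_IF="${WG_IF:-wg0}"
WG_ADDR="${WG_ADDR:-10.0.0.2}"

# nft form: a private table with a prerouting chain at raw priority (-300).
# Drop anything that arrives on a non-tunnel interface, is addressed to the
# tunnel IP, and does not come from a locally configured source address.
nft_guard_rules() {
    iface="$1"; addr="$2"
    printf 'add table ip wg-guard-%s\n' "$iface"
    printf 'add chain ip wg-guard-%s preraw { type filter hook prerouting priority -300; }\n' "$iface"
    printf 'add rule ip wg-guard-%s preraw iifname != "%s" ip daddr %s fib saddr type != local drop\n' "$iface" "$iface" "$addr"
}

# iptables form of the same match: raw table PREROUTING (same hook and
# priority as above), with the addrtype match expressing "source is not a
# local address".
iptables_guard_rule() {
    iface="$1"; addr="$2"
    printf 'iptables -t raw -I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP\n' "$iface" "$addr"
}

# Where each form shows up: iptables-save only dumps the tables iptables
# manages, so the nft-installed table is listed only by nft.
show_rules_cmds() {
    iface="$1"
    printf 'nft list table ip wg-guard-%s\n' "$iface"
    printf 'iptables-save -t raw\n'
}

case "${1:-print}" in
    apply-nft)  nft_guard_rules "$WG_IF" "$WG_ADDR" | nft -f - ;;
    apply-ipt)  sh -c "$(iptables_guard_rule "$WG_IF" "$WG_ADDR")" ;;
    check)      show_rules_cmds "$WG_IF" | sh ;;
    *)          nft_guard_rules "$WG_IF" "$WG_ADDR"
                iptables_guard_rule "$WG_IF" "$WG_ADDR" ;;
esac
```

Run it with no arguments to print both forms; as root, `apply-nft` or `apply-ipt` installs one of them and `check` lists the result. After `apply-nft`, `iptables-save -t raw` comes back without the rule while `nft list table ip wg-guard-wg0` shows it; after `apply-ipt`, both tools show it (with the iptables-nft backend, `nft list ruleset` also shows the raw table). That asymmetry is the visibility gap Jordan raises.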

