Feature request: tag incoming packets

Matthias Urlichs matthias.urlichs at noris.de
Sun Jan 31 14:07:39 UTC 2021


Hello,

the problem: given a wireguard interface with many peers, all with
different network addresses and whatnot. I want to do ingress traffic
accounting and some special filtering.

Adding an incoming filter that re-classifies all incoming packets to its
customer account seems like a lot of superfluous work, and the whole
thing seems somewhat fragile.

It'd be way nicer if wireguard had a per-peer netfilter tag which it
would simply set on all incoming packets from that peer. Examining that
in my netfilter tables would then cause no superfluous CPU load, and
updates to peer status would be atomic and not risk colliding with other
processes' update of nftables.

--
-- Matthias Urlichs


--
Matthias Urlichs
Executive Principal Solution Architect (Linux)

noris network AG
Thomas-Mann-Straße 16-20
90471 Nürnberg
Deutschland

Tel +49 911 9352 1717
Fax +49 911 9352 100
Email matthias.urlichs at noris.de

noris network AG - Mehr Leistung als Standard
Vorstand: Ingo Kraupa (Vorsitzender), Joachim Astel, Stefan Keller, Florian Sippel
Vorsitzender des Aufsichtsrats: Stefan Schnabel - AG Nürnberg HRB 17689
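
The workaround the message describes (an incoming filter that re-classifies packets per customer) can be generated from the interface's peer list, because WireGuard only accepts a decrypted packet whose inner source address falls within the sending peer's allowed IPs. The sketch below is an added example, not part of the original post or of WireGuard; the table name `wgacct`, the chain and map names, the mark values and the peer keys are assumptions, and the sample `wg show wg0 allowed-ips` output is constructed.

```python
import ipaddress

# Constructed sample of `wg show wg0 allowed-ips` output: public key, a tab,
# then space-separated allowed IPs. The keys are placeholders, not real keys.
SAMPLE_WG_OUTPUT = (
    "PEERKEYAAAA=\t10.0.0.2/32 fd00::2/128\n"
    "PEERKEYBBBB=\t10.0.1.0/24\n"
    "PEERKEYCCCC=\t(none)\n"
)
# Hypothetical operator-maintained mapping: peer public key -> accounting mark.
ACCOUNT_MARKS = {"PEERKEYAAAA=": 0x101, "PEERKEYBBBB=": 0x102}

def parse_allowed_ips(text):
    """Return {public_key: [ip_network, ...]} from `wg show <if> allowed-ips`."""
    peers = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, rest = line.partition("\t")
        peers[key] = [ipaddress.ip_network(tok)
                      for tok in rest.split() if tok != "(none)"]
    return peers

def build_ruleset(peers, marks, ifname="wg0", table="wgacct"):
    """Render an nftables file that marks ingress packets by source prefix."""
    elems = {4: [], 6: []}
    for key, nets in sorted(peers.items()):
        if key not in marks:
            continue  # peer without an account: its packets stay unmarked
        for net in nets:
            elems[net.version].append(f"{net} : {marks[key]:#x}")
    # add + delete + redefine in one file: `nft -f` applies it as one transaction
    out = [f"add table inet {table}", f"delete table inet {table}",
           f"table inet {table} {{"]
    rules = []
    for ver, typ, proto in ((4, "ipv4_addr", "ip"), (6, "ipv6_addr", "ip6")):
        if not elems[ver]:
            continue
        out += [f"  map peer{ver} {{", f"    type {typ} : mark", "    flags interval",
                f"    elements = {{ {', '.join(elems[ver])} }}", "  }"]
        rules.append(f'    iifname "{ifname}" meta mark set {proto} saddr map @peer{ver}')
    out += ["  chain tag_peer {",
            "    type filter hook prerouting priority mangle; policy accept;",
            *rules, "  }", "}"]
    return "\n".join(out) + "\n"
```

Feeding the rendered text to `nft -f` replaces the whole table in a single transaction, but it still has to be regenerated on every peer or allowed-IPs change, which is the extra moving part the request wants to avoid.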