[WireGuard] Is nf_conntrack really needed?

[WireGuard] Is nf_conntrack really needed?

[Baptiste Jonglez]

[-- Attachment #1: Type: text/plain, Size: 656 bytes --]

Hi,

I stumbled upon a build error on LEDE, which was caused by a missing
dependency to nf-conntrack (and possibly nf-conntrack6).

I see that NF_CONNTRACK is used only at one place in device.c, and it is
inconditionally required since 3106d632de ("build system: revamp building
and configuration").

Is the inconditional dependency really needed?  nf-conntrack{,6}
introduces another 50 KB of dependencies on LEDE, which means a ~50%
increase in the amount of flash needed.

By the way, nf-conntrack is already required to do NAT, so this discussion
is only relevant for (hypothetical) people building their own LEDE images
without NAT support.

Baptiste

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [WireGuard] Is nf_conntrack really needed?

[Jason A. Donenfeld]

Hey,

In fact, it's not needed if it's not needed. How to explain this
apparent tautology?

If conntracking is compiled into the kernel, then for ICMP, I need to
ask conntracking if it's possibly mangled the src IP of the packet
before giving it to the wireguard device. If conntracking isn't
compiled into the kernel, then there's nobody to ask and probably the
packet wasn't mangled, in which case, I don't need to do anything. So,
the following patch makes conntrack optional:

https://git.zx2c4.com/WireGuard/commit/?id=c90fba009d70eedac614d77ad3494ed450b2995e

This will be included in the next snapshot.

Jason