On 06.12.2019 18:18, Jason A. Donenfeld wrote:
>> But for the sake of wg-quick
>> the filter can be enabled for wireguard interface only to be sure it
>> wouldn't break anything else
>
> How do you propose this works? That'd require adding -d, right? In
> that case we're back to more or less the original rule. If you do it
> with -i, then it fails to filter the bad packets that we want to be
> filtering.

Actually it appears to be harder than I first thought.
The -d option will let broadcast addresses pass the rule. Is it a
problem here? In the original bulletin the authors talk about TCP. Testing
for interface name doesn't make much sense either, as you said...