> > header_ops looks like the best approach to me, too. The protocol field
> > needs to reflect the protocol of the *outer* packet, of course, but if
> > I read wg_allowedips_lookup_dst correctly, wireguard maintains the
> > same outer protocol as the inner protocol, no sit (6-in-4) and such.
>
> WireGuard does allow 6-in-4 and 4-in-6 actually. But parse_protocol is
> only ever called on the inner packet. The only code paths leading to
> it are af_packet-->ndo_start_xmit, and ndo_start_xmit examines
> skb->protocol of that inner packet, which means it entirely concerns
> the inner packet.

Of course, you are right. This inspects the packet before passing to the
device ndo_start_xmit, so before any encapsulation would take place.

> And generally, for wireguard, userspace only ever
> deals with the inner packet. That inner packet then gets encrypted and
> poked at in strange ways, and then the encrypted blob of sludge gets
> put into a udp packet and sent some place. So I'm quite sure that the
> behavior just committed is right.
>
> And from writing a few libpcap examples, things seem to be working
> very well, including Hans' example.

Definitely. Thanks again.