Hi Alexander,

On Thu, Nov 09, 2023 at 12:57:26PM +0100, Alexander Zubkov wrote:
> I heard recently about the lightweight tunnel infrastructure in the Linux kernel (ip route ... encap ...). And I think this might be helpful in the context of this thread.
I hadn't seen that yet, thanks for pointing it out.
> The Linux kernel already allows adding encapsulation parameters to the route entry in its table. So you do not need to create tunnel devices for that. And wireguard encapsulation and destination might be added there too.
Right, I think ultimately it's going to come down to either technical constraints or in the absence of that, maintainer preference whether via-wgpeer or "encap wg" is the way. The idea is very similar anyway.
> But as I understood the technology, it works only in one way (for outgoing packets) and the decapsulation should be processed separately; for example, in the case of VXLAN and MPLS, they have their own tables.
That would be a problem as I specifically want to tie the source address filtering to this too. I'll have a look at the internals (if and) when I get around to starting work on this.

Thanks,
--Daniel