While researching WireGuard related things I was a bit confused about something in some of the guides I found:
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
Example: https://github.com/pirate/wireguard-docs#Setup
The purpose of the rule being that peers can communicate between each other when the FORWARD chain is set to DROP.
I can’t find any definitive explanation as to why one would want to use conntrack in this situation when no further filtering on traffic between wg0 is done.
One thing I found was this: https://www.tigera.io/blog/when-linux-conntrack-is-no-longer-your-friend/
In addition, conntrack normally improves performance (reduced CPU and reduced packet latencies) since only the first packet in a flow needs to go through the full network stack processing to work out what to do with it.
This was the only reference I could find to it improving performance.
And contradictory to this: https://blog.cloudflare.com/conntrack-tales-one-thousand-and-one-flows/
For example, years ago we decided to avoid using Linux’s “conntrack” – stateful firewall facility. This brought great benefits – it simplified our iptables firewall setup, sped up the system a bit and made the inbound packet path easier to understand.
Is there something to the claim that it improves networking performance or are there any other reasons to use conntrack in this case?
