openwrt route_allowed_ips is imprecise

Baptiste Jonglez baptiste at bitsofnetworks.org
Mon Dec 19 14:19:54 CET 2016


On Mon, Dec 19, 2016 at 02:09:33PM +0100, Jason A. Donenfeld wrote:
> On Mon, Dec 19, 2016 at 2:06 PM, Baptiste Jonglez
> <baptiste at bitsofnetworks.org> wrote:
> > Please provide numbers.  I would be very surprised if a few redundant
> > routes have any performance impact, given that the kernel can handle 600k
> > routes without major issues.
> 
> I'm thinking about the case in which a server has a 10/8 of clients,
> each of which gets a /32. In this case quite a few routes wind up in
> the table...

How many?  What is the performance impact?

> Fortunately the change is pretty easy. Instead of running
> `proto_add_ipv4_route ...` you run:
> 
> [[ $(ip route get "$i") != *dev\ $INTERFACE\ * ]] && proto_add_ipv4_route ...

I really don't like this kind of magic: if there are 42 allowed_ips
entries in the config, then I would expect 42 routes to be created.  If
you don't want them, then just disable route_allowed_ips and add static or
interface routes yourself.

Also, are you sure that this works with busybox's version of "ip"?  What
if "ip" is not enabled in the image?

All in all, since this change is not functionally needed, I don't see the
point of adding the extra complexity and spending the time to test and
maintain this.

Baptiste
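
The redundancy debated in this message (an allowed_ips entry whose route is already covered by a wider prefix on the same interface), worked through as an added example that is not part of the thread or of OpenWrt's WireGuard scripts. It assumes the covering prefixes are passed in explicitly and compares them with shell arithmetic rather than asking the kernel via `ip route get`; the function names and all addresses are constructed.

```shell
#!/bin/sh
# Added example: not from the thread or from OpenWrt's WireGuard proto script.
# Function names and all addresses below are constructed for illustration.

# Dotted-quad IPv4 address -> 32-bit integer (subshell keeps IFS change local).
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeeds if prefix $1 (addr/len) lies entirely inside prefix $2 (addr/len).
covered_by() {
    a=$(ip4_to_int "${1%/*}"); a_len=${1#*/}
    b=$(ip4_to_int "${2%/*}"); b_len=${2#*/}
    # A wider prefix can never be covered by a narrower one.
    [ "$b_len" -le "$a_len" ] || return 1
    mask=$(( (4294967295 << (32 - b_len)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# $1: prefixes already routed via the interface, $2: allowed_ips entries.
# Prints only the allowed_ips entries that still need their own route.
routes_needed() {
    for aip in $2; do
        skip=0
        for net in $1; do
            covered_by "$aip" "$net" && { skip=1; break; }
        done
        [ "$skip" -eq 1 ] || echo "$aip"
    done
}

# Constructed case from the discussion: a 10/8 on the interface, /32 peers.
CONNECTED="10.0.0.0/8"
ALLOWED="10.0.0.2/32 10.0.0.3/32 10.200.1.7/32 192.168.50.0/24"
echo "one route per entry: $(echo $ALLOWED | wc -w) routes"
echo "after coverage check:"
routes_needed "$CONNECTED" "$ALLOWED"
```

Unlike `ip route get`, this compares only against the prefixes it is given, so a covering route on a different interface is not taken into account.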