multiple wireguard interface and kworker ressources

Jason A. Donenfeld Jason at zx2c4.com
Wed Jun 21 15:54:22 CEST 2017


Hi Nicolas,

1000 interfaces with 500 peers each. That's a very impressive quantity
of 500001 wireguard deployments! Please do let me know how that goes.
I'd be interested to learn what the name of this project/company is.

With regards to your problem, I've fixed it by completely rewriting
ratelimiter.c to not use xt_hashtable, a piece of decaying Linux code
from the 1990s, and instead using my own token bucket implementation.
The result performs much better, is easier on RAM usage, and requires
far fewer lines of code. Most importantly for you, all interfaces will
now be able to share the same netns-keyed hashtable, so that the
cleanup routines are always fast, no matter how many interfaces you
have.

I'll likely sit on it for a bit longer while I verify it and make sure
it works, but if you'd like to try it now, it's sitting in the git
master. Please let me know how it goes.

Regards,
Jason


More information about the WireGuard mailing list