wireguard: Set wireguard and route MTU to detected MTU #16020
Conversation
joamaki
added
the
release-note/minor
pkg/wireguard/agent/agent.go
Outdated
| // wireguardOverhead is an approximation for the overhead of wireguard | ||
| // encapsulation. | ||
| // | ||
| // https://github.com/torvalds/linux/blob/master/drivers/net/wireguard/device.c#L262: |
There was a problem hiding this comment.
Nit: maybe you could pin the URL to a specific tag, e.g. 5.12.
| @@ -134,6 +146,12 @@ func (a *Agent) Init() error { | |||
| return err | |||
| } | |||
|
|
|||
| linkMTU := mtuConfig.GetDeviceMTU() - wireguardOverhead | |||
| if err := netlink.LinkSetMTU(link, linkMTU); err != nil { | |||
There was a problem hiding this comment.
I think this is not enough. We need to make sure that route MTU in pod netns is set accordingly (MTU minus the WG overhead), grep for GetRouteMTU. Maybe this is exactly the same what you went in:
Should pkg/mtu be refactored so that the overhead computation works for both IPsec and Wireguard?
There was a problem hiding this comment.
Yep you're right. The route MTU was set too high. Modified pkg/mtu to handle the wireguard case. That package needs a rewrite soon, but as discussed with @brb this will be addressed in v1.11 anyway, so not worth addressing that now.
joamaki
force-pushed
the
jussi/pr/set-wireguard-mtu
branch
from
e57aa86
to
21680e5
Compare
|
test-me-please |
joamaki
force-pushed
the
jussi/pr/set-wireguard-mtu
branch
from
21680e5
to
957f95f
Compare
joamaki
changed the title
There was a problem hiding this comment.
I briefly glanced through, looks right to me - adjust route MTU by wireguard if that mode is configured, and set the wireguard interface MTU based on native device MTU minus wireguard overhead.
I assume we don't support wireguard + tunneling today (otherwise there'd be some extra changes lower in GetRouteMTU() where the encrypt+ipsec cases are handled).
|
test-runtime |
|
test-net-next |
| encapEnabled bool | ||
| encryptEnabled bool | ||
| encapEnabled bool | ||
| encryptEnabled bool |
There was a problem hiding this comment.
As a follow up we should probably s/encryptEnabled/ipsecEnabled.
@joestringer We do, just that in the case of tunneling pod2pod traffic goes only via the wg tunnel, so it's encapsulated only once (#15716 (comment)). |
Yep, fragments as expected. Though there's odd issue with small fragments getting dropped. Not related to this issue though so I'll debug and fix that separately if I can. EDIT: Figured out the cause. Documented here: #16036. |
|
test-1.21-4.9 |
|
test-net-next |
For more optimal packet sizes in large MTU setups, set the cilium_wg0 MTU based on the detected MTU minus overhead. Additionally set the route MTU on container side to detected MTU minus wireguard overhead when wireguard is enabled. Tested manually with "--mtu 1400", causing cilium_wg0 and route MTU to be set to 1320. Signed-off-by: Jussi Maki <jussi@isovalent.com>
joamaki
force-pushed
the
jussi/pr/set-wireguard-mtu
branch
from
957f95f
to
5951163
Compare
|
test-net-next |
joamaki
added
the
ready-to-merge
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.10
in 1.10.0-rc2
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.10
in 1.10.0-rc2
maintainer-s-little-helper
bot
moved this from Backport pending to v1.10
to Backport done to v1.10
in 1.10.0-rc2
maintainer-s-little-helper
bot
moved this from Backport pending to v1.10
to Backport done to v1.10
in 1.10.0-rc2
For more optimal packet sizes in large MTU setups, set the
cilium_wg0 MTU based on the detected MTU minus overhead.
Additionally set the route MTU on container side to detected
MTU minus wireguard overhead when wireguard is enabled.
Tested manually with "--mtu 1400", causing cilium_wg0 and
route MTU to be set to 1320.