wireguard: Set wireguard and route MTU to detected MTU #16020
Conversation
pkg/wireguard/agent/agent.go
Outdated
// wireguardOverhead is an approximation for the overhead of wireguard | ||
// encapsulation. | ||
// | ||
// https://github.com/torvalds/linux/blob/master/drivers/net/wireguard/device.c#L262: |
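Review bot: the doc comment calls the constant an approximation of the WireGuard encapsulation overhead but never says what it is made of, so a reader cannot check the value without following the link. Spell out the fields it sums (the message header, the UDP header, and which IP header size it assumes) next to the constant, and pin the link to a tag rather than a master line number, which moves with every change to device.c.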
Nit: maybe you could pin the URL to a specific tag, e.g. 5.12.
Done.
@@ -134,6 +146,12 @@ func (a *Agent) Init() error { | |||
return err | |||
} | |||
|
|||
linkMTU := mtuConfig.GetDeviceMTU() - wireguardOverhead | |||
if err := netlink.LinkSetMTU(link, linkMTU); err != nil { |
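Review bot: `linkMTU := mtuConfig.GetDeviceMTU() - wireguardOverhead` is handed straight to `netlink.LinkSetMTU` with no lower bound, so a small `--mtu` will silently produce a link MTU below the IPv6 minimum of 1280 (or a non-positive one) and either fail opaquely in netlink or leave an interface IPv6 cannot use. Validate the result before the call, e.g. `if linkMTU < 1280 { return fmt.Errorf("wireguard MTU %d below IPv6 minimum", linkMTU) }`, and derive the pod-side route MTU from this same value so the two cannot drift apart.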
I think this is not enough. We need to make sure that route MTU in pod netns is set accordingly (MTU minus the WG overhead), grep for GetRouteMTU. Maybe this is exactly the same as what you ran into:
Should pkg/mtu be refactored so that the overhead computation works for both IPsec and Wireguard?
Yep, you're right. The route MTU was set too high. Modified pkg/mtu to handle the wireguard case. That package needs a rewrite soon, but as discussed with @brb this will be addressed in v1.11 anyway, so not worth addressing that now.
Force-pushed e57aa86 to 21680e5
test-me-please
Force-pushed 21680e5 to 957f95f
I briefly glanced through, looks right to me: adjust route MTU by wireguard if that mode is configured, and set the wireguard interface MTU based on native device MTU minus wireguard overhead.
I assume we don't support wireguard + tunneling today (otherwise there'd be some extra changes lower in GetRouteMTU() where the encrypt+ipsec cases are handled).
test-runtime
test-net-next
Looks good, thanks.
One question: have you tested that ping -c1 -s 1412 $REMOTE_POD_IP doesn't get fragmented, while ping -c1 -s 1413 $REMOTE_POD_IP does? -s 1412 because +8 for ICMP hdr.
encapEnabled bool | ||
encryptEnabled bool | ||
encapEnabled bool | ||
encryptEnabled bool |
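Review bot: both fields are added without a doc comment, and now that WireGuard is a second encryption mode the name `encryptEnabled` no longer says which one it gates. Document each field where it is declared (`encapEnabled` for the tunneling overhead, `encryptEnabled` for the IPsec overhead it actually controls), or rename the latter so the wireguard case cannot be mistaken for it.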
As a follow up we should probably s/encryptEnabled/ipsecEnabled.
@joestringer We do, just that in the case of tunneling pod2pod traffic goes only via the wg tunnel, so it's encapsulated only once (#15716 (comment)).
Yep, fragments as expected. Though there's an odd issue with small fragments getting dropped. Not related to this issue though, so I'll debug and fix that separately if I can. EDIT: Figured out the cause. Documented here: #16036.
test-1.21-4.9
test-net-next
For more optimal packet sizes in large MTU setups, set the cilium_wg0 MTU based on the detected MTU minus overhead. Additionally set the route MTU on container side to detected MTU minus wireguard overhead when wireguard is enabled. Tested manually with "--mtu 1400", causing cilium_wg0 and route MTU to be set to 1320. Signed-off-by: Jussi Maki <jussi@isovalent.com>
Force-pushed 957f95f to 5951163
test-net-next
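As an added example, not code from this PR or from Cilium's pkg/mtu, here is how the MTU arithmetic in the commit message and the fragmentation check brb asks for fit together in Go. `Config`, `RouteMTU`, `WireGuardLinkMTU`, `MaxPingPayload` and `FragmentationProbe` are hypothetical names, and the tunnel and IPsec overheads (and how they would combine) are assumptions for illustration; only the 80-byte WireGuard overhead, which gives 1320 for a detected MTU of 1400 as the commit message reports, is taken from the page. Unlike the bare subtraction in the agent.go hunk, the link-MTU helper refuses a result below the IPv6 minimum, and the ping helper subtracts the IP header as well as the 8-byte ICMP header when choosing the `-s` size.

```go
package main

import "fmt"

// Per-mode overheads, in bytes, taken off the detected device MTU.
//
// WireGuardOverhead is the value this PR relies on (Linux's wireguard
// device.c sizes the device at ETH_DATA_LEN minus the message header, the
// UDP header and the larger IP header); it matches "--mtu 1400 -> 1320".
// TunnelOverhead and IPsecOverhead are ASSUMED values for this example,
// not Cilium's own constants.
const (
	WireGuardOverhead = 80
	TunnelOverhead    = 50   // assumption: VXLAN-style encapsulation
	IPsecOverhead     = 60   // assumption: ESP encapsulation
	MinIPv6MTU        = 1280 // RFC 8200 minimum link MTU
	ICMPHeader        = 8
	IPv4Header        = 20
	IPv6Header        = 40
)

// Config is a hypothetical stand-in for the knobs discussed in the thread.
type Config struct {
	DeviceMTU        int
	EncapEnabled     bool
	IPsecEnabled     bool
	WireGuardEnabled bool
}

// RouteMTU is the MTU to program on the pod-side routes. With WireGuard on,
// pod-to-pod traffic is encapsulated only once even when tunneling is also
// enabled (as stated in the thread), so only the WireGuard overhead is
// subtracted. The remaining branches are assumptions about encap and IPsec.
func (c Config) RouteMTU() int {
	switch {
	case c.WireGuardEnabled:
		return c.DeviceMTU - WireGuardOverhead
	case c.EncapEnabled && c.IPsecEnabled:
		return c.DeviceMTU - TunnelOverhead - IPsecOverhead
	case c.EncapEnabled:
		return c.DeviceMTU - TunnelOverhead
	case c.IPsecEnabled:
		return c.DeviceMTU - IPsecOverhead
	}
	return c.DeviceMTU
}

// WireGuardLinkMTU is the MTU for the WireGuard link itself. It rejects a
// result below the IPv6 minimum instead of programming it silently.
func (c Config) WireGuardLinkMTU() (int, error) {
	if !c.WireGuardEnabled {
		return 0, fmt.Errorf("wireguard is not enabled")
	}
	mtu := c.DeviceMTU - WireGuardOverhead
	if mtu < MinIPv6MTU {
		return 0, fmt.Errorf("device MTU %d leaves %d bytes after wireguard overhead, below the IPv6 minimum of %d",
			c.DeviceMTU, mtu, MinIPv6MTU)
	}
	return mtu, nil
}

// MaxPingPayload is the largest `ping -s` value that still fits in one
// packet at routeMTU: both the IP header and the 8-byte ICMP header count.
func MaxPingPayload(routeMTU int, ipv6 bool) int {
	hdr := IPv4Header
	if ipv6 {
		hdr = IPv6Header
	}
	return routeMTU - hdr - ICMPHeader
}

// FragmentationProbe builds the two commands for the check brb describes.
// -M do sets the DF bit, so the second command must fail with
// "message too long" rather than being fragmented silently.
func FragmentationProbe(routeMTU int, ipv6 bool, remote string) (fits, exceeds string) {
	n := MaxPingPayload(routeMTU, ipv6)
	fits = fmt.Sprintf("ping -c1 -M do -s %d %s", n, remote)
	exceeds = fmt.Sprintf("ping -c1 -M do -s %d %s", n+1, remote)
	return fits, exceeds
}

func main() {
	cfg := Config{DeviceMTU: 1400, WireGuardEnabled: true} // the PR's manual test
	link, err := cfg.WireGuardLinkMTU()
	if err != nil {
		panic(err)
	}
	fmt.Printf("cilium_wg0 MTU %d, route MTU %d\n", link, cfg.RouteMTU())
	fits, exceeds := FragmentationProbe(cfg.RouteMTU(), false, "$REMOTE_POD_IP")
	fmt.Println(fits)
	fmt.Println(exceeds)
}
```

Run it with a device MTU of 1400 and it reports 1320 for both the link and the route MTU; with a device MTU of 1350 the link helper returns an error instead of programming 1270. The probe pair is meant to be run from inside a pod against a remote pod IP, with tcpdump on the node's native device to confirm the first command leaves as a single packet.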