[PATCH wireguard-tools v2 0/2] ipc: linux: kernel-side device filtering

[PATCH wireguard-tools v2 0/2] ipc: linux: kernel-side device filtering

[Asbjørn Sloth Tønnesen]

Move device filtering to the kernel, thereby reducing netlink traffic.

The first patch request kernel-side filtering.

The second patch removes the old filtering code, as an
additional step, which breaks on earlier than Linux v4.6.

I assume that a dependency on Linux v4.6+ is acceptable for wg-tools
now, as wireguard-linux-compat haven't been updated for 3 years.

---
Changes:
v2:
- Added info about kernel-support to commit message
- Added another patch, for removing client-side filtering

v1: https://lists.zx2c4.com/pipermail/wireguard/2025-September/009004.html

Asbjørn Sloth Tønnesen (2):
  ipc: linux: filter netdevices kernel-side
  ipc: linux: remove user-space device filtering

 src/ipc-linux.h | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)

-- 
2.51.0

[PATCH wireguard-tools v2 1/2] ipc: linux: filter netdevices kernel-side

[Asbjørn Sloth Tønnesen]

Tell the kernel that we are only interested in wireguard
netdevices, so that the kernel don't have to dump all the
other netdevices.

Kernel-side support for this was added in Linux v4.6 in
commit dc599f76c22b ("net: Add support for filtering link dump
by master device and kind").

Tested with 10000 netdevices (common with ISP BNG setups),
out of which 1 was a wireguard netdevice.

Baseline:
  # time ./src/wg show
  real    0m0.342s
  user    0m0.013s
  sys     0m0.290s

With patch:
  # time ./src/wg show
  real    0m0.006s
  user    0m0.000s
  sys     0m0.005s

Signed-off-by: Asbjørn Sloth Tønnesen <wireguard@asbjorn.st>
---
 src/ipc-linux.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/ipc-linux.h b/src/ipc-linux.h
index 01247f1..c56fede 100644
--- a/src/ipc-linux.h
+++ b/src/ipc-linux.h
@@ -80,6 +80,7 @@ static int kernel_get_wireguard_interfaces(struct string_list *list)
 	int ret = 0;
 	struct nlmsghdr *nlh;
 	struct ifinfomsg *ifm;
+	struct nlattr *linkinfo_nest;
 
 	ret = -ENOMEM;
 	rtnl_buffer = calloc(SOCKET_BUFFER_SIZE, 1);
@@ -105,6 +106,11 @@ static int kernel_get_wireguard_interfaces(struct string_list *list)
 	nlh->nlmsg_seq = seq;
 	ifm = mnl_nlmsg_put_extra_header(nlh, sizeof(*ifm));
 	ifm->ifi_family = AF_UNSPEC;
+
+	linkinfo_nest = mnl_attr_nest_start(nlh, IFLA_LINKINFO);
+	mnl_attr_put_strz(nlh, IFLA_INFO_KIND, WG_GENL_NAME);
+	mnl_attr_nest_end(nlh, linkinfo_nest);
+
 	message_len = nlh->nlmsg_len;
 
 	if (mnl_socket_sendto(nl, rtnl_buffer, message_len) < 0) {
-- 
2.51.0

[PATCH wireguard-tools v2 2/2] ipc: linux: remove user-space device filtering

[Asbjørn Sloth Tønnesen]

As devices are now filtered kernel-side, then we can remove
the code for filtering in user-space.

This breaks device listing for kernels earlier than Linux v4.6.

Signed-off-by: Asbjørn Sloth Tønnesen <wireguard@asbjorn.st>
---
 src/ipc-linux.h | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/src/ipc-linux.h b/src/ipc-linux.h
index c56fede..45bb55c 100644
--- a/src/ipc-linux.h
+++ b/src/ipc-linux.h
@@ -29,25 +29,13 @@
 
 struct interface {
 	const char *name;
-	bool is_wireguard;
 };
 
-static int parse_linkinfo(const struct nlattr *attr, void *data)
-{
-	struct interface *interface = data;
-
-	if (mnl_attr_get_type(attr) == IFLA_INFO_KIND && !strcmp(WG_GENL_NAME, mnl_attr_get_str(attr)))
-		interface->is_wireguard = true;
-	return MNL_CB_OK;
-}
-
 static int parse_infomsg(const struct nlattr *attr, void *data)
 {
 	struct interface *interface = data;
 
-	if (mnl_attr_get_type(attr) == IFLA_LINKINFO)
-		return mnl_attr_parse_nested(attr, parse_linkinfo, data);
-	else if (mnl_attr_get_type(attr) == IFLA_IFNAME)
+	if (mnl_attr_get_type(attr) == IFLA_IFNAME)
 		interface->name = mnl_attr_get_str(attr);
 	return MNL_CB_OK;
 }
@@ -61,7 +49,7 @@ static int read_devices_cb(const struct nlmsghdr *nlh, void *data)
 	ret = mnl_attr_parse(nlh, sizeof(struct ifinfomsg), parse_infomsg, &interface);
 	if (ret != MNL_CB_OK)
 		return ret;
-	if (interface.name && interface.is_wireguard)
+	if (interface.name)
 		ret = string_list_add(list, interface.name);
 	if (ret < 0)
 		return ret;
-- 
2.51.0