[PATCH wireguard-tools v3 0/3] ipc: linux: kernel-side netdevice filtering

[PATCH wireguard-tools v3 0/3] ipc: linux: kernel-side netdevice filtering

[Asbjørn Sloth Tønnesen]

Move device filtering to the kernel, thereby reducing netlink traffic.

The first patch request kernel-side filtering.

The second patch requests that the kernel doesn't include statistics
in netdevice dumps.

The third patch removes the old filtering code, as an
additional step, which breaks on earlier than Linux v4.6.

I assume that a dependency on Linux v4.6+ is acceptable for wg-tools
now, as wireguard-linux-compat haven't been updated for 3 years.

---
Changes:
v3:
- Added patch to set RTEXT_FILTER_SKIP_STATS
- Re-worked commit messages a bit.

v2: https://lists.zx2c4.com/pipermail/wireguard/2025-October/009080.html
- Added info about kernel-support to commit message
- Added another patch, for removing client-side filtering

v1: https://lists.zx2c4.com/pipermail/wireguard/2025-September/009004.html

Asbjørn Sloth Tønnesen (3):
  ipc: linux: filter netdevices kernel-side
  ipc: linux: skip statistics on netdevice listing
  ipc: linux: remove user-space netdevice filtering

 src/ipc-linux.h | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

-- 
2.51.0

[PATCH wireguard-tools v3 1/3] ipc: linux: filter netdevices kernel-side

[Asbjørn Sloth Tønnesen]

Tell the kernel that we are only interested in wireguard netdevices,
so that the kernel don't have to dump all the other netdevices.

Kernel-side support for this was added in Linux v4.6 in
commit dc599f76c22b ("net: Add support for filtering link dump by
master device and kind").

Tested with 10000 netdevices (common with ISP BNG setups), and a
single wireguard netdevice.

Baseline:
  # time ./src/wg show
  real    0m0.342s
  user    0m0.013s
  sys     0m0.290s

With patch:
  # time ./src/wg show
  real    0m0.006s
  user    0m0.000s
  sys     0m0.005s

Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net>
---
 src/ipc-linux.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/ipc-linux.h b/src/ipc-linux.h
index 01247f1..c56fede 100644
--- a/src/ipc-linux.h
+++ b/src/ipc-linux.h
@@ -80,6 +80,7 @@ static int kernel_get_wireguard_interfaces(struct string_list *list)
 	int ret = 0;
 	struct nlmsghdr *nlh;
 	struct ifinfomsg *ifm;
+	struct nlattr *linkinfo_nest;
 
 	ret = -ENOMEM;
 	rtnl_buffer = calloc(SOCKET_BUFFER_SIZE, 1);
@@ -105,6 +106,11 @@ static int kernel_get_wireguard_interfaces(struct string_list *list)
 	nlh->nlmsg_seq = seq;
 	ifm = mnl_nlmsg_put_extra_header(nlh, sizeof(*ifm));
 	ifm->ifi_family = AF_UNSPEC;
+
+	linkinfo_nest = mnl_attr_nest_start(nlh, IFLA_LINKINFO);
+	mnl_attr_put_strz(nlh, IFLA_INFO_KIND, WG_GENL_NAME);
+	mnl_attr_nest_end(nlh, linkinfo_nest);
+
 	message_len = nlh->nlmsg_len;
 
 	if (mnl_socket_sendto(nl, rtnl_buffer, message_len) < 0) {
-- 
2.51.0

[PATCH wireguard-tools v3 2/3] ipc: linux: skip statistics on netdevice listing

[Asbjørn Sloth Tønnesen]

Gathering interface statistics can be a relatively expensive operation
on certain systems as it requires iterating over all the cpus.

This patch instructs the kernel to not include netdevice statistics,
in the netdevice listing.

Kernel-side support for this was added in Linux v4.4 in commit
d5566fd72ec1 ("rtnetlink: RTEXT_FILTER_SKIP_STATS support to avoid
dumping inet/inet6 stats"), this saves 368 bytes of statistics.

In the Linux v6.19 commit 105bae321862 ("rtnetlink: honor
RTEXT_FILTER_SKIP_STATS in IFLA_STATS"), it is expanded to skip more
statistics bringing the savings to 800 bytes per netdevice.

As the minimum kernel version for wireguard-tools is unclear, it's
wrapped in a #ifdef guard. If the minimum version is v4.4+ it can be
removed.

Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net>
---
 src/ipc-linux.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/ipc-linux.h b/src/ipc-linux.h
index c56fede..61e2c1a 100644
--- a/src/ipc-linux.h
+++ b/src/ipc-linux.h
@@ -106,6 +106,9 @@ static int kernel_get_wireguard_interfaces(struct string_list *list)
 	nlh->nlmsg_seq = seq;
 	ifm = mnl_nlmsg_put_extra_header(nlh, sizeof(*ifm));
 	ifm->ifi_family = AF_UNSPEC;
+#ifdef RTEXT_FILTER_SKIP_STATS
+	mnl_attr_put_u32(nlh, IFLA_EXT_MASK, RTEXT_FILTER_SKIP_STATS);
+#endif
 
 	linkinfo_nest = mnl_attr_nest_start(nlh, IFLA_LINKINFO);
 	mnl_attr_put_strz(nlh, IFLA_INFO_KIND, WG_GENL_NAME);
-- 
2.51.0

[PATCH wireguard-tools v3 3/3] ipc: linux: remove user-space netdevice filtering

[Asbjørn Sloth Tønnesen]

As devices are now filtered kernel-side, then we can remove
the code for filtering in user-space.

This breaks device listing for kernels earlier than Linux v4.6,
device-specific commands will continue to work.

As the minimum kernel version for wireguard-tools is unclear, it's
unclear if the user-space filtering can be removed yet.

Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net>
---
 src/ipc-linux.h | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/src/ipc-linux.h b/src/ipc-linux.h
index 61e2c1a..639fb00 100644
--- a/src/ipc-linux.h
+++ b/src/ipc-linux.h
@@ -29,25 +29,13 @@
 
 struct interface {
 	const char *name;
-	bool is_wireguard;
 };
 
-static int parse_linkinfo(const struct nlattr *attr, void *data)
-{
-	struct interface *interface = data;
-
-	if (mnl_attr_get_type(attr) == IFLA_INFO_KIND && !strcmp(WG_GENL_NAME, mnl_attr_get_str(attr)))
-		interface->is_wireguard = true;
-	return MNL_CB_OK;
-}
-
 static int parse_infomsg(const struct nlattr *attr, void *data)
 {
 	struct interface *interface = data;
 
-	if (mnl_attr_get_type(attr) == IFLA_LINKINFO)
-		return mnl_attr_parse_nested(attr, parse_linkinfo, data);
-	else if (mnl_attr_get_type(attr) == IFLA_IFNAME)
+	if (mnl_attr_get_type(attr) == IFLA_IFNAME)
 		interface->name = mnl_attr_get_str(attr);
 	return MNL_CB_OK;
 }
@@ -61,7 +49,7 @@ static int read_devices_cb(const struct nlmsghdr *nlh, void *data)
 	ret = mnl_attr_parse(nlh, sizeof(struct ifinfomsg), parse_infomsg, &interface);
 	if (ret != MNL_CB_OK)
 		return ret;
-	if (interface.name && interface.is_wireguard)
+	if (interface.name)
 		ret = string_list_add(list, interface.name);
 	if (ret < 0)
 		return ret;
-- 
2.51.0

Re: [PATCH wireguard-tools v3 0/3] ipc: linux: kernel-side netdevice filtering

[Jason A. Donenfeld]

On Fri, Jan 30, 2026 at 07:10:52PM +0000, Asbjørn Sloth Tønnesen wrote:
> Move device filtering to the kernel, thereby reducing netlink traffic.
> 
> The first patch request kernel-side filtering.
> 
> The second patch requests that the kernel doesn't include statistics
> in netdevice dumps.
> 
> The third patch removes the old filtering code, as an
> additional step, which breaks on earlier than Linux v4.6.
> 
> I assume that a dependency on Linux v4.6+ is acceptable for wg-tools
> now, as wireguard-linux-compat haven't been updated for 3 years.

Interesting series. If I'm going to apply this, I'm going to apply it,
and so the ifdefs you've added won't matter much; this will still break
wireguard-linux-compat. But maybe it's time to do so. So if you're up
for sending a v4, just do it like there's no yesterday.

Also, does this filtering need to also be added to the embeddable c
library contrib code?

Thanks for this patch. I'll start thinking seriously about
wireguard-linux-compat sunsetting.

Jason