-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
High Memory usage per TCP connection #16
Comments
Can you please share the command you used to make the 88k TCP connections? Was it nmap/masscan? Command and args would be helpful, thanks! Edit: It would also be helpful to know if you're running the |
I'm using
The Exit Node is x86_64. I'm running wiretap v0.2.0 as root (change the keys etc):
(effectively it starts wiretap with On the origin server (segfault) I scan a 'black hole' of the Internet by executing:
I then check on the Exit Node the RSS of wiretap and the number of TCP sockets and compare the delta. The OOM kicks in after a few seconds (depending on the host memory). |
Super research. Is removing gVisor an option? gVisor is falling apart left right and centre and seems to be the culprit of a lot of pain (including #18) The forwarding connection object (WT TCP to target) could record "Origin-2-WT" [syn/ack/src-ip/src-port]. The whole thing can be done in 14 bytes per forwarding TCP connection. |
Getting away from gVisor entirely is probably not going to happen. It would be a ton of work to reimplement the features that Wiretap needs. However, we may be able to move away from gVisor's DNAT rule in favor of some other transparent proxy mechanism. Something that has been on my todo list for some time is looking at how Tailscale is handling their "Subnet Routing" feature that is very similar to what Wiretap does: https://github.com/tailscale/tailscale/blob/62130e6b68f629ecf41176330eb70dfc7c9d58e2/wgengine/netstack/netstack.go |
When iptables isn't used, connections aren't tracked. This branch doesn't use iptables so memory usage should be greatly reduced when running a scan: |
Good work. The command to try is:
The OOM still kills it but only after 60 seconds (>3GB RSS) rather ten 2-3 seconds. |
You can try playing with GOGC, it allows you to make garbage collection more frequent with a value less than 100: High memory usage is a known issue: tailscale/tailscale#7272 and WireGuard/wireguard-go#69. EDIT: Forgot to mention that |
Testing results, 4GB server and running
Odd. Less memory is used when not setting GOGC. I'm unclear why it would consume 3.4GB of memory in the first place when there are only 10,000 connections (10,000 new connections every second and conn-timeout is set to 1second). Feels like is leaking somewhere. Memory consumption should be not steadily increase given the parameters. |
I haven't been able to replicate this 🙁 With I think having you profile might help track this down. Can you please pull the |
Couldn't replicate latest OOM, so closing. If this is still an issue feel free to reopen. |
Wiretap seems to use around 14MBytes of memory (rss) for each new tcp connection. That's without kernel memory and without TCP buffers (which reside inside the kernel; not userland).
The problem is that this causes wiretap to fail (and exit; or killed by the OOM).
The problem can be re-created when establishing 88k TCP connections when wiretap is running on a Linux system with 2GBytes of RAM (sending 88k TCP SYN).
It seems odd that the userland wiretap allocates 14MBytes of memory before the TCP connection has exchanged any data.
The desirable solution would be any of these two:
The text was updated successfully, but these errors were encountered: