
Linux Netlink

Netlink is the Linux kernel's user-space-to-kernel RPC primitive. "[Netlink is] basically a way to create a userland socket to talk to a kernel service." (Source: sources/2024-03-12-flyio-jit-wireguard-peers)

A userland process opens an AF_NETLINK socket with a family specifier (e.g. NETLINK_ROUTE, NETLINK_GENERIC) and exchanges structured request and response messages with the corresponding kernel subsystem. Documentation: userspace-api/netlink/intro. A summary as a C API is available in wg-dynamic/netlink.h.

WireGuard configuration surface

Netlink is the only supported way to configure an in-kernel WireGuard interface. The Go reference library is wgctrl-go.
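As an added example (not code from the Fly.io source, wg-dynamic or wgctrl-go), the message framing described above is carried through for the first step every WireGuard configuration tool takes over NETLINK_GENERIC: asking the controller family for the numeric id the running kernel assigned to the "wireguard" family. Byte layouts follow <linux/netlink.h> and <linux/genetlink.h>; the two sample replies are constructed, and the family id 28 in them is an assumed value.

```python
import socket
import struct

# Constants from <linux/netlink.h> and <linux/genetlink.h>.
NETLINK_GENERIC, NLMSG_HDRLEN, NLMSG_ERROR = 16, 16, 0x2      # nlmsghdr: len u32, type u16, flags u16, seq u32, pid u32
NLM_F_REQUEST, NLM_F_ACK, GENL_ID_CTRL = 0x1, 0x4, 0x10      # the controller family has a fixed id; others are looked up
CTRL_CMD_NEWFAMILY, CTRL_CMD_GETFAMILY, CTRL_ATTR_FAMILY_ID, CTRL_ATTR_FAMILY_NAME = 1, 3, 1, 2

def parse_header(msg: bytes) -> tuple:
    return struct.unpack_from("=IHHII", msg, 0)               # (len, type, flags, seq, pid), host byte order

def build_getfamily(name: str, seq: int) -> bytes:
    """nlmsghdr + genlmsghdr + CTRL_ATTR_FAMILY_NAME: ask the controller for a family's numeric id."""
    value = name.encode() + b"\0"
    attr = struct.pack("=HH", 4 + len(value), CTRL_ATTR_FAMILY_NAME) + value
    attr += b"\0" * (-len(attr) % 4)                             # attributes are padded to 4 bytes
    body = struct.pack("=BBH", CTRL_CMD_GETFAMILY, 1, 0) + attr  # genlmsghdr: cmd, version, reserved
    hdr = struct.pack("=IHHII", NLMSG_HDRLEN + len(body), GENL_ID_CTRL,
                      NLM_F_REQUEST | NLM_F_ACK, seq, 0)         # pid 0: kernel fills in our port id
    return hdr + body

def parse_family_id(msg: bytes) -> int:
    """CTRL_ATTR_FAMILY_ID from a CTRL_CMD_NEWFAMILY reply; OSError if the kernel answered NLMSG_ERROR."""
    length, mtype, _flags, _seq, _pid = parse_header(msg)
    if mtype == NLMSG_ERROR:                                     # payload starts with a negative errno
        raise OSError(-struct.unpack_from("=i", msg, NLMSG_HDRLEN)[0], "netlink request failed")
    if mtype != GENL_ID_CTRL or msg[NLMSG_HDRLEN] != CTRL_CMD_NEWFAMILY:
        raise ValueError(f"unexpected reply type={mtype} cmd={msg[NLMSG_HDRLEN]}")
    off = NLMSG_HDRLEN + 4                                       # skip nlmsghdr and genlmsghdr
    while off + 4 <= length:
        alen, atype = struct.unpack_from("=HH", msg, off)
        if alen < 4 or off + alen > length:
            raise ValueError("malformed attribute")
        if atype == CTRL_ATTR_FAMILY_ID:
            return struct.unpack_from("=H", msg, off + 4)[0]
        off += (alen + 3) & ~3
    raise ValueError("reply carries no CTRL_ATTR_FAMILY_ID")

# Constructed sample replies (not captured from a kernel): "wireguard" with an assumed id 28, and -ENOENT for an unknown family.
SAMPLE_REPLY = (struct.pack("=IHHII", 44, GENL_ID_CTRL, 0, 7, 4242) + struct.pack("=BBH", CTRL_CMD_NEWFAMILY, 2, 0)
                + struct.pack("=HH", 14, CTRL_ATTR_FAMILY_NAME) + b"wireguard\0\0\0"
                + struct.pack("=HHH", 6, CTRL_ATTR_FAMILY_ID, 28) + b"\0\0")
SAMPLE_ERROR_REPLY = (struct.pack("=IHHII", 36, NLMSG_ERROR, 0, 7, 4242)
                      + struct.pack("=i", -2) + build_getfamily("wireguard", 7)[:NLMSG_HDRLEN])

if __name__ == "__main__":                                       # live lookup, Linux only
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_GENERIC) as s:
        s.send(build_getfamily("wireguard", 1))
        print("wireguard genetlink family id:", parse_family_id(s.recv(4096)))
```

Run as a script on Linux to perform the lookup against the running kernel; an -ENOENT error reply means no family named wireguard is registered, which is what a missing module looks like from the socket.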

Operations Fly.io exercises via Netlink in the Fly gateway stack:

  • Install / remove peers (per peer: public key, allowed IPs, optional persistent keepalive, optional pre-shared key).
  • Read the interface's private key from a privileged process. This is load-bearing for Fly's JIT peer provisioning — the gateway needs the interface private key to run the Noise handshake unwrap that identifies the initiator. (Source: sources/2024-03-12-flyio-jit-wireguard-peers)

What it doesn't expose: a subscription API for "handshake-initiation-received" events. "Note that there's no API call to subscribe for 'incoming connection attempt' events." (Source: sources/2024-03-12-flyio-jit-wireguard-peers) — which is precisely why Fly generates those events itself with a BPF filter on the data plane.
