Very often the number of file descriptors is limited quite low by default. Consequently, kresd's uncached QPS may be unnecessarily limited by that (lots of SERVFAILs), at least by default.
The limits I often see on Linux: 1024 soft + 4096 hard, which seems ridiculous for the typical resources of today's machines. We open a new FD for every UDP packet upstream in order to maximize entropy from port randomization. I expect the problem is partially mitigated by the fact that these limits apply per process, but even so, it seems easy to improve the defaults at least a bit.
What we can do:
- document it somewhere
- `ulimit()` or similar to let kresd increase it; just moving from 1024 to 4096 seems quite a substantial improvement, and 4096 even seems OK-ish for some cases I tested
- (possibly, in future) in case of plaintext forwarding, automatically prefer TCP when QPS gets high and/or when we start getting problems like `EMFILE` errors. Users behind some NATs are also severely limited in terms of "concurrent connection count".
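As an added example (my own demo code, not kresd's): a small C program that does the second item above, raising the soft `RLIMIT_NOFILE` up to the hard limit the way a daemon can for itself without privileges, and that shows the failure mode from the third item by lowering the soft limit to a tight value and opening one UDP socket per "query" until `socket()` fails with `EMFILE`. The function names (`set_nofile_soft`, `exhaust_fds`), the probe value 64, the 8192 probe cap and the `/dev/null` fallback are my choices for the demo, not anything from kresd.

```c
/* nofile_demo.c: what a resolver can do about a low RLIMIT_NOFILE, and what
 * running into it looks like.  Added example, not kresd's own code.
 * Build and run: cc -Wall -o nofile_demo nofile_demo.c && ./nofile_demo
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

#define PROBE_CAP 8192  /* stop probing here even if the limit is higher */

/* Return the hard RLIMIT_NOFILE, or -1 if it is RLIM_INFINITY or unreadable. */
long nofile_hard(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || rl.rlim_max == RLIM_INFINITY)
        return -1;
    return (long)rl.rlim_max;
}

/* Set the soft RLIMIT_NOFILE to `want`, clamped to the hard limit.  An
 * unprivileged process may move its soft limit anywhere up to the hard
 * limit, so a daemon can do this for itself at startup (the 1024 -> 4096
 * step discussed above).  Returns the resulting soft limit, or -1 on error. */
long set_nofile_soft(unsigned long want)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    rlim_t target = want;
    if (rl.rlim_max != RLIM_INFINITY && target > rl.rlim_max)
        target = rl.rlim_max;  /* going past the hard limit needs CAP_SYS_RESOURCE */
    rl.rlim_cur = target;
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return (long)target;
}

/* One "upstream query" worth of fds: a fresh UDP socket, as kresd opens per
 * packet for port randomisation.  Falls back to /dev/null if the sandbox
 * forbids sockets, so the fd limit itself is still exercised. */
static int open_probe_fd(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 && errno != EMFILE)
        fd = open("/dev/null", O_RDONLY);
    return fd;
}

/* Open probe fds until the soft limit bites.  Returns the number opened;
 * *last_errno gets the errno of the failing call (EMFILE when the
 * per-process limit is the cause) or 0 if PROBE_CAP was reached first.
 * All probe fds are closed again before returning. */
int exhaust_fds(int *last_errno)
{
    int *fds = malloc(sizeof(int) * PROBE_CAP);
    if (fds == NULL) {
        *last_errno = errno;
        return -1;
    }
    int n = 0;
    *last_errno = 0;
    while (n < PROBE_CAP) {
        int fd = open_probe_fd();
        if (fd < 0) {
            *last_errno = errno;
            break;
        }
        fds[n++] = fd;
    }
    for (int i = 0; i < n; i++)
        close(fds[i]);
    free(fds);
    return n;
}

int main(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) {
        perror("getrlimit");
        return 1;
    }
    printf("start: soft=%ld hard=%ld\n", (long)rl.rlim_cur, (long)rl.rlim_max);

    /* Simulate a tight default (64 instead of 1024) and run into it. */
    int err = 0;
    set_nofile_soft(64);
    int n = exhaust_fds(&err);
    printf("soft=64: opened %d fds, then errno %d (%s)\n", n, err, strerror(err));

    /* What a daemon could do at startup: lift the soft limit to the hard one. */
    long hard = nofile_hard();
    long soft = set_nofile_soft(hard > 0 ? (unsigned long)hard : 4096);
    n = exhaust_fds(&err);
    printf("soft=%ld: opened %d fds, errno %d (%s)\n", soft, n, err,
           err ? strerror(err) : "probe cap reached");
    return 0;
}
```

The first run stops a few fds short of 64 (stdin/stdout/stderr already count) with `EMFILE`, which is exactly the error a busy resolver would hit with the 1024 default; after lifting the soft limit the same loop runs up to the hard limit or the probe cap. Raising the hard limit itself is not something the process can do unprivileged, so that part still belongs in the unit file or `limits.conf`.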