Support Wireguard NAPI threading for high packet per second clusters

[jrcichra]

Expected Behavior

No packets are dropped if a node receives > ~180kpps.

Current Behavior

In our environment we see dropped packets at around ~180kpps coming over the wireguard interface. A single core will be at 100% CPU usage for wireguard.

Possible Solution

Support NAPI threading by setting /sys/class/net/wireguard.cali/threaded to 1. This will spread the load across many cores.

Steps to Reproduce (for bugs)

1. Send enough pps of about ~1400 bytes to a wireguard node running a server where the traffic goes through the pod network
2. Observe the cpu of the node and see 50% sortirq and 50% wireguard kernel threads using a core.
3. Observe metrics for dropped receive packets such as container_network_receive_packets_dropped_total.
4. echo 1 > /sys/class/net/wireguard.cali/threaded to resolve the issue.

Context

Kubernetes cluster with wireguard encryption cannot sustain the packets per second and is causing all tenants on a machine to experience high packet loss.

Your Environment

• Calico version: v3.27.3
• Orchestrator version (e.g. kubernetes, mesos, rkt): Kubernetes 1.30.1
• Operating System and version: Debian Bookworm
• Link to your project (optional):