From: Wolfgang Walter <linux@stwm.de>
To: Florian Westphal <fw@strlen.de>
Cc: Steffen Klassert <steffen.klassert@secunet.com>,
David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
torvalds@linux-foundation.org, christophe.gouault@6wind.com
Subject: Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels
Date: Tue, 02 Oct 2018 19:34 +0200 [thread overview]
Message-ID: <4327972.7bla238zOs@stwm.de> (raw)
In-Reply-To: <20181002145616.pwdhbmafgsihbxvm@breakpoint.cc>
Am Dienstag, 2. Oktober 2018, 16:56:16 schrieb Florian Westphal:
> Wolfgang Walter <linux@stwm.de> wrote:
> > Since my last reply to this message I didn't get a reply: is there any
> > progress how to fix this performance regression I missed?
>
> Did you test/experiment with hthresh config option?
I did. It did not improve the situation.
I suppose that is because our masks range from /16 to /30 and excpecially have
for example /16 <=> /8 and vice versa.
When forwarding, every policy A => B also implies that you add a policy B =>
A.
I'm not familiar when the policy database is consulted, but I think it now has
to for every not encrypted paket, and for those all rules have to be
consulted. And unencrypted traffic is a large part of the traffic on that
router.
That is: for unencrypted traffic neither the buckets of the hash nor the
inexact list may be large.
>
> > Or are we stuck here with longterm kernel 4.9 for a long time?
>
> I'm experimenting with per-dst inexact lists in an rbtree but
> this will take time.
Hmm, I doubt that this is worth the effort. And certainly not that easy
correctly done, as it still would have to obey the original order of the rules
(their priority).
You may have a lot of rules of the form say
10.0.0.0/16 <=> 10.1.0.0/29 encrypt ....
10.0.0.0/16 <=> 10.1.0.8/29 encrypt ....
....
And things like that.
Also, you get something like that
10.0.1.0/24 <=> 10.0.2.0/29 allow
10.0.0.0/16 <=> 10.0.2.0/24 encrypt
0.0.0.0 <=> 10.0.2.0/16 block
And people may use source port and/or destination port or protocol
(tcp/udp/imcp) to further tailor there ruleset.
Here is the approach HiPAC took for packet classification
https://pdfs.semanticscholar.org/a0bb/9d31e2499fb659c9e0d9544072d2f3c25079.pdf
https://pdfs.semanticscholar.org/0dea/8ee87f596f200de2722cbe9480610dd1a0db.pdf
Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
next prev parent reply other threads:[~2018-10-02 17:34 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-13 11:30 Regression: kernel 4.14 an later very slow with many ipsec tunnels Wolfgang Walter
2018-09-13 13:58 ` Florian Westphal
2018-09-13 15:46 ` Wolfgang Walter
2018-09-13 16:38 ` Florian Westphal
2018-09-13 17:23 ` David Miller
2018-09-13 21:03 ` Florian Westphal
2018-09-13 21:12 ` David Miller
2018-09-14 5:06 ` Steffen Klassert
2018-09-14 5:54 ` Florian Westphal
2018-09-14 6:01 ` Steffen Klassert
2018-09-14 8:01 ` Christophe Gouault
2018-09-14 11:49 ` Wolfgang Walter
2018-10-02 14:45 ` Wolfgang Walter
2018-10-02 14:56 ` Florian Westphal
2018-10-02 17:34 ` Wolfgang Walter [this message]
2018-10-02 21:35 ` Florian Westphal
2018-10-04 13:57 ` Wolfgang Walter
2018-10-25 9:38 ` Wolfgang Walter
2018-10-25 17:34 ` David Miller
2018-10-25 19:24 ` Florian Westphal
2018-10-26 12:18 ` Wolfgang Walter
2018-10-25 22:45 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4327972.7bla238zOs@stwm.de \
--to=linux@stwm.de \
--cc=christophe.gouault@6wind.com \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).