Re: Regression: kernel 4.14 and later very slow with many ipsec tunnels

From: Florian Westphal
Date: Thu Sep 13 2018 - 17:03:33 EST


David Miller <davem@xxxxxxxxxxxxx> wrote:
> From: Florian Westphal <fw@xxxxxxxxx>
> Date: Thu, 13 Sep 2018 18:38:48 +0200
>
> > Wolfgang Walter <linux@xxxxxxx> wrote:
> >> What I can say is that it depends mainly on number of policy rules and SA.
> >
> > That's already a good hint, I guess we're hitting long hash chains in
> > xfrm_policy_lookup_bytype().
>
> I don't really see how recent changes can influence that.

I don't think there is a recent change that did this.

Walter says < 4.14 is ok, so this is likely related to flow cache removal.

F.e. it looks like all prefixed policies end up in a linked list
(net->xfrm.policy_inexact) and are not even in a hash table.

I am staring at b58555f1767c9f4e330fcf168e4e753d2d9196e0
but can't figure out how to configure that away from the
'no hashing for prefixed policies' default or why we even have
policy_inexact in the first place :/

I'll look at this again tomorrow.
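
Added illustration, not part of the original message and not kernel code: a toy C model of the lookup cost the message suspects, where full-length (/32) selectors are hashed but every prefixed selector sits on one linked list. All names, the bucket count, the modulo hash and the 10.0.0.0-based addresses are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy model, NOT kernel code: every name here is hypothetical. */
#define BUCKETS 1024
struct policy { uint32_t daddr; uint8_t plen; struct policy *next; };
struct policy_db {
    struct policy *exact[BUCKETS]; /* hashed: full-length (/32) selectors */
    struct policy *inexact;        /* one list: every prefixed selector */
};

static int sel_match(const struct policy *p, uint32_t daddr)
{
    uint32_t mask = p->plen ? ~0u << (32 - p->plen) : 0;
    return (daddr & mask) == (p->daddr & mask);
}

static void policy_insert(struct policy_db *db, struct policy *p)
{
    /* Stand-in hash (address modulo bucket count); prefixed entries skip it. */
    struct policy **head = p->plen == 32 ? &db->exact[p->daddr % BUCKETS]
                                         : &db->inexact;
    p->next = *head;
    *head = p;
}

/* Selector comparisons needed to resolve daddr: hash bucket, then the list. */
static unsigned lookup_steps(const struct policy_db *db, uint32_t daddr)
{
    unsigned steps = 0;
    for (const struct policy *p = db->exact[daddr % BUCKETS]; p; p = p->next, steps++)
        if (sel_match(p, daddr)) return steps + 1;
    for (const struct policy *p = db->inexact; p; p = p->next, steps++)
        if (sel_match(p, daddr)) return steps + 1;
    return steps; /* no policy matched */
}

/* n > 0 tunnels, one policy each (constructed data), plen in 1..32. */
unsigned worst_case_steps(unsigned n, uint8_t plen)
{
    struct policy_db db = {0};
    struct policy *pool = calloc(n, sizeof(*pool));
    if (!pool) abort();
    for (unsigned i = 0; i < n; i++) {
        /* i-th block of size 2^(32-plen), starting at 10.0.0.0 */
        pool[i] = (struct policy){ 0x0a000000u + i * (1u << (32 - plen)), plen, NULL };
        policy_insert(&db, &pool[i]);
    }
    unsigned steps = lookup_steps(&db, 0x0a000000u); /* oldest entry is at the tail */
    free(pool);
    return steps;
}
```

In this model 4096 /32 policies cost 4 comparisons for the worst-placed entry, while 4096 /24 policies cost 4096, and that walk repeats on every lookup when no per-flow cache sits in front of it.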