Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels
From: Wolfgang Walter
Date: Thu Oct 25 2018 - 05:38:23 EST
there is now a new 4.19 which still has the big performance regression when
many ipsec tunnels are configured (throughput and latency get worse by 10 to
50 times) which makes any kernel > 4.9 unusable for our routers.
I still don't understand why a revert of the flow cache removal at least for
the longterm kernels is that a bad option (maybe as a compile time option),
especially as there is no workaround available.
We use linux in that scenario since more than 10 years so I'm really rather
unhappy if not to say despaired that we will be stucked with 4.9 for an
We would have detected and reported that performance regression much earlier
if not another bug in ipsec had prevented us from running 4.14 and later until
end of august 2018 (See kernels > v4.12 oops/crash with ipsec-traffic:
bisected to b838d5e1c5b6e57b10ec8af2268824041e3ea911: ipv4: mark DST_NOGC and
remove the operation of dst_free()).
Am Donnerstag, 4. Oktober 2018, 15:57:52 schrieb Wolfgang Walter:
> Am Dienstag, 2. Oktober 2018, 23:35:36 schrieb Florian Westphal:
> > Well, I'm not going to send a revert of the flowcache removal.
> > I'm willing to experiment with alternatives to a full iteration of the
> > inexact list but thats it.
> If this brings performance back to pre-removal, I'm fine with that. I'm even
> fine if it is slower by a factor of 2.
> I think it is a serious regression, and there is no workaround, and therefor
> it cannot stay like that.
> So I still hope that reverting is an option if no acceptable solution can be
> > > correctly done, as it still would have to obey the original order of the
> > > rules (their priority).
> > Except that neither the priority or the order in which it was added
> > matters in case the selector doesn't match.
> To match a packet one has to find all matching rules and chose that one with
> the lowest priority.
> "indexing" by dst will not help much if you have a ruleset where a lot of
> rules sharing a dst. You also have to replicate rules with dsts that have a
> prefix oft another dst as they may habe a higher priority even if they are
> less specific.
> Every such entry may again have such an "indexing" by dst. Only then this
> would be efficient.
> I wonder why there is no such thing for netfilter or the rules list in
> routing. nf does not have such a thing, either. This is the reason why I
> think that this is not that easy and for longterm kernel 4.14 the best
> solution will be a revert anyway.
Anstalt des öffentlichen Rechts