On Sat, Jul 17, 2021 at 06:32:59PM +0200, Hrvoje Popovski wrote:
> with this diff i'm getting very stable traffic over tunnel and it's
> little faster.

This is expected.  Too much queueing creates oscillating behavior
and suboptimal throughput.

> Even with your last diff on tech@
> https://marc.info/?l=openbsd-tech&m=162645141414262&w=2
> i'm seeing traffic drops, less frequent, but i'm seeing it...

There is another reason for traffic drops.  iked(8) is not clever
when rekeying.  The idea is to have SAs with old key and new key
simultaneously.  After both machines have new SA, the old should
be removed.  But currently we have a window when sender uses new
SA, but receiver only has old SA and cannot decrypt the packets.
This is a temporary problem, I see drops for a short time.  tobhe@
wants to fix this.

I think you use isakmpd(8), I don't know how rekeying works there.

> Do you want me to test this diff combined with your ipsec diff
> on tech@ ?

I have committed the replay diff.  This fixes permanent packet drop.

Do you see permanent traffic stalls with current?  Temporary drops
are still possible.

The rekey problem is known.  The crypto queuing problem is known.
You could disable iked lifetime bytes rekeying and try my no crypto
queue diff.  Do you see traffic drops with that?

> And this diff with parallel forwarding?

Parallel forwarding still crashes with IPsec.  We must commit fixes
step by step until we get it stable.  Of course you can try it, but
currently I can reproduce problems myself.

Like this one.  We should only run one softnet thread when IPsec is
enabled.

root@ot14:.../~# uvm_fault(0xffffffff8225c808, 0xffffffffffffffff, 0, 2) -> e
kernel: page fault trap, code=0
Stopped at      ipsp_spd_lookup+0x9c4:  movq    %rax,0(%rcx)
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 502713  11928      0     0x14000      0x200    2  crypto
 112707  35427      0     0x14000      0x200    1  softnet
 296509  86272      0     0x14000      0x200    3  softnet
*484019  88695      0     0x14000      0x200    0  softnet
ipsp_spd_lookup(fffffd809afb1600,2,14,ffff8000246ae21c,2,0) at ipsp_spd_lookup+
0x9c4
ip_output_ipsec_lookup(fffffd809afb1600,14,ffff8000246ae21c,0,0) at ip_output_i
psec_lookup+0x4d
ip_output(fffffd809afb1600,0,ffff8000246ae3a8,1,0,0) at ip_output+0x42a
ip_forward(fffffd809afb1600,ffff800000111048,fffffd8120481240,0) at ip_forward+
0x26a
ip_input_if(ffff8000246ae4e8,ffff8000246ae4f4,4,0,ffff800000111048) at ip_input
_if+0x365
ipv4_input(ffff800000111048,fffffd809afb1600) at ipv4_input+0x39
if_input_process(ffff800000111048,ffff8000246ae568) at if_input_process+0x6f
ifiq_process(ffff800000110d00) at ifiq_process+0x69
taskq_thread(ffff80000002e080) at taskq_thread+0x81
end trace frame: 0x0, count: 6

Thanks for testing our diffs.

bluhm
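
Added example, not part of the original mail and not iked(8) or OpenBSD
kernel code: a toy C model of the rekey window described above, where the
receiver's inbound SA table is looked up by SPI and a packet is lost
whenever the sender's current SA is not installed on the receiver.  The SPI
values, the tick timeline and all function names are assumptions made for
illustration.

```c
/* Toy model of the rekey window; not iked(8) or kernel code. */
#include <stdint.h>
#include <stdio.h>

#define MAX_SA 4
struct sadb { uint32_t spi[MAX_SA]; int n; };   /* receiver's inbound SAs */

static void sa_add(struct sadb *db, uint32_t spi) {
    if (db->n < MAX_SA) db->spi[db->n++] = spi;
}
static void sa_del(struct sadb *db, uint32_t spi) {
    for (int i = 0; i < db->n; i++)
        if (db->spi[i] == spi) { db->spi[i] = db->spi[--db->n]; return; }
}
static int sa_lookup(const struct sadb *db, uint32_t spi) {
    for (int i = 0; i < db->n; i++)
        if (db->spi[i] == spi) return 1;
    return 0;
}

/*
 * One packet is sent per tick.
 *   t_switch:  tick at which the sender starts using the new SA
 *   t_install: tick at which the receiver installs the new inbound SA
 *   t_delete:  tick at which the receiver removes the old inbound SA
 * Returns the number of packets the receiver cannot decrypt.
 */
int rekey_drops(int ticks, int t_switch, int t_install, int t_delete) {
    const uint32_t OLD_SPI = 0x1000, NEW_SPI = 0x2000; /* constructed values */
    struct sadb rx = { {0}, 0 };
    int drops = 0;

    sa_add(&rx, OLD_SPI);
    for (int t = 0; t < ticks; t++) {
        if (t == t_install) sa_add(&rx, NEW_SPI);
        if (t == t_delete)  sa_del(&rx, OLD_SPI);
        uint32_t spi = (t >= t_switch) ? NEW_SPI : OLD_SPI;
        if (!sa_lookup(&rx, spi)) drops++;   /* no SA for this SPI: drop */
    }
    return drops;
}

int main(void) {
    printf("sender switches first:    %d drops\n", rekey_drops(10, 3, 6, 8));
    printf("receiver installs first:  %d drops\n", rekey_drops(10, 6, 3, 8));
    printf("old SA removed too early: %d drops\n", rekey_drops(10, 6, 3, 4));
    return 0;
}
```

In this model the drops disappear only when the receiver holds both SAs for
the whole interval in which the sender may use either one.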
