On 07.12.2018 18:02, Lev Serebryakov wrote: >> (I'm not sure, that it is exactly "bug" or "defect" and want to > ... discuss it here before filing PR. > >> Now I'm throwing IPsec into mix. All incoming traffic is tunneled with >> IPsec policy, with aes-128-gcm encryption. And with IPsec tx_abdicate >> makes thing much worse and much more unstable. > I could say, that it doesn't matter, if I using IPsec with "tunnel" > policy to encrypt and tunnel transit traffic or if I add "gif" into mix > and encrypt GIF traffic in "transport" mode. In both cases tx_abdicate > makes PPS much lower. And one more datapoint: if I'm using "null" cipher (so, IPsec is in play, but no real encryption is performed) losses in packet rate are about 50% from turning on tx_abdicate. It is worst-case scenario.
And if I have outbound traffic (traffic is received without IPsec processing and sent with IPsec processing on other interface) I have noticeable gains, up to 15% in packets per second and bandwidth. So, lookslike tx_abdicate works well when it is applied to non-IPsec-processed traffic. -- // Lev Serebryakov
Description: OpenPGP digital signature