Hello,

On Tue, Jul 18, 2017 at 8:15 PM, David Miller <da...@davemloft.net> wrote:
> Steffen, I know you have some level of trepidation about this because
> there is obviously some performance cost immediately for removing this
> DoS problem.
In a project I am involved in, we are running ipsec (Strongswan) on different mt7621-based routers. Each router is configured as an initiator and has around 30 tunnels to different responders (running on misc. devices).

Before the flow cache was removed (kernel 4.9), we got a combined throughput of around 70Mbit/s for all tunnels on one router. However, we recently switched to kernel 4.14 (4.14.48), and the total throughput is somewhere around 57Mbit/s (best case), i.e., a drop of around 20%. Reverting the flow cache removal restores, as expected, performance levels to those of kernel 4.9.

Carrying around a fairly large revert patch is not something we want; we are more interested in trying to fix at least some of the performance problems. However, we are not very experienced when it comes to profiling the kernel code or the xfrm code itself. Are there any known areas we should take a special look at, or should we just read up on different profiling tools and get started?

Also, the revert went very smoothly, which always makes me a bit nervous. Are there any parts of the flow cache removal that should or would require a bit of special care when reverted?

Thanks in advance for any help.

BR,
Kristian