On Tue, Jul 18, 2017 at 8:15 PM, David Miller <da...@davemloft.net> wrote:
> Steffen, I know you have some level of trepidation about this because
> there is obviously some performance cost immediately for removing this
> DoS problem.
In a project I am involved in, we are running ipsec (Strongswan) on
different mt7621-based routers. Each router is configured as an
initiator and has around ~30 tunnels to different responders (running
on misc. devices). Before the flow cache was removed (kernel 4.9), we
got a combined throughput of around 70Mbit/s for all tunnels on one
router. However, we recently switched to kernel 4.14 (4.14.48), and
the total throughput is somewhere around 57Mbit/s (best-case). I.e., a
drop of around 20%. Reverting the flow cache removal restores, as
expected, performance levels to that of kernel 4.9.
Carrying around a fairly large revert patch is not something we want,
we are more interested in trying to fix at least some of the
performance problems. However, we are not very experienced when it
comes to profiling the kernel code or the xfrm-code itself. Are there
any known areas we should take a special look at, or should we just
read-up on different profiling tools and get started?
Also, the revert went very smooth, which always makes me a bit
nervous. Are there any parts of the flow cache removal that should or
would require a bit of special care when reverted?
Thanks in advance for any help.