On Wed, Apr 21, 2021 at 10:50:40PM +0200, Alexander Bluhm wrote:
> > pfkeyv2_send(struct socket *so, void *message, int len)
> > {
> > ....
> >         ipsec_in_use++;
> >         /*
> >          * XXXSMP IPsec data structures are not ready to be
> >          * accessed by multiple Network threads in parallel,
> >          * so force all packets to be processed by the first
> >          * one.
> >          */
> >         extern int nettaskqs;
> >         nettaskqs = 1;
>
> What an evil hack! I will remove this and we will see if it crashes.
> The problematic call seems to be ipsec_forward_check(), the other
> parts of IPsec are under exclusive netlock.

I removed this code and ran the test again. Now we have a middle
column without nettaskqs = 1.

http://bluhm.genua.de/perform/results/2021-04-21T10%3A50%3A37Z/gnuplot/forward.png

Everything works fine, but I think this hack is necessary.
ip_input_if() calls ipsec_forward_check() which does ipsp_spd_lookup().
For a simple lookup a read lock would be sufficient. But it also
modifies the TAILQ &ipo->ipo_tdb->tdb_policy_head as a cache.

bluhm
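
The locking point in the message above, as an added example that is not part of the original mail and not OpenBSD code: a lookup that refreshes a TAILQ-linked cache is a writer, so only the cache-hit check is safe under a shared lock. The structs and the `spd_*` functions are simplified, hypothetical stand-ins, and the assumption is that a policy is linked on the list of the tdb it caches.

```c
#include <stddef.h>
#include <sys/queue.h>

/* Simplified, hypothetical stand-ins for the kernel's tdb and policy. */
struct policy;
struct tdb {
	TAILQ_HEAD(, policy) policy_head;	/* policies caching this tdb */
};
struct policy {
	struct tdb *cached;			/* cache slot, like ipo_tdb */
	TAILQ_ENTRY(policy) tdb_next;		/* linkage on policy_head */
};

/* Phase 1: pure comparison, no stores; safe under a shared (read) lock. */
int spd_cache_hit(const struct policy *ipo, const struct tdb *want)
{
	return ipo->cached == want;
}

/* Phase 2: unlinks from one list and links onto another. Two threads
 * doing this concurrently corrupt the queue pointers, so the caller
 * must hold the exclusive (write) lock. */
void spd_cache_update(struct policy *ipo, struct tdb *want)
{
	if (ipo->cached != NULL)
		TAILQ_REMOVE(&ipo->cached->policy_head, ipo, tdb_next);
	ipo->cached = want;
	if (want != NULL)
		TAILQ_INSERT_TAIL(&want->policy_head, ipo, tdb_next);
}

/* Returns 1 when the lookup had to write, i.e. a read lock was not enough. */
int spd_lookup(struct policy *ipo, struct tdb *want)
{
	if (spd_cache_hit(ipo, want))
		return 0;
	spd_cache_update(ipo, want);
	return 1;
}

int main(void)
{
	struct tdb a;				/* constructed sample data */
	struct policy ipo = { NULL };
	TAILQ_INIT(&a.policy_head);
	/* First lookup writes the cache, the second one only reads it. */
	return !(spd_lookup(&ipo, &a) == 1 && spd_lookup(&ipo, &a) == 0);
}
```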