From owner-freebsd-net@freebsd.org  Sun May  2 13:08:25 2021
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 04B75625222
 for <freebsd-net@mailman.nyi.freebsd.org>;
 Sun,  2 May 2021 13:08:25 +0000 (UTC)
 (envelope-from bu7cher@yandex.ru)
Received: from forward101j.mail.yandex.net (forward101j.mail.yandex.net
 [5.45.198.241])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4FY5yH4wMwz4fyj;
 Sun,  2 May 2021 13:08:23 +0000 (UTC)
 (envelope-from bu7cher@yandex.ru)
Received: from forward102q.mail.yandex.net (forward102q.mail.yandex.net
 [IPv6:2a02:6b8:c0e:1ba:0:640:516:4e7d])
 by forward101j.mail.yandex.net (Yandex) with ESMTP id C7DB11BE12F4;
 Sun,  2 May 2021 16:08:19 +0300 (MSK)
Received: from vla1-b5449b1c7de5.qloud-c.yandex.net
 (vla1-b5449b1c7de5.qloud-c.yandex.net
 [IPv6:2a02:6b8:c0d:3915:0:640:b544:9b1c])
 by forward102q.mail.yandex.net (Yandex) with ESMTP id A242A3A20002;
 Sun,  2 May 2021 16:08:19 +0300 (MSK)
Received: from vla1-719694b86d9e.qloud-c.yandex.net
 (vla1-719694b86d9e.qloud-c.yandex.net [2a02:6b8:c0d:3495:0:640:7196:94b8])
 by vla1-b5449b1c7de5.qloud-c.yandex.net (mxback/Yandex) with ESMTP id
 gRAY2SSjBl-8JI4bYKJ; Sun, 02 May 2021 16:08:19 +0300
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail;
 t=1619960899; bh=egq3P1l8JamcgNtO4gawcclULuSOJTEBTjZ4a+qPZx4=;
 h=In-Reply-To:Subject:From:Date:References:To:Message-ID:Cc;
 b=A8yrc9fpgvNASbM+5JXNa8DS9DJ3FK+8kjLFcnIy1dh2MHL2mPwb4AhiWUV9L3HNZ
 4bSVUqetO7shNEL3noucLhsVbUTCn8/q8t+w8ms3FGCgTV0Dx52OjzCW9U/ZMLFbbm
 lqAu63Axa1NGtY6utYGrv6PHRUo33bpM//VQJWS8=
Received: by vla1-719694b86d9e.qloud-c.yandex.net (smtp/Yandex) with ESMTPSA
 id 0Zj7yJgjoc-8JLGDjYB; Sun, 02 May 2021 16:08:19 +0300
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 (Client certificate not present)
To: Mark Johnston <markj@freebsd.org>, =?UTF-8?Q?=c3=96zkan_KIRIK?=
 <ozkan.kirik@gmail.com>
Cc: FreeBSD Net <freebsd-net@freebsd.org>
References: <CAAcX-AF=0s5tueCuanFKkoALNkRnWJ-8QrzfCqSu=ReoWvqMug@mail.gmail.com>
 <YIxpdL9b6v8+N+Lg@nuc>
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Subject: Re: IPsec performace - netisr hits %100
Message-ID: <50cfc0e6-5cc6-7004-2566-bc06428d4394@yandex.ru>
Date: Sun, 2 May 2021 16:08:18 +0300
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:78.0) Gecko/20100101
 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <YIxpdL9b6v8+N+Lg@nuc>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="NSOW9Ri3VPfy3up6qZQwXjwHxiszOoES5"
X-Rspamd-Queue-Id: 4FY5yH4wMwz4fyj
X-Spamd-Bar: -----
Authentication-Results: mx1.freebsd.org;
 dkim=pass header.d=yandex.ru header.s=mail header.b=A8yrc9fp;
 dmarc=pass (policy=none) header.from=yandex.ru;
 spf=pass (mx1.freebsd.org: domain of bu7cher@yandex.ru designates 5.45.198.241
 as permitted sender) smtp.mailfrom=bu7cher@yandex.ru
X-Spamd-Result: default: False [-5.21 / 15.00]; FREEMAIL_FROM(0.00)[yandex.ru];
 R_SPF_ALLOW(-0.20)[+ip4:5.45.192.0/19]; HAS_ATTACHMENT(0.00)[];
 RCVD_COUNT_THREE(0.00)[4]; TO_DN_ALL(0.00)[];
 DKIM_TRACE(0.00)[yandex.ru:+];
 DMARC_POLICY_ALLOW(-0.50)[yandex.ru,none];
 NEURAL_HAM_SHORT(-0.30)[-0.298]; SIGNED_PGP(-2.00)[];
 FREEMAIL_TO(0.00)[freebsd.org,gmail.com];
 RCVD_IN_DNSWL_LOW(-0.10)[5.45.198.241:from];
 RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~];
 FREEMAIL_ENVFROM(0.00)[yandex.ru]; MID_RHS_MATCH_FROM(0.00)[];
 RBL_DBL_DONT_QUERY_IPS(0.00)[5.45.198.241:from];
 ASN(0.00)[asn:13238, ipnet:5.45.192.0/18, country:RU];
 ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.71)[-0.709];
 R_DKIM_ALLOW(-0.20)[yandex.ru:s=mail]; FROM_EQ_ENVFROM(0.00)[];
 FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3];
 NEURAL_HAM_LONG(-1.00)[-1.000]; TAGGED_RCPT(0.00)[];
 MIME_GOOD(-0.20)[multipart/signed,multipart/mixed,text/plain];
 SPAMHAUS_ZRD(0.00)[5.45.198.241:from:127.0.2.255];
 DWL_DNSWL_NONE(0.00)[yandex.ru:dkim];
 TO_MATCH_ENVRCPT_SOME(0.00)[];
 RWL_MAILSPIKE_POSSIBLE(0.00)[5.45.198.241:from];
 MAILMAN_DEST(0.00)[freebsd-net]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 02 May 2021 13:08:25 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--NSOW9Ri3VPfy3up6qZQwXjwHxiszOoES5
Content-Type: multipart/mixed; boundary="6gJvw4Rnr7QpXaiyFsxtb5WniHvp3jCZA";
 protected-headers="v1"
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Mark Johnston <markj@freebsd.org>, =?UTF-8?Q?=c3=96zkan_KIRIK?=
 <ozkan.kirik@gmail.com>
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Message-ID: <50cfc0e6-5cc6-7004-2566-bc06428d4394@yandex.ru>
Subject: Re: IPsec performace - netisr hits %100
References: <CAAcX-AF=0s5tueCuanFKkoALNkRnWJ-8QrzfCqSu=ReoWvqMug@mail.gmail.com>
 <YIxpdL9b6v8+N+Lg@nuc>
In-Reply-To: <YIxpdL9b6v8+N+Lg@nuc>

--6gJvw4Rnr7QpXaiyFsxtb5WniHvp3jCZA
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

30.04.2021 23:32, Mark Johnston =D0=BF=D0=B8=D1=88=D0=B5=D1=82:
> Second, netipsec unconditionally hands rx processing off to netisr
> threads for some reason, that's why changing the dispatch policy doesn'=
t
> help.  Maybe it's to help avoid running out of kernel stack space or to=

> somehow avoid packet reordering in some case that is not clear to me.  =
I
> tried a patch (see below) which eliminates this and it helped somewhat.=

> If anyone can provide an explanation for the current behaviour I'd
> appreciate it.

Previously we have reports about kernel stack overflow during IPsec
processing. In your example there is only one IPsec transform is
configured, but it is possible to configure several in the bundle,
AFAIR, it is limited to 4 transforms. E.g. if you configure ESP+AH - it
is bundle of two transforms and this will grow kernel stack requirements.=


--=20
WBR, Andrey V. Elsukov


--6gJvw4Rnr7QpXaiyFsxtb5WniHvp3jCZA--

--NSOW9Ri3VPfy3up6qZQwXjwHxiszOoES5
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEE5lkeG0HaFRbwybwAAcXqBBDIoXoFAmCOpEIFAwAAAAAACgkQAcXqBBDIoXr0
HAgAqLOzhXvJFhDtmv7a+jQKxSZk0r3Fzxwl4n1RB9zLwkNTva0/8iCRE5oyCki/v7v8yxaoIVq5
bz8ptqtKC5UrUcP21RMrCQkGt9Tv3lyvz8U/vGx4wPPMrQVVeOEBN1Tn6/M4cj6+U2Kqe8DcDqNT
05Eb0v7rT3WX+tGIxc1sjNIWgN/CR3AOqitNBKL6yJ/Nnr/lVx8lz3DeTZaCKLVn/sKNlYNqmoWa
RxyHFv45/oZvYA8L1mQgtd0rpZE2k1QB69OZnhXzGfrNY5YY46mzTz/M3dX+CCThpyU9911Z5CMd
EOz0eWMZJgIhUn5/EjO2aVPgJ3zHyxqyHFpURGg54w==
=BM6w
-----END PGP SIGNATURE-----

--NSOW9Ri3VPfy3up6qZQwXjwHxiszOoES5--