Date: Fri, 24 Apr 2015 02:05:55 +0200 From: Sydney Meyer <meyer.sydney@googlemail.com> To: freebsd-net@freebsd.org Subject: Re: IPSec Performance under Xen Message-ID: <CF8C7FDE-21EB-4530-9B0B-1D69B76B9D4F@gmail.com> In-Reply-To: <55397FB3.6080702@yandex.ru> References: <CF189888-FD6B-4407-8360-56206D49DD6D@gmail.com> <55397FB3.6080702@yandex.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello Andrey, first off, thank you for your explanation. As for your Hint, i am not a C Programmer but i think i have a better = understanding of the issue now. I believe this is a know issue and the reason why IPSEC isn't in = GENERIC, afaik from this discussion = (https://lists.freebsd.org/pipermail/freebsd-hackers/2009-April/028364.htm= l). I have compiled the patched kernel and am installing on the vm's now.. = will get back to you. S. > On Apr 24, 2015, at 01:26, Andrey V. Elsukov <bu7cher@yandex.ru> = wrote: >=20 > On 24.04.2015 01:00, Sydney Meyer wrote: >> Hello, >>=20 >> I have set up 2 VM's under Xen running each one IPSec-Endpoint. >> Everything seems to work fine, but (measured with benchmarks/iperf) >> the performance drops from ~10 Gb/s on a non-IPSec-Kernel to ~200 >> Mb/s with IPSec compiled in, regardless of whether actually using >> IPSec or not. >=20 > Can you test this patch to see the difference? It isn't a fix. It is > just to see how will help avoiding of PCB check. >=20 > --- ip_output.c (revision 281867) > +++ ip_output.c (working copy) > @@ -482,7 +482,7 @@ again: >=20 > sendit: > #ifdef IPSEC > - switch(ip_ipsec_output(&m, inp, &flags, &error)) { > + switch(ip_ipsec_output(&m, NULL, &flags, &error)) { > case 1: > goto bad; > case -1: >=20 >=20 > --=20 > WBR, Andrey V. Elsukov
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CF8C7FDE-21EB-4530-9B0B-1D69B76B9D4F>