Date: Fri, 24 Apr 2015 02:55:26 +0200 From: Sydney Meyer <meyer.sydney@googlemail.com> To: freebsd-net@freebsd.org Subject: Re: IPSec Performance under Xen Message-ID: <079851FA-50AC-47E8-B4BE-D97DE4C185B5@gmail.com> In-Reply-To: <55397FB3.6080702@yandex.ru> References: <CF189888-FD6B-4407-8360-56206D49DD6D@gmail.com> <55397FB3.6080702@yandex.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
Andrey,
with your patch applied the performance drop while using the =
IPSEC-enabled kernel without doing actual IPSec traffic seems to be =
gone.
I haven't tested IPSec itself yet, as i had to start from scratch with =
new VM's but i will set up a IPSec connection and report back.
S.
> On Apr 24, 2015, at 01:26, Andrey V. Elsukov <bu7cher@yandex.ru> =
wrote:
>=20
> On 24.04.2015 01:00, Sydney Meyer wrote:
>> Hello,
>>=20
>> I have set up 2 VM's under Xen running each one IPSec-Endpoint.
>> Everything seems to work fine, but (measured with benchmarks/iperf)
>> the performance drops from ~10 Gb/s on a non-IPSec-Kernel to ~200
>> Mb/s with IPSec compiled in, regardless of whether actually using
>> IPSec or not.
>=20
> Can you test this patch to see the difference? It isn't a fix. It is
> just to see how will help avoiding of PCB check.
>=20
> --- ip_output.c (revision 281867)
> +++ ip_output.c (working copy)
> @@ -482,7 +482,7 @@ again:
>=20
> sendit:
> #ifdef IPSEC
> - switch(ip_ipsec_output(&m, inp, &flags, &error)) {
> + switch(ip_ipsec_output(&m, NULL, &flags, &error)) {
> case 1:
> goto bad;
> case -1:
>=20
>=20
> --=20
> WBR, Andrey V. Elsukov
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?079851FA-50AC-47E8-B4BE-D97DE4C185B5>