Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 10 May 2019 15:44:58 +0300
From:      Slawa Olhovchenkov <slw@zxy.spb.ru>
To:        Andrew Gallatin <gallatin@FreeBSD.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r347410 - in head: . sys/amd64/conf sys/arm/conf sys/arm64/conf sys/i386/conf sys/powerpc/conf sys/riscv/conf sys/sparc64/conf
Message-ID:  <20190510124458.GB65054@zxy.spb.ru>
In-Reply-To: <201905092238.x49McFCO015665@repo.freebsd.org>
References:  <201905092238.x49McFCO015665@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Thu, May 09, 2019 at 10:38:15PM +0000, Andrew Gallatin wrote:

> Author: gallatin
> Date: Thu May  9 22:38:15 2019
> New Revision: 347410
> URL: https://svnweb.freebsd.org/changeset/base/347410
> 
> Log:
>   Remove IPSEC from GENERIC due to performance issues
>   
>   Having IPSEC compiled into the kernel imposes a non-trivial
>   performance penalty on multi-threaded workloads due to IPSEC
>   refcounting. In my benchmarks of multi-threaded UDP
>   transmit (connected sockets), I've seen a roughly 20% performance
>   penalty when the IPSEC option is included in the kernel (16.8Mpps
>   vs 13.8Mpps with 32 senders on a 14 core / 28 HTT Xeon
>   2697v3)). This is largely due to key_addref() incrementing and
>   decrementing an atomic reference count on the default
>   policy. This cause all CPUs to stall on the same cacheline, as it
>   bounces between different CPUs.
>   
>   Given that relatively few users use ipsec, and that it can be
>   loaded as a module, it seems reasonable to ask those users to
>   load the ipsec module so as to avoid imposing this penalty on the
>   GENERIC kernel. Its my hope that this will make FreeBSD look
>   better in "out of the box" benchmark comparisons with other
>   operating systems.
>   
>   Many thanks to ae for fixing auto-loading of ipsec.ko when
>   ifconfig tries to configure ipsec, and to cy for volunteering
>   to ensure the the racoon ports will load the ipsec.ko module
>   
>   Reviewed by:	cem, cy, delphij, gnn, jhb, jpaetzel
>   Differential Revision:	https://reviews.freebsd.org/D20163

pf have ifdef for IPSEC, but don't have support IPSEC_SUPPORT
(netpfil/pf/if_pfsync.c).

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190510124458.GB65054>