From: Florian Westphal <f...@strlen.de> Date: Tue, 27 Sep 2016 18:05:20 +0200
> Please do not apply these patches. To be honest, I really want to :-) > These are part of tests I made for the ipsec workshop at upcoming > netdev 1.2 and I wanted to post these before the conference. > > Short version is that there appear to be no major scalability issues > anymore without flow cache. Performance hit can be up to 30% > in my tests (with 64 byte packets), however without flow cache we > also avoid some undesirable effects when flow cache is constantly > overloaded. > > Seems most of the extra cost is mainly because of extra xfrm dst > init/destruction (and not e.g. due to policy lookup). Yes, if you have to allocate/destroy a dst every lookup then it will hurt a lot. Perhaps we can have a pre-cooked dst hung off of some existing object as a first level strategy to avoid this. > Lets discuss more at the workshop. Indeed.