On Thu, May 09, 2019 at 10:38:15PM +0000, Andrew Gallatin wrote: > Author: gallatin > Date: Thu May 9 22:38:15 2019 > New Revision: 347410 > URL: https://svnweb.freebsd.org/changeset/base/347410 > > Log: > Remove IPSEC from GENERIC due to performance issues > > Having IPSEC compiled into the kernel imposes a non-trivial > performance penalty on multi-threaded workloads due to IPSEC > refcounting. In my benchmarks of multi-threaded UDP > transmit (connected sockets), I've seen a roughly 20% performance > penalty when the IPSEC option is included in the kernel (16.8Mpps > vs 13.8Mpps with 32 senders on a 14 core / 28 HTT Xeon > 2697v3)). This is largely due to key_addref() incrementing and > decrementing an atomic reference count on the default > policy. This cause all CPUs to stall on the same cacheline, as it > bounces between different CPUs. > > Given that relatively few users use ipsec, and that it can be > loaded as a module, it seems reasonable to ask those users to > load the ipsec module so as to avoid imposing this penalty on the > GENERIC kernel. Its my hope that this will make FreeBSD look > better in "out of the box" benchmark comparisons with other > operating systems. > > Many thanks to ae for fixing auto-loading of ipsec.ko when > ifconfig tries to configure ipsec, and to cy for volunteering > to ensure the the racoon ports will load the ipsec.ko module > > Reviewed by: cem, cy, delphij, gnn, jhb, jpaetzel > Differential Revision: https://reviews.freebsd.org/D20163
pf have ifdef for IPSEC, but don't have support IPSEC_SUPPORT (netpfil/pf/if_pfsync.c). _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"