svn commit: r347410 - in head: . sys/amd64/conf sys/arm/conf sys/arm64/conf sys/i386/conf sys/powerpc/conf sys/riscv/conf sys/sparc64/conf
Andrew Gallatin
gallatin at FreeBSD.org
Thu May 9 22:38:18 UTC 2019
Author: gallatin
Date: Thu May 9 22:38:15 2019
New Revision: 347410
URL: https://svnweb.freebsd.org/changeset/base/347410
Log:
Remove IPSEC from GENERIC due to performance issues
Having IPSEC compiled into the kernel imposes a non-trivial
performance penalty on multi-threaded workloads due to IPSEC
refcounting. In my benchmarks of multi-threaded UDP
transmit (connected sockets), I've seen a roughly 20% performance
penalty when the IPSEC option is included in the kernel (16.8Mpps
vs 13.8Mpps with 32 senders on a 14 core / 28 HTT Xeon
2697v3)). This is largely due to key_addref() incrementing and
decrementing an atomic reference count on the default
policy. This cause all CPUs to stall on the same cacheline, as it
bounces between different CPUs.
Given that relatively few users use ipsec, and that it can be
loaded as a module, it seems reasonable to ask those users to
load the ipsec module so as to avoid imposing this penalty on the
GENERIC kernel. Its my hope that this will make FreeBSD look
better in "out of the box" benchmark comparisons with other
operating systems.
Many thanks to ae for fixing auto-loading of ipsec.ko when
ifconfig tries to configure ipsec, and to cy for volunteering
to ensure the the racoon ports will load the ipsec.ko module
Reviewed by: cem, cy, delphij, gnn, jhb, jpaetzel
Differential Revision: https://reviews.freebsd.org/D20163
Modified:
head/UPDATING
head/sys/amd64/conf/GENERIC
head/sys/arm/conf/std.armv6
head/sys/arm/conf/std.armv7
head/sys/arm64/conf/GENERIC
head/sys/i386/conf/GENERIC
head/sys/powerpc/conf/GENERIC
head/sys/powerpc/conf/GENERIC64
head/sys/riscv/conf/GENERIC
head/sys/sparc64/conf/GENERIC
Modified: head/UPDATING
==============================================================================
--- head/UPDATING Thu May 9 22:31:47 2019 (r347409)
+++ head/UPDATING Thu May 9 22:38:15 2019 (r347410)
@@ -32,6 +32,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 13.x IS SLOW:
"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
20190507:
+ The IPSEC option has been removed from GENERIC. Users requiring
+ ipsec(4) must now load the ipsec(4) kernel module.
+
+20190507:
The tap(4) driver has been folded into tun(4), and the module has been
renamed to tuntap. You should update any kld_load="if_tap" or
kld_load="if_tun" entries in /etc/rc.conf, if_tap_load="YES" or
Modified: head/sys/amd64/conf/GENERIC
==============================================================================
--- head/sys/amd64/conf/GENERIC Thu May 9 22:31:47 2019 (r347409)
+++ head/sys/amd64/conf/GENERIC Thu May 9 22:38:15 2019 (r347410)
@@ -30,7 +30,6 @@ options PREEMPTION # Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET # InterNETworking
options INET6 # IPv6 communications protocols
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_OFFLOAD # TCP offload
options TCP_BLACKBOX # Enhanced TCP event logging
Modified: head/sys/arm/conf/std.armv6
==============================================================================
--- head/sys/arm/conf/std.armv6 Thu May 9 22:31:47 2019 (r347409)
+++ head/sys/arm/conf/std.armv6 Thu May 9 22:38:15 2019 (r347410)
@@ -11,7 +11,7 @@ options INET # InterNETworking
options INET6 # IPv6 communications protocols
options TCP_HHOOK # hhook(9) framework for TCP
device crypto # core crypto support
-options IPSEC # IP (v4/v6) security
+options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
Modified: head/sys/arm/conf/std.armv7
==============================================================================
--- head/sys/arm/conf/std.armv7 Thu May 9 22:31:47 2019 (r347409)
+++ head/sys/arm/conf/std.armv7 Thu May 9 22:38:15 2019 (r347410)
@@ -11,7 +11,7 @@ options INET # InterNETworking
options INET6 # IPv6 communications protocols
options TCP_HHOOK # hhook(9) framework for TCP
device crypto # core crypto support
-options IPSEC # IP (v4/v6) security
+options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
Modified: head/sys/arm64/conf/GENERIC
==============================================================================
--- head/sys/arm64/conf/GENERIC Thu May 9 22:31:47 2019 (r347409)
+++ head/sys/arm64/conf/GENERIC Thu May 9 22:38:15 2019 (r347410)
@@ -29,7 +29,6 @@ options PREEMPTION # Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET # InterNETworking
options INET6 # IPv6 communications protocols
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_HHOOK # hhook(9) framework for TCP
options TCP_OFFLOAD # TCP offload
Modified: head/sys/i386/conf/GENERIC
==============================================================================
--- head/sys/i386/conf/GENERIC Thu May 9 22:31:47 2019 (r347409)
+++ head/sys/i386/conf/GENERIC Thu May 9 22:38:15 2019 (r347410)
@@ -31,7 +31,6 @@ options PREEMPTION # Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET # InterNETworking
options INET6 # IPv6 communications protocols
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_HHOOK # hhook(9) framework for TCP
options TCP_OFFLOAD # TCP offload
Modified: head/sys/powerpc/conf/GENERIC
==============================================================================
--- head/sys/powerpc/conf/GENERIC Thu May 9 22:31:47 2019 (r347409)
+++ head/sys/powerpc/conf/GENERIC Thu May 9 22:38:15 2019 (r347410)
@@ -38,7 +38,6 @@ options PREEMPTION #Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET #InterNETworking
options INET6 #IPv6 communications protocols
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_HHOOK # hhook(9) framework for TCP
options TCP_RFC7413 # TCP Fast Open
Modified: head/sys/powerpc/conf/GENERIC64
==============================================================================
--- head/sys/powerpc/conf/GENERIC64 Thu May 9 22:31:47 2019 (r347409)
+++ head/sys/powerpc/conf/GENERIC64 Thu May 9 22:38:15 2019 (r347410)
@@ -40,7 +40,6 @@ options PREEMPTION #Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET #InterNETworking
options INET6 #IPv6 communications protocols
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_OFFLOAD # TCP offload
options TCP_BLACKBOX # Enhanced TCP event logging
Modified: head/sys/riscv/conf/GENERIC
==============================================================================
--- head/sys/riscv/conf/GENERIC Thu May 9 22:31:47 2019 (r347409)
+++ head/sys/riscv/conf/GENERIC Thu May 9 22:38:15 2019 (r347410)
@@ -34,7 +34,6 @@ options VIMAGE # Subsystem virtualization, e.g. VNE
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options TCP_HHOOK # hhook(9) framework for TCP
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_OFFLOAD # TCP offload
options SCTP # Stream Control Transmission Protocol
Modified: head/sys/sparc64/conf/GENERIC
==============================================================================
--- head/sys/sparc64/conf/GENERIC Thu May 9 22:31:47 2019 (r347409)
+++ head/sys/sparc64/conf/GENERIC Thu May 9 22:38:15 2019 (r347410)
@@ -31,7 +31,6 @@ options PREEMPTION # Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET # InterNETworking
options INET6 # IPv6 communications protocols
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_HHOOK # hhook(9) framework for TCP
options SCTP # Stream Control Transmission Protocol
More information about the svn-src-all
mailing list