svn commit: r347410 - in head: . sys/amd64/conf sys/arm/conf sys/arm64/conf sys/i386/conf sys/powerpc/conf sys/riscv/conf sys/sparc64/conf
Slawa Olhovchenkov
slw at zxy.spb.ru
Fri May 10 12:45:12 UTC 2019
On Thu, May 09, 2019 at 10:38:15PM +0000, Andrew Gallatin wrote:
> Author: gallatin
> Date: Thu May 9 22:38:15 2019
> New Revision: 347410
> URL: https://svnweb.freebsd.org/changeset/base/347410
>
> Log:
> Remove IPSEC from GENERIC due to performance issues
>
> Having IPSEC compiled into the kernel imposes a non-trivial
> performance penalty on multi-threaded workloads due to IPSEC
> refcounting. In my benchmarks of multi-threaded UDP
> transmit (connected sockets), I've seen a roughly 20% performance
> penalty when the IPSEC option is included in the kernel (16.8Mpps
> vs 13.8Mpps with 32 senders on a 14 core / 28 HTT Xeon
> 2697v3)). This is largely due to key_addref() incrementing and
> decrementing an atomic reference count on the default
> policy. This cause all CPUs to stall on the same cacheline, as it
> bounces between different CPUs.
>
> Given that relatively few users use ipsec, and that it can be
> loaded as a module, it seems reasonable to ask those users to
> load the ipsec module so as to avoid imposing this penalty on the
> GENERIC kernel. Its my hope that this will make FreeBSD look
> better in "out of the box" benchmark comparisons with other
> operating systems.
>
> Many thanks to ae for fixing auto-loading of ipsec.ko when
> ifconfig tries to configure ipsec, and to cy for volunteering
> to ensure the the racoon ports will load the ipsec.ko module
>
> Reviewed by: cem, cy, delphij, gnn, jhb, jpaetzel
> Differential Revision: https://reviews.freebsd.org/D20163
pf have ifdef for IPSEC, but don't have support IPSEC_SUPPORT
(netpfil/pf/if_pfsync.c).
More information about the svn-src-all
mailing list