Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels

From: Christophe Gouault
Date: Fri Sep 14 2018 - 04:01:47 EST

Next message: Nayna Jain: "[PATCH v2 0/6] Add support for architecture specific IMA policies"
Previous message: Kristian Evensen: "Re: [PATCH] option: Improve Quectel EP06 detection"
In reply to: Steffen Klassert: "Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels"
Next in thread: Wolfgang Walter: "Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Le ven. 14 sept. 2018 Ã 08:01, Steffen Klassert
<steffen.klassert@xxxxxxxxxxx> a Ãcrit :
> > > The hash threshold can be configured like this:
> > >
> > > ip x p set hthresh4 0 0
> > >
> > > This sets the hash threshold to local /0 and remote /0 netmasks.
> > > With this configuration, all policies should go to the hashtable.
> >
> > Yes, but won't they all be hashed to same bucket?
> >
> > [ jhash(addr & 0, addr & 0) ] ?
>
> Hm, yes. Maybe something between /0 and /32 makes more sense.

Indeed, hash thresholds not only determine which policies will be
hashed, but also the number of bits of the local and remote address
that will be used to calculate the hash key. Big thresholds mean
potentially fewer hashed policies, but better distribution in the hash
table, and vice versa.

A good trade off must be found depending on the prefix lengths used in
your policies.

Best regards,
Christophe

Next message: Nayna Jain: "[PATCH v2 0/6] Add support for architecture specific IMA policies"
Previous message: Kristian Evensen: "Re: [PATCH] option: Improve Quectel EP06 detection"
In reply to: Steffen Klassert: "Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels"
Next in thread: Wolfgang Walter: "Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]