Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp2172507ima;
        Thu, 25 Oct 2018 10:35:46 -0700 (PDT)
X-Google-Smtp-Source: AJdET5c/llWHY8P3h7y6pGWlV6pbLlpUbAk2TdZs5ru3g7CI9Pkmc8/WqZ+xwzwKm0DtH+Mf2mZY
X-Received: by 2002:a62:fb04:: with SMTP id x4-v6mr153695pfm.210.1540488946845;
        Thu, 25 Oct 2018 10:35:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540488946; cv=none;
        d=google.com; s=arc-20160816;
        b=a5fVKxO09FI0U/bvBjRtE2/52K3YqOLQkOE1crQ4kupGNUc7eaoNDPWkX3EQhsayrT
         dtlRP3DwUY3qtkPPdGjhqftKHrAXWo5BG+Ctryo2ZlPUEoQT8wGYmFSfbaJVLVQUFRV+
         ASOi+3ohJDkHn6gI1M/kSTzjUaKpEa7ZKu6X72pJ+EO0LrfwIQ4JGMnznq6zEcf4Acs0
         iPsP2I7UBvCSgiQS1+lb52DqwQzNSj4ifW1F9two8ULqbIOu4rWS9EPMJ7ZaNaOEPShR
         4ToSZucGKbJsIKqW00+ZN5quu/aX31mUvnMs6amB4bmsR8RKFiCIm290uQMchUF6ZUC6
         bcNw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:from:subject:cc:to:message-id:date;
        bh=osq3HxlnXS03LI6qKyRwEwzuCRrI5ar9X0wkeby0PhY=;
        b=CGQuejaGEMSsgsjAZDVaB7BLz40e730Y6rilpHS9OKyTioPGrpSS6B1CaNSKhaV1q+
         jCTDHDyFObrG7H6wuFLdaKuwMPV69/BR2fzVvpr9qkP2S626YQdBMYbj0JYF0Z2648ub
         c9lTtcKLz10snGYkwva7eVmLU85uu3opPchk7yzW4hOTH+mzykXSh82LnLx7m2WhXkgY
         zfnvsSk1eyczcl1a27vIL8bjM4XDu7+9fXffjSiwtgB6jGPTgEUpaw+iMrD5WZpazd7+
         EcaI+cGTkqnEr7equ6PwsxqsBEZKq5w1KnV2Mys3UnCjzNMcmMI5SeITwmlVPJvHLJ7t
         weNQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 1-v6si4818502plv.205.2018.10.25.10.35.31;
        Thu, 25 Oct 2018 10:35:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727604AbeJZCIi (ORCPT <rfc822;plaguedbypenguins@gmail.com>
        + 99 others); Thu, 25 Oct 2018 22:08:38 -0400
Received: from shards.monkeyblade.net ([23.128.96.9]:55320 "EHLO
        shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727455AbeJZCIh (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 25 Oct 2018 22:08:37 -0400
Received: from localhost (unknown [IPv6:2601:601:9f80:35cd::cf9])
        (using TLSv1 with cipher AES256-SHA (256/256 bits))
        (Client did not present a certificate)
        (Authenticated sender: davem-davemloft)
        by shards.monkeyblade.net (Postfix) with ESMTPSA id 9E90114786F34;
        Thu, 25 Oct 2018 10:34:52 -0700 (PDT)
Date:   Thu, 25 Oct 2018 10:34:50 -0700 (PDT)
Message-Id: <20181025.103450.1966639999117342457.davem@davemloft.net>
To:     linux@stwm.de
Cc:     netdev@vger.kernel.org, fw@strlen.de, steffen.klassert@secunet.com,
        linux-kernel@vger.kernel.org, torvalds@linux-foundation.org,
        christophe.gouault@6wind.com, gregkh@linuxfoundation.org
Subject: Re: Regression: kernel 4.14 an later very slow with many ipsec
 tunnels
From:   David Miller <davem@davemloft.net>
In-Reply-To: <2766296.15tpkxTHJV@stwm.de>
References: <20181002213536.sgjansduqenps2md@breakpoint.cc>
        <1729915.dWWxddREcQ@stwm.de>
        <2766296.15tpkxTHJV@stwm.de>
X-Mailer: Mew version 6.7 on Emacs 26 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12 (shards.monkeyblade.net [149.20.54.216]); Thu, 25 Oct 2018 10:34:52 -0700 (PDT)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Wolfgang Walter <linux@stwm.de>
Date: Thu, 25 Oct 2018 11:38:19 +0200

> there is now a new 4.19 which still has the big performance regression when 
> many ipsec tunnels are configured (throughput and latency get worse by 10 to 
> 50 times) which makes any kernel > 4.9 unusable for our routers.
> 
> I still don't understand why a revert of the flow cache removal at least for 
> the longterm kernels is that a bad option (maybe as a compile time option), 
> especially as there is no workaround available.

You do know that the flow cache is DDoS targettable, right?

That's why we removed it, we did not make the change lightly.

Adding a DDoS vector back into the kernel is not an option sorry.

Please work diligently with Florian and others to try and find ways to
soften the performance hit.

Thank you.