Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp2172507ima; Thu, 25 Oct 2018 10:35:46 -0700 (PDT) X-Google-Smtp-Source: AJdET5c/llWHY8P3h7y6pGWlV6pbLlpUbAk2TdZs5ru3g7CI9Pkmc8/WqZ+xwzwKm0DtH+Mf2mZY X-Received: by 2002:a62:fb04:: with SMTP id x4-v6mr153695pfm.210.1540488946845; Thu, 25 Oct 2018 10:35:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540488946; cv=none; d=google.com; s=arc-20160816; b=a5fVKxO09FI0U/bvBjRtE2/52K3YqOLQkOE1crQ4kupGNUc7eaoNDPWkX3EQhsayrT dtlRP3DwUY3qtkPPdGjhqftKHrAXWo5BG+Ctryo2ZlPUEoQT8wGYmFSfbaJVLVQUFRV+ ASOi+3ohJDkHn6gI1M/kSTzjUaKpEa7ZKu6X72pJ+EO0LrfwIQ4JGMnznq6zEcf4Acs0 iPsP2I7UBvCSgiQS1+lb52DqwQzNSj4ifW1F9two8ULqbIOu4rWS9EPMJ7ZaNaOEPShR 4ToSZucGKbJsIKqW00+ZN5quu/aX31mUvnMs6amB4bmsR8RKFiCIm290uQMchUF6ZUC6 bcNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:from:subject:cc:to:message-id:date; bh=osq3HxlnXS03LI6qKyRwEwzuCRrI5ar9X0wkeby0PhY=; b=CGQuejaGEMSsgsjAZDVaB7BLz40e730Y6rilpHS9OKyTioPGrpSS6B1CaNSKhaV1q+ jCTDHDyFObrG7H6wuFLdaKuwMPV69/BR2fzVvpr9qkP2S626YQdBMYbj0JYF0Z2648ub c9lTtcKLz10snGYkwva7eVmLU85uu3opPchk7yzW4hOTH+mzykXSh82LnLx7m2WhXkgY zfnvsSk1eyczcl1a27vIL8bjM4XDu7+9fXffjSiwtgB6jGPTgEUpaw+iMrD5WZpazd7+ EcaI+cGTkqnEr7equ6PwsxqsBEZKq5w1KnV2Mys3UnCjzNMcmMI5SeITwmlVPJvHLJ7t weNQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 1-v6si4818502plv.205.2018.10.25.10.35.31; Thu, 25 Oct 2018 10:35:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727604AbeJZCIi (ORCPT + 99 others); Thu, 25 Oct 2018 22:08:38 -0400 Received: from shards.monkeyblade.net ([23.128.96.9]:55320 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727455AbeJZCIh (ORCPT ); Thu, 25 Oct 2018 22:08:37 -0400 Received: from localhost (unknown [IPv6:2601:601:9f80:35cd::cf9]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: davem-davemloft) by shards.monkeyblade.net (Postfix) with ESMTPSA id 9E90114786F34; Thu, 25 Oct 2018 10:34:52 -0700 (PDT) Date: Thu, 25 Oct 2018 10:34:50 -0700 (PDT) Message-Id: <20181025.103450.1966639999117342457.davem@davemloft.net> To: linux@stwm.de Cc: netdev@vger.kernel.org, fw@strlen.de, steffen.klassert@secunet.com, linux-kernel@vger.kernel.org, torvalds@linux-foundation.org, christophe.gouault@6wind.com, gregkh@linuxfoundation.org Subject: Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels From: David Miller In-Reply-To: <2766296.15tpkxTHJV@stwm.de> References: <20181002213536.sgjansduqenps2md@breakpoint.cc> <1729915.dWWxddREcQ@stwm.de> <2766296.15tpkxTHJV@stwm.de> X-Mailer: Mew version 6.7 on Emacs 26 / Mule 6.0 (HANACHIRUSATO) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12 (shards.monkeyblade.net [149.20.54.216]); Thu, 25 Oct 2018 10:34:52 -0700 (PDT) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Wolfgang Walter Date: Thu, 25 Oct 2018 11:38:19 +0200 > there is now a new 4.19 which still has the big performance regression when > many ipsec tunnels are configured (throughput and latency get worse by 10 to > 50 times) which makes any kernel > 4.9 unusable for our routers. > > I still don't understand why a revert of the flow cache removal at least for > the longterm kernels is that a bad option (maybe as a compile time option), > especially as there is no workaround available. You do know that the flow cache is DDoS targettable, right? That's why we removed it, we did not make the change lightly. Adding a DDoS vector back into the kernel is not an option sorry. Please work diligently with Florian and others to try and find ways to soften the performance hit. Thank you.