Remove IPSEC from GENERIC due to performance issues
Having IPSEC compiled into the kernel imposes a non-trivial performance penalty on multi-threaded workloads due to IPSEC refcounting. In my benchmarks of multi-threaded UDP transmit (connected sockets), I've seen a roughly 20% performance penalty when the IPSEC option is included in the kernel (16.8Mpps vs 13.8Mpps with 32 senders on a 14 core / 28 HTT Xeon 2697v3). This is largely due to key_addref() incrementing and decrementing an atomic reference count on the default policy. This causes all CPUs to stall on the same cacheline, as it bounces between different CPUs.

Given that relatively few users use ipsec, and that it can be loaded as a module, it seems reasonable to ask those users to load the ipsec module so as to avoid imposing this penalty on the GENERIC kernel. It's my hope that this will make FreeBSD look better in "out of the box" benchmark comparisons with other operating systems.

Many thanks to ae for fixing auto-loading of ipsec.ko when ifconfig tries to configure ipsec, and to cy for volunteering to ensure the racoon ports will load the ipsec.ko module.

Reviewed by: cem, cy, delphij, gnn, jhb, jpaetzel
Differential Revision: https://reviews.freebsd.org/D20163
parent
6e6b09f5c1
commit
d0514c0542
4
UPDATING
@ -31,6 +31,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 13.x IS SLOW:
|
||||
disable the most expensive debugging functionality run
|
||||
"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
|
||||
|
||||
20190507:
|
||||
The IPSEC option has been removed from GENERIC. Users requiring
|
||||
ipsec(4) must now load the ipsec(4) kernel module.
|
||||
|
||||
20190507:
|
||||
The tap(4) driver has been folded into tun(4), and the module has been
|
||||
renamed to tuntap. You should update any kld_load="if_tap" or
|
||||
|
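Review bot: The new 20190507 entry says users "must now load the ipsec(4) kernel module" but not how or when. Please spell out the boot-time step, for example ipsec_load="YES" in /boot/loader.conf for the ipsec.ko module named in the commit message, and say that it has to be in place before rebooting into the new kernel, since a host that is reached only through an IPsec tunnel cannot be fixed remotely afterwards.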
@ -30,7 +30,6 @@ options PREEMPTION # Enable kernel thread preemption
|
||||
options VIMAGE # Subsystem virtualization, e.g. VNET
|
||||
options INET # InterNETworking
|
||||
options INET6 # IPv6 communications protocols
|
||||
options IPSEC # IP (v4/v6) security
|
||||
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
|
||||
options TCP_OFFLOAD # TCP offload
|
||||
options TCP_BLACKBOX # Enhanced TCP event logging
|
||||
|
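Review bot: With options IPSEC gone from this config and only options IPSEC_SUPPORT left, IPsec policy is enforced only once ipsec.ko is loaded, and the commit message covers auto-loading for ifconfig and the racoon ports only. What happens on a host that installs its policies at boot with setkey(8) through rc.d/ipsec while the module is absent: does that path fail loudly, or does traffic that used to be protected leave in the clear? A module-load step or a hard failure there is worth confirming before this lands.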
@ -11,7 +11,7 @@ options INET # InterNETworking
|
||||
options INET6 # IPv6 communications protocols
|
||||
options TCP_HHOOK # hhook(9) framework for TCP
|
||||
device crypto # core crypto support
|
||||
options IPSEC # IP (v4/v6) security
|
||||
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
|
||||
options SCTP # Stream Control Transmission Protocol
|
||||
options FFS # Berkeley Fast Filesystem
|
||||
options SOFTUPDATES # Enable FFS soft updates support
|
||||
|
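Review bot: Confirm that the one-for-one line change in this hunk (header -11,7 +11,7, around options IPSEC and options IPSEC_SUPPORT) leaves options IPSEC_SUPPORT in the resulting config. Most of the other config hunks go from 7 lines to 6, so this file and the next one with the same header are handled differently, and without IPSEC_SUPPORT the "Allow kldload of ipsec and tcpmd5" path that the UPDATING entry relies on is not available here. A sentence in the commit message on why these configs differ would help.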
@ -11,7 +11,7 @@ options INET # InterNETworking
|
||||
options INET6 # IPv6 communications protocols
|
||||
options TCP_HHOOK # hhook(9) framework for TCP
|
||||
device crypto # core crypto support
|
||||
options IPSEC # IP (v4/v6) security
|
||||
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
|
||||
options SCTP # Stream Control Transmission Protocol
|
||||
options FFS # Berkeley Fast Filesystem
|
||||
options SOFTUPDATES # Enable FFS soft updates support
|
||||
|
@ -29,7 +29,6 @@ options PREEMPTION # Enable kernel thread preemption
|
||||
options VIMAGE # Subsystem virtualization, e.g. VNET
|
||||
options INET # InterNETworking
|
||||
options INET6 # IPv6 communications protocols
|
||||
options IPSEC # IP (v4/v6) security
|
||||
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
|
||||
options TCP_HHOOK # hhook(9) framework for TCP
|
||||
options TCP_OFFLOAD # TCP offload
|
||||
|
@ -31,7 +31,6 @@ options PREEMPTION # Enable kernel thread preemption
|
||||
options VIMAGE # Subsystem virtualization, e.g. VNET
|
||||
options INET # InterNETworking
|
||||
options INET6 # IPv6 communications protocols
|
||||
options IPSEC # IP (v4/v6) security
|
||||
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
|
||||
options TCP_HHOOK # hhook(9) framework for TCP
|
||||
options TCP_OFFLOAD # TCP offload
|
||||
|
@ -38,7 +38,6 @@ options PREEMPTION #Enable kernel thread preemption
|
||||
options VIMAGE # Subsystem virtualization, e.g. VNET
|
||||
options INET #InterNETworking
|
||||
options INET6 #IPv6 communications protocols
|
||||
options IPSEC # IP (v4/v6) security
|
||||
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
|
||||
options TCP_HHOOK # hhook(9) framework for TCP
|
||||
options TCP_RFC7413 # TCP Fast Open
|
||||
|
@ -40,7 +40,6 @@ options PREEMPTION #Enable kernel thread preemption
|
||||
options VIMAGE # Subsystem virtualization, e.g. VNET
|
||||
options INET #InterNETworking
|
||||
options INET6 #IPv6 communications protocols
|
||||
options IPSEC # IP (v4/v6) security
|
||||
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
|
||||
options TCP_OFFLOAD # TCP offload
|
||||
options TCP_BLACKBOX # Enhanced TCP event logging
|
||||
|
@ -34,7 +34,6 @@ options VIMAGE # Subsystem virtualization, e.g. VNET
|
||||
options INET # InterNETworking
|
||||
options INET6 # IPv6 communications protocols
|
||||
options TCP_HHOOK # hhook(9) framework for TCP
|
||||
options IPSEC # IP (v4/v6) security
|
||||
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
|
||||
options TCP_OFFLOAD # TCP offload
|
||||
options SCTP # Stream Control Transmission Protocol
|
||||
|
@ -31,7 +31,6 @@ options PREEMPTION # Enable kernel thread preemption
|
||||
options VIMAGE # Subsystem virtualization, e.g. VNET
|
||||
options INET # InterNETworking
|
||||
options INET6 # IPv6 communications protocols
|
||||
options IPSEC # IP (v4/v6) security
|
||||
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
|
||||
options TCP_HHOOK # hhook(9) framework for TCP
|
||||
options SCTP # Stream Control Transmission Protocol
|
||||
|