Hello Andrey, first off, thank you for your explanation.
As for your Hint, i am not a C Programmer but i think i have a better understanding of the issue now. I believe this is a know issue and the reason why IPSEC isn't in GENERIC, afaik from this discussion (https://lists.freebsd.org/pipermail/freebsd-hackers/2009-April/028364.html). I have compiled the patched kernel and am installing on the vm's now.. will get back to you. S. > On Apr 24, 2015, at 01:26, Andrey V. Elsukov <bu7c...@yandex.ru> wrote: > > On 24.04.2015 01:00, Sydney Meyer wrote: >> Hello, >> >> I have set up 2 VM's under Xen running each one IPSec-Endpoint. >> Everything seems to work fine, but (measured with benchmarks/iperf) >> the performance drops from ~10 Gb/s on a non-IPSec-Kernel to ~200 >> Mb/s with IPSec compiled in, regardless of whether actually using >> IPSec or not. > > Can you test this patch to see the difference? It isn't a fix. It is > just to see how will help avoiding of PCB check. > > --- ip_output.c (revision 281867) > +++ ip_output.c (working copy) > @@ -482,7 +482,7 @@ again: > > sendit: > #ifdef IPSEC > - switch(ip_ipsec_output(&m, inp, &flags, &error)) { > + switch(ip_ipsec_output(&m, NULL, &flags, &error)) { > case 1: > goto bad; > case -1: > > > -- > WBR, Andrey V. Elsukov _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
