Vakul Garg <vakul.g...@nxp.com> wrote:
> > Vakul Garg <vakul.g...@nxp.com> wrote:
> > > > Do you use xfrm interfaces?
> > >
> > > I don't think so. I use setkey to create policies/SAs.
> > > Can you please give me some hint about it?
> >
> > Then you're not using ipsec interfaces.
> >
> Instead of creating policies/SA using setkey, I shifted to using 'ip xfrm'
> commands.
> With this, I get good performance improvement (20% better in one case).
> Now xfrm_state_find() function is not taking much cpu.

That's very strange, I have no explanation for this.

It would be good to find the cause, PF_KEY and 'ip xfrm' are just different
control plane frontends, they should have no impact on data path performance.

> Is this what you meant by 'xfrm interfaces'?

No, I meant the xfrm network interfaces that were added recently, see
net/xfrm/xfrm_interface.c

> > I have no further suggestions. I don't know yet when I will have time to
> > look into refcnt optimizations.
> >
> > Idea would be to make them same as dev_hold/put.
>
> I will try to address it. Can you provide some guidance?

Thanks. I will try to make ugly POC hack tomorrow that should illustrate
the general idea (and caveats/bugs that need fixing).