From: Florian Westphal <fw@strlen.de>
To: Wolfgang Walter <linux@stwm.de>
Cc: Florian Westphal <fw@strlen.de>,
Steffen Klassert <steffen.klassert@secunet.com>,
David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
torvalds@linux-foundation.org, christophe.gouault@6wind.com
Subject: Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels
Date: Tue, 2 Oct 2018 23:35:36 +0200 [thread overview]
Message-ID: <20181002213536.sgjansduqenps2md@breakpoint.cc> (raw)
In-Reply-To: <4327972.7bla238zOs@stwm.de>
Wolfgang Walter <linux@stwm.de> wrote:
> Am Dienstag, 2. Oktober 2018, 16:56:16 schrieb Florian Westphal:
> > I'm experimenting with per-dst inexact lists in an rbtree but
> > this will take time.
>
> Hmm, I doubt that this is worth the effort. And certainly not that easy
Well, I'm not going to send a revert of the flowcache removal.
I'm willing to experiment with alternatives to a full iteration of the
inexact list but thats it.
> correctly done, as it still would have to obey the original order of the rules
> (their priority).
Except that neither the priority or the order in which it was added
matters in case the selector doesn't match.
I see no reason why we can't have inexact lists done per dst<->src pairs.
> You may have a lot of rules of the form say
>
> 10.0.0.0/16 <=> 10.1.0.0/29 encrypt ....
> 10.0.0.0/16 <=> 10.1.0.8/29 encrypt ....
Sure.
> Also, you get something like that
>
> 10.0.1.0/24 <=> 10.0.2.0/29 allow
> 10.0.0.0/16 <=> 10.0.2.0/24 encrypt
> 0.0.0.0 <=> 10.0.2.0/16 block
>
> And people may use source port and/or destination port or protocol
> (tcp/udp/imcp) to further tailor there ruleset.
Yes. 0.0.0.0/0 handling will require some extra consideration.
So far I have not seen a show-stopper however.
next prev parent reply other threads:[~2018-10-02 21:35 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-13 11:30 Regression: kernel 4.14 an later very slow with many ipsec tunnels Wolfgang Walter
2018-09-13 13:58 ` Florian Westphal
2018-09-13 15:46 ` Wolfgang Walter
2018-09-13 16:38 ` Florian Westphal
2018-09-13 17:23 ` David Miller
2018-09-13 21:03 ` Florian Westphal
2018-09-13 21:12 ` David Miller
2018-09-14 5:06 ` Steffen Klassert
2018-09-14 5:54 ` Florian Westphal
2018-09-14 6:01 ` Steffen Klassert
2018-09-14 8:01 ` Christophe Gouault
2018-09-14 11:49 ` Wolfgang Walter
2018-10-02 14:45 ` Wolfgang Walter
2018-10-02 14:56 ` Florian Westphal
2018-10-02 17:34 ` Wolfgang Walter
2018-10-02 21:35 ` Florian Westphal [this message]
2018-10-04 13:57 ` Wolfgang Walter
2018-10-25 9:38 ` Wolfgang Walter
2018-10-25 17:34 ` David Miller
2018-10-25 19:24 ` Florian Westphal
2018-10-26 12:18 ` Wolfgang Walter
2018-10-25 22:45 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181002213536.sgjansduqenps2md@breakpoint.cc \
--to=fw@strlen.de \
--cc=christophe.gouault@6wind.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@stwm.de \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).