authorAndrew Gallatin <gallatin@FreeBSD.org>2019-05-09 22:38:15 +0000
committerAndrew Gallatin <gallatin@FreeBSD.org>2019-05-09 22:38:15 +0000
commit542970fa2d3fb42af9addef22eb9e80d26b4c508 (patch)
treef93889921a4834755e0223e0bf2624a89e1f936e
parent9bee6a6083228d0e6abfb991fdbb4edf020fd438 (diff)
Remove IPSEC from GENERIC due to performance issues
Having IPSEC compiled into the kernel imposes a non-trivial performance penalty on multi-threaded workloads due to IPSEC refcounting. In my benchmarks of multi-threaded UDP transmit (connected sockets), I've seen a roughly 20% performance penalty when the IPSEC option is included in the kernel (16.8Mpps vs 13.8Mpps with 32 senders on a 14 core / 28 HTT Xeon 2697v3). This is largely due to key_addref() incrementing and decrementing an atomic reference count on the default policy. This causes all CPUs to stall on the same cacheline, as it bounces between different CPUs. Given that relatively few users use ipsec, and that it can be loaded as a module, it seems reasonable to ask those users to load the ipsec module so as to avoid imposing this penalty on the GENERIC kernel. It's my hope that this will make FreeBSD look better in "out of the box" benchmark comparisons with other operating systems. Many thanks to ae for fixing auto-loading of ipsec.ko when ifconfig tries to configure ipsec, and to cy for volunteering to ensure the racoon ports will load the ipsec.ko module. Reviewed by: cem, cy, delphij, gnn, jhb, jpaetzel Differential Revision: https://reviews.freebsd.org/D20163
Notes
Notes: svn path=/head/; revision=347410
-rw-r--r--UPDATING4
-rw-r--r--sys/amd64/conf/GENERIC1
-rw-r--r--sys/arm/conf/std.armv62
-rw-r--r--sys/arm/conf/std.armv72
-rw-r--r--sys/arm64/conf/GENERIC1
-rw-r--r--sys/i386/conf/GENERIC1
-rw-r--r--sys/powerpc/conf/GENERIC1
-rw-r--r--sys/powerpc/conf/GENERIC641
-rw-r--r--sys/riscv/conf/GENERIC1
-rw-r--r--sys/sparc64/conf/GENERIC1
10 files changed, 6 insertions, 9 deletions
diff --git a/UPDATING b/UPDATING
index 44438de07cb7..35bd16039d0f 100644
--- a/UPDATING
+++ b/UPDATING
@@ -32,6 +32,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 13.x IS SLOW:
"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
20190507:
+ The IPSEC option has been removed from GENERIC. Users requiring
+ ipsec(4) must now load the ipsec(4) kernel module.
+
+20190507:
The tap(4) driver has been folded into tun(4), and the module has been
renamed to tuntap. You should update any kld_load="if_tap" or
kld_load="if_tun" entries in /etc/rc.conf, if_tap_load="YES" or
diff --git a/sys/amd64/conf/GENERIC b/sys/amd64/conf/GENERIC
index 9dc14700a16c..8f71e3ce560b 100644
--- a/sys/amd64/conf/GENERIC
+++ b/sys/amd64/conf/GENERIC
@@ -30,7 +30,6 @@ options PREEMPTION # Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET # InterNETworking
options INET6 # IPv6 communications protocols
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_OFFLOAD # TCP offload
options TCP_BLACKBOX # Enhanced TCP event logging
diff --git a/sys/arm/conf/std.armv6 b/sys/arm/conf/std.armv6
index ceaca977ff06..18f15edaf19b 100644
--- a/sys/arm/conf/std.armv6
+++ b/sys/arm/conf/std.armv6
@@ -11,7 +11,7 @@ options INET # InterNETworking
options INET6 # IPv6 communications protocols
options TCP_HHOOK # hhook(9) framework for TCP
device crypto # core crypto support
-options IPSEC # IP (v4/v6) security
+options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
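Review bot: The new `options IPSEC_SUPPORT` line makes IPsec available only once ipsec.ko is loaded, and neither its comment nor the UPDATING entry says how a host that installs its policies at boot should load it. The commit message covers ifconfig and the racoon ports; a setup that relies on setkey(8) policies alone would, if nothing loads the module first, presumably come up without its SPD and send traffic unprotected. I would extend the comment to `# Allow kldload of ipsec and tcpmd5; IPsec users need ipsec.ko (e.g. ipsec_load="YES" in loader.conf)` and confirm that the rc startup path for IPsec loads the module before policies are applied. The same applies to the std.armv7 hunk.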
diff --git a/sys/arm/conf/std.armv7 b/sys/arm/conf/std.armv7
index bbb54e812895..af090d398f8a 100644
--- a/sys/arm/conf/std.armv7
+++ b/sys/arm/conf/std.armv7
@@ -11,7 +11,7 @@ options INET # InterNETworking
options INET6 # IPv6 communications protocols
options TCP_HHOOK # hhook(9) framework for TCP
device crypto # core crypto support
-options IPSEC # IP (v4/v6) security
+options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
diff --git a/sys/arm64/conf/GENERIC b/sys/arm64/conf/GENERIC
index c83f9771b4aa..b1018a742508 100644
--- a/sys/arm64/conf/GENERIC
+++ b/sys/arm64/conf/GENERIC
@@ -29,7 +29,6 @@ options PREEMPTION # Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET # InterNETworking
options INET6 # IPv6 communications protocols
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_HHOOK # hhook(9) framework for TCP
options TCP_OFFLOAD # TCP offload
diff --git a/sys/i386/conf/GENERIC b/sys/i386/conf/GENERIC
index be1b5e45bdc1..cc9da10f008c 100644
--- a/sys/i386/conf/GENERIC
+++ b/sys/i386/conf/GENERIC
@@ -31,7 +31,6 @@ options PREEMPTION # Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET # InterNETworking
options INET6 # IPv6 communications protocols
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_HHOOK # hhook(9) framework for TCP
options TCP_OFFLOAD # TCP offload
diff --git a/sys/powerpc/conf/GENERIC b/sys/powerpc/conf/GENERIC
index 35e5880a2605..9e8294d394d0 100644
--- a/sys/powerpc/conf/GENERIC
+++ b/sys/powerpc/conf/GENERIC
@@ -38,7 +38,6 @@ options PREEMPTION #Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET #InterNETworking
options INET6 #IPv6 communications protocols
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_HHOOK # hhook(9) framework for TCP
options TCP_RFC7413 # TCP Fast Open
diff --git a/sys/powerpc/conf/GENERIC64 b/sys/powerpc/conf/GENERIC64
index 7bc22c8e5545..3fb6ad124558 100644
--- a/sys/powerpc/conf/GENERIC64
+++ b/sys/powerpc/conf/GENERIC64
@@ -40,7 +40,6 @@ options PREEMPTION #Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET #InterNETworking
options INET6 #IPv6 communications protocols
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_OFFLOAD # TCP offload
options TCP_BLACKBOX # Enhanced TCP event logging
diff --git a/sys/riscv/conf/GENERIC b/sys/riscv/conf/GENERIC
index 4b692415a194..7c2571f4783b 100644
--- a/sys/riscv/conf/GENERIC
+++ b/sys/riscv/conf/GENERIC
@@ -34,7 +34,6 @@ options VIMAGE # Subsystem virtualization, e.g. VNET
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options TCP_HHOOK # hhook(9) framework for TCP
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_OFFLOAD # TCP offload
options SCTP # Stream Control Transmission Protocol
diff --git a/sys/sparc64/conf/GENERIC b/sys/sparc64/conf/GENERIC
index 4ccd401fb9ad..5019e71d6125 100644
--- a/sys/sparc64/conf/GENERIC
+++ b/sys/sparc64/conf/GENERIC
@@ -31,7 +31,6 @@ options PREEMPTION # Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET # InterNETworking
options INET6 # IPv6 communications protocols
-options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_HHOOK # hhook(9) framework for TCP
options SCTP # Stream Control Transmission Protocol