ipsec: replace SECASVAR mtx by rmlock
Closed, Public

Authored by kp on Jul 10 2022, 11:26 AM.

Details

Summary

This mutex is a significant point of contention in the ipsec code, and
can be relatively trivially replaced by a read-mostly lock.
It does require a separate lock for the replay protection, which we do
here by adding a separate mutex.

This improves throughput (without replay protection) by 10-15%.

Sponsored by: Orange Business Services

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 46348
Build 43237: arc lint + arc unit

Event Timeline

kp requested review of this revision. Jul 10 2022, 11:26 AM

This is a largely mechanical substitution, there's going to be room for further improvement, but it's a somewhat significant gain already so it's worth doing anyway.

There are some places where the current locking looks odd to me, but I've not yet been able to dig further. This change doesn't improve that, but also doesn't make it any worse.

mjg added inline comments.
sys/netipsec/xform_ah.c:966

this is an example why the patch in the current form does not work: replay count gets bumped without the lock by many cpus at the same time. all places of the sort will need to be converted to use atomics. Specifically this one will unfortunately need to be a fcmpset loop to make sure you don't bump across the limit.

i was looking at replacing this lock myself and my general idea was to use sequence counters. it would avoid degeneration from IPIs on write locking (although I don't know how frequently that's needed) and be faster single-threaded at least on amd64. However, it may happen to be slower on arm64 as it requires 2 load fences.
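
The bounded-increment loop described in the inline comment above, as an added example that is not part of the review thread or the FreeBSD patch. C11 `atomic_compare_exchange_weak` stands in for the kernel's fcmpset primitive; `struct replay_ctr`, `replay_next_seq`, `racy_may_bump` and the limit of 4 are hypothetical names and constructed values.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for per-SA replay state; not the FreeBSD struct. */
struct replay_ctr { _Atomic uint32_t count; };

/* First half of an unlocked "check, then bump": the limit test on its own. */
static bool racy_may_bump(struct replay_ctr *r, uint32_t limit)
{
	return atomic_load(&r->count) < limit;
}

/*
 * fcmpset-style loop: a failed compare-exchange reloads 'old' with the value
 * another CPU stored, so the limit test is redone before every retry.
 * Returns true with the claimed number in *seq, or false at the limit.
 */
static bool replay_next_seq(struct replay_ctr *r, uint32_t limit, uint32_t *seq)
{
	uint32_t old = atomic_load(&r->count);
	do {
		if (old >= limit)
			return false;
	} while (!atomic_compare_exchange_weak(&r->count, &old, old + 1));
	*seq = old + 1;
	return true;
}

/* Constructed interleaving: two CPUs both pass the check, then both bump. */
static uint32_t racy_interleaving(uint32_t limit)
{
	struct replay_ctr r;
	atomic_init(&r.count, limit - 1);
	bool a = racy_may_bump(&r, limit), b = racy_may_bump(&r, limit);
	if (a) atomic_fetch_add(&r.count, 1);
	if (b) atomic_fetch_add(&r.count, 1);
	return atomic_load(&r.count);
}

int main(void)
{
	struct replay_ctr r;
	uint32_t seq = 0;
	atomic_init(&r.count, 3);
	bool ok1 = replay_next_seq(&r, 4, &seq), ok2 = replay_next_seq(&r, 4, &seq);
	printf("cas: %d %d seq=%u; racy=%u\n", ok1, ok2, seq, racy_interleaving(4));
	return 0;
}
```

With the limit set to `UINT32_MAX`, the same interleaving wraps the racy counter to 0, while the compare-exchange loop refuses the second claim.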

Ensure that all uses of 'replay' are protected by the replay mutex.

This revision was not accepted when it landed; it landed in state Needs Review. Jul 19 2022, 3:28 AM
This revision was automatically updated to reflect the committed changes.