| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 May 2007 10:16:59 -0700
From: Mark Huth <mhuth@...sta.com>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: davem@...emloft.net, netdev@...r.kernel.org
Subject: Re: [PATCH][af_key]pfkey_add: Optimize SA adds and algorithm probes
Herbert Xu wrote:
> Mark Huth <mhuth@...sta.com> wrote:
>
>> This patch provides a performance optimization in the pfkey_add path.
>> Prior versions have a serious performance problem when adding a large
>> number of SAs to a node. For example, if a backup node needs to be
>> loaded with the SAs previously held by a failed active node, thousands
>> of SAs may need to be added as rapidly as possible. Tests show that
>> without this patch, such additions may take several minutes. The
>> cause is that the available algorithm modules are probed each time
>> instead of only when needed. This patch changes the unconditional
>> call to xfrm_probe_algs() to only be done when it may be needed.
>>
>
> Thanks for the patch!
>
>
>> static int pfkey_add(struct sock *sk, struct sk_buff *skb, struct
>> sadb_msg *hdr, void **ext_hdrs)
>> {
>> struct xfrm_state *x;
>> - int err;
>> + int err, probe_done = 0;
>> struct km_event c;
>>
>> - xfrm_probe_algs();
>> -
>> x = pfkey_msg2xfrm_state(hdr, ext_hdrs);
>> if (IS_ERR(x))
>> return PTR_ERR(x);
>>
>
> I don't think it works when then algorithm isn't loaded though :)
> If the algorithm isn't present pfkey_msg2xfrm_state will return
> -ENOSYS so we need to do the probe here.
>
Okay. I tested with the algorithms not loaded, and they were all loaded
after the test, but I'm sure you understand this much better than I do.
> Actually, I think we should just probe for the specific algorithm
> requested rather than everything. See patch below.
>
> [IPSEC] pfkey: Load specific algorithm in pfkey_add rather than all
>
> This is a natural extension of the changeset
>
> [XFRM]: Probe selected algorithm only.
>
> which only removed the probe call for xfrm_user. This patch does exactly
> the same thing for af_key. In other words, we load the algorithm requested
> by the user rather than everything when adding xfrm states in af_key.
>
> Signed-off-by: Herbert Xu <herbert@...dor.apana.org.au>
>
> Cheers,
>
Thanks for the patch. I'll try it later today and confirm that it fixes
our problem.
Mark Huth
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists