From ac9759a53270bfdb26ff73226209ee290320c4d5 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 21 Sep 2016 10:16:00 +0200
Subject: kernel-netlink: Support configuring XFRM policy hashing thresholds

If the number of flows over a gateway exceeds the flow cache size of the
Linux kernel, policy lookup gets very expensive. Policies covering more
than a single address don't get hash-indexed by default, which results in
wasting most of the cycles in xfrm_policy_lookup_bytype() and its
xfrm_policy_match() use. Starting with several hundred policies the
overhead gets unacceptable.

Starting with Linux 3.18, Linux can hash the first n-bit of a policy
subnet to perform indexed lookup. With correctly chosen netbits, this can
completely eliminate the performance impact of policy lookups, freeing
the resources for ESP crypto.

WARNING: Due to a bug in kernels 3.19 through 4.7, the kernel crashes
with a NULL pointer dereference if a socket policy is installed while
hash thresholds are changed. And because the hashtable rebuild triggered
by the threshold change that causes this is scheduled it might also
happen if the socket policies are seemingly installed after setting the
thresholds. The fix for this bug - 6916fb3b10b3 ("xfrm: Ignore socket
policies when rebuilding hash tables") - is included since 4.8 (and might
get backported). As a workaround `charon.plugins.kernel-netlink.port_bypass`
may be enabled to replace the socket policies that allow IKE traffic with
port specific bypass policies.
---
 conf/plugins/kernel-netlink.opt | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

(limited to 'conf')

diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 0d465f607..77ba6ea97 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -51,6 +51,35 @@ charon.plugins.kernel-netlink.set_proto_port_transport_sa = no traffic, it also prevents the use of a single IPsec SA by more than one traffic selector. +charon.plugins.kernel-netlink.spdh_thresh {} + XFRM policy hashing threshold configuration for IPv4 and IPv6. + + XFRM policy hashing threshold configuration for IPv4 and IPv6. + + The section defines hashing thresholds to configure in the kernel during + daemon startup. Each address family takes a threshold for the local subnet + of an IPsec policy (src in out-policies, dst in in- and forward-policies) + and the remote subnet (dst in out-policies, src in in- and + forward-policies). + + If the subnet has more or equal net bits than the threshold, the first + threshold bits are used to calculate a hash to lookup the policy. + + Policy hashing thresholds are not supported before Linux 3.18 and might + conflict with socket policies before Linux 4.8. + +charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits = 32 + Local subnet XFRM policy hashing threshold for IPv4. + +charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits = 32 + Remote subnet XFRM policy hashing threshold for IPv4. + +charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits = 128 + Local subnet XFRM policy hashing threshold for IPv6. + +charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits = 128 + Remote subnet XFRM policy hashing threshold for IPv6. + charon.plugins.kernel-netlink.retries = 0 Number of Netlink message retransmissions to send on timeout. -- cgit v1.2.3
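Review bot: The description of the new `charon.plugins.kernel-netlink.spdh_thresh {}` section repeats its opening sentence ("XFRM policy hashing threshold configuration for IPv4 and IPv6.") twice; drop one copy. The sentence "If the subnet has more or equal net bits than the threshold" is awkward; suggest "If the subnet has at least as many net bits as the threshold, the first threshold bits are used to calculate a hash to look up the policy." The option text also understates the commit message's WARNING: "might conflict with socket policies before Linux 4.8" does not tell an administrator that the conflict is a kernel NULL pointer dereference on 3.19 through 4.7, nor that `charon.plugins.kernel-netlink.port_bypass` is the documented workaround; both belong in the option description since that is what users read. Finally, it would help to state that the defaults of 32/128 only hash single-address subnets (matching the kernel behaviour the commit message describes as the default), so leaving the section unset changes nothing.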
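To make the threshold semantics documented in the patch concrete, here is an added example (not part of the commit or of strongSwan) that models which policy selectors get hash-indexed for a given `spdh_thresh` configuration. It assumes, in my reading of the kernel's selector hashing, that both the local and the remote prefix must reach their thresholds for a policy to be hashed at all, otherwise it stays on the unindexed list; the function and dictionary names are mine.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Same values as the defaults in the patched strongswan.conf section:
# 32/128 means only single-address subnets are hash-indexed.
DEFAULT_THRESH: Dict[int, Dict[str, int]] = {
    4: {"lbits": 32, "rbits": 32},
    6: {"lbits": 128, "rbits": 128},
}


def hash_prefixes(direction: str, src: str, dst: str,
                  thresh: Dict[int, Dict[str, int]] = DEFAULT_THRESH
                  ) -> Optional[Tuple[str, str]]:
    """Return the (src, dst) prefixes that feed the policy hash, or None when
    the policy would fall back to the unindexed (inexact) list.

    direction is "out", "in" or "fwd". As the option text says, the local
    side is src for out-policies and dst for in- and forward-policies.
    Assumption (see lead-in): both selector prefixes must be at least as
    long as their threshold, otherwise the policy is not hashed at all.
    """
    s = ipaddress.ip_network(src, strict=False)
    d = ipaddress.ip_network(dst, strict=False)
    if s.version != d.version:
        raise ValueError("mixed address families in one selector")
    t = thresh[s.version]
    if direction == "out":
        sbits, dbits = t["lbits"], t["rbits"]
    elif direction in ("in", "fwd"):
        sbits, dbits = t["rbits"], t["lbits"]
    else:
        raise ValueError("direction must be out, in or fwd")
    if s.prefixlen < sbits or d.prefixlen < dbits:
        return None
    # Only the first threshold bits of each address enter the hash, so two
    # policies agreeing on those bits end up in the same bucket.
    s_key = ipaddress.ip_network(f"{s.network_address}/{sbits}", strict=False)
    d_key = ipaddress.ip_network(f"{d.network_address}/{dbits}", strict=False)
    return str(s_key), str(d_key)


if __name__ == "__main__":
    # Constructed sample policies: a /16 <-> /24 site-to-site pair.
    tuned = {4: {"lbits": 16, "rbits": 24}, 6: DEFAULT_THRESH[6]}
    print(hash_prefixes("out", "10.1.0.0/16", "192.168.5.0/24"))          # None
    print(hash_prefixes("out", "10.1.0.0/16", "192.168.5.0/24", tuned))   # hashed
    print(hash_prefixes("in", "192.168.5.0/24", "10.1.0.0/16", tuned))    # hashed
```

With the defaults the /16 policy is unindexed, while with lbits=16/rbits=24 the same policy, and any host policy inside those subnets, lands in a hash bucket keyed by the truncated prefixes.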