[Openswan dev] Small optimisation for lots of interfaces

David McCullough davidm at snapgear.com
Wed Nov 23 22:11:26 CET 2005


Jivin D. Hugh Redelmeier lays it down ...
> | From: David McCullough <davidm at snapgear.com>
> | 
> | If you have a box with 100's of interfaces,  processing ifconfig
> | output to find the configured ipsec interfaces is a little expensive,
> | so this patch changes it to use /proc/net/ipsec_tncfg.
> 
> This surprises me.  Is the ifconfig command slow, or is the time spent
> somewhere else?  How bad does it actually get?

Firstly, it's not a PC, it's a 533MHz ARM XScale router, so that may be why
it surprises you :-)

It seems the ifconfig is the slow part (all kernel time too).  Adding the
sed only adds a few seconds to the total below.

> I would be interested in the output of
> 	time ifconfig >/dev/null

# time ifconfig > /dev/null

real    0m37.951s
user    0m1.860s
sys     0m35.950s

It has 4096 aliases configured.  A lot, I know, but it sure finds
any code that can't deal with it.  We have customers running up to
180 ipsec tunnels and some are looking at approaching 1000 GRE tunnels.

> 	time grep -sv NULL /proc/net/ipsec_tncfg >/dev/null

# time grep -sv NULL /proc/net/ipsec_tncfg >/dev/null

real    0m0.009s
user    0m0.000s
sys     0m0.000s

> I'd actually expect some of the code in Pluto for discovering
> interfaces to be a worse problem when there are a lot of interfaces.

Absolutely,  I am sure it does.

At the moment I was only running "ipsec setup stop",  and it was taking
forever even though ipsec wasn't running.  I figured I'd fix this simple
one and see if there is interest in addressing these kinds of issues before I
tackle anything that messes with serious code.

I would be interested in others' experiences with large tunnel counts
using OpenSwan.  I have run over 1000 simple tunnels between two hosts
using freeswan (i.e., single SA for all tunnels), but pluto seems to get
unstable with much over 200 truly independent tunnels.  Has anyone else
had this experience?

Cheers,
Davidm

-- 
David McCullough, davidm at cyberguard.com.au, Custom Embedded Solutions + Security
Ph:+61 734352815 Fx:+61 738913630 http://www.uCdot.org http://www.cyberguard.com
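The interface discovery the thread talks about, as an added example that is not part of the original post or of Openswan's own scripts: instead of parsing the output of ifconfig (which walks every alias on the box), read /proc/net/ipsec_tncfg and keep only the ipsec devices attached to a physical interface, which is what the "grep -sv NULL" in the thread does. The line format of /proc/net/ipsec_tncfg below is an assumption about what KLIPS prints, and the sample contents are constructed so the functions run offline.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Openswan.
# Lists KLIPS ipsec interfaces attached to a physical device by reading
# /proc/net/ipsec_tncfg rather than parsing ifconfig output.
#
# Assumed line format (KLIPS tncfg style):
#   ipsec0 -> eth0 mtu=16260(1500) -> 1500
#   ipsec1 -> NULL mtu=0(0) -> 0
# An unattached ipsec device shows NULL as its physical device, which is
# what "grep -sv NULL" in the thread filters out.

# Constructed sample of the /proc file contents (not real router output).
SAMPLE_TNCFG='ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> eth1 mtu=16260(1500) -> 1500
ipsec3 -> NULL mtu=0(0) -> 0'

# Print "ipsecN physdev" for every attached ipsec interface in the given
# file ("-" reads stdin; default is the real /proc entry). One awk pass,
# so the cost scales with the number of ipsec devices, not with the
# number of interface aliases that ifconfig would have to enumerate.
attached_ipsec_ifaces() {
    awk '$2 == "->" && $3 != "NULL" { print $1, $3 }' "${1:-/proc/net/ipsec_tncfg}"
}

# Number of attached interfaces in the constructed sample.
sample_attached_count() {
    printf '%s\n' "$SAMPLE_TNCFG" | attached_ipsec_ifaces - | wc -l | tr -d ' '
}

# Space-separated names of the attached interfaces in the constructed sample.
sample_attached_names() {
    printf '%s\n' "$SAMPLE_TNCFG" | attached_ipsec_ifaces - \
        | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}

# Usage on a real KLIPS box: attached_ipsec_ifaces
# On the sample: sample_attached_names prints "ipsec0 ipsec2"
```

The awk filter keys on the literal "->" separator in field 2 so that a comment or header line in the file is ignored rather than mis-parsed; if the kernel you run prints a different layout, adjust the field numbers, since the format here is assumed rather than taken from the thread.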

