Re: [PATCH] nf_flowtable: ensure dst.dev is not blackhole

On 2022/04/28 0:10, Pablo Neira Ayuso wrote:
> On Tue, Apr 26, 2022 at 09:28:13PM +0900, Ritaro Takenaka wrote:
>> Thanks for your reply.
>>
>>> In 5.4, this check is only enabled for xfrm.
>> Packet loss occurs with xmit (xfrm is not confirmed).
>> I also experienced packet loss with 5.10, which runs dst_check periodically.
>> Route GC and flowtable GC are not synchronized, so it is
>> necessary to check each packet.
>>
>>> dst_check() should deal with this.
>> When dst_check is used, the performance degradation is not negligible.
>> From 900 Mbps to 700 Mbps with QCA9563 simple firewall.
> 
> You mention 5.10 above.
> 
> Starting 5.12, dst_check() uses INDIRECT_CALL_INET.
> 
> Is dst_check() still slow with >= 5.12?
> 
> Asking this because my understanding (at this stage) is that this
> check for blackhole_netdev is a faster way to check for stale cached
> routes.

I did the performance tests with 5.15 and confirmed that dst_check() is not
slower than checking for blackhole_netdev.

Good, dst_check() can be used.

Then the stale route check should be moved from nf_flow_offload_gc_step() to
nf_flow_offload(_ipv6)_hook(). Is that correct?


