On Sun, May 01, 2022 at 02:23:55AM +0900, Ritaro Takenaka wrote:
> On 2022/04/28 0:10, Pablo Neira Ayuso wrote:
> > On Tue, Apr 26, 2022 at 09:28:13PM +0900, Ritaro Takenaka wrote:
> >> Thanks for your reply.
> >>
> >>> In 5.4, this check is only enabled for xfrm.
> >> Packet loss occurs with xmit (xfrm is not confirmed).
> >> I also experienced packet loss with 5.10, which runs dst_check periodically.
> >> Route GC and flowtable GC are not synchronized, so it is
> >> necessary to check each packet.
> >>
> >>> dst_check() should deal with this.
> >> When dst_check is used, the performance degradation is not negligible.
> >> From 900 Mbps to 700 Mbps with QCA9563 simple firewall.
> >
> > You mention 5.10 above.
> >
> > Starting 5.12, dst_check() uses INDIRECT_CALL_INET.
> >
> > Is dst_check() still slow with >= 5.12?
> >
> > Asking this because my understanding (at this stage) is that this
> > check for blackhole_netdev is a faster way to check for stale cached
> > routes.
>
> I did the performance tests with 5.15, confirmed dst_check() is not slower
> than checking for blackhole_netdev.
>
> Good, dst_check() can be used.
>
> Then, stale routes check should be moved from nf_flow_offload_gc_step() to
> nf_flow_offload(_ipv6)_hook(). Is it correct?

Then, the check from packet path needs to be restored.