'Re: [Ipsec-tools-devel] some profiling results and a simple suggestion for improvement'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipsec-tools-devel
Subject:    Re: [Ipsec-tools-devel] some profiling results and a simple suggestion for improvement
From:       Rainer Weikusat <rweikusat () mobileactivedefense ! com>
Date:       2014-11-13 16:28:01
Message-ID: 877fyz2hgu.fsf () doppelsaurus ! mobileactivedefense ! com
[Download RAW message or body]

Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:
> Below is an excerpt from profiling data gathered via (Linux) OProfile
> during a couple of hours on an installion with about 4,500 users using a
> VPN via 'iDevices' (iPhones and iPads):

[...]


> The inssp-code looks like this (0.8.0):
>
> void
> inssp(new)
>         struct secpolicy *new;
> {
> #ifdef HAVE_PFKEY_POLICY_PRIORITY
>         struct secpolicy *p;
>
>         TAILQ_FOREACH(p, &sptree, chain) {
>                 if (new->spidx.priority < p->spidx.priority) {
>                         TAILQ_INSERT_BEFORE(p, new, chain);
>                         return;
>                 }
>         }
>         if (p == NULL)
> #endif
>                 TAILQ_INSERT_TAIL(&sptree, new, chain);
>
>         return;
> }

[...]

> It should be possible to improve this by using
>
> if (new->spidx.priority <= p->spidx.priority) {

For the sake of completeness: The code I'm actually using right now
looks like this:

----------------
void
inssp(new)
struct secpolicy *new;
{
	struct _sptree *spt;
	u_int32_t new_prio;

	spt = sptree + new->spidx.dir - 1;
    
#ifdef HAVE_PFKEY_POLICY_PRIORITY
	struct secpolicy *p;

	new_prio = new->spidx.priority;

	TAILQ_FOREACH_REVERSE(p, spt, _sptree, chain) {
		if (new_prio >= p->spidx.priority) {
			TAILQ_INSERT_AFTER(spt, p, new, chain);
			goto out;
			
		}
	}
	if (p == NULL)
#endif
		TAILQ_INSERT_HEAD(spt, new, chain);

out:
	spidx_hash_insert(new);
	return;
}
----------------

This contains some unrelated changes because I've also introduced
direction-separated lists and hashing for 'exact match' policy
searches. The 'search policy list from the back' change alone has
reduced the relative amount of time the daemon spends in inssp from
22.37% to 0.14% (compared to the code just using separated lists and
spidx hashing).

Minor error in my original mail: A generated policy doesn't use a
priority of 0 but the 'default priority' of 0x80000000/ 2147483648 (1 <<
31).

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic