summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec_if_out.c
diff options
context:
space:
mode:
authorAndrew Yourtchenko <ayourtch@gmail.com>2017-07-03 12:32:44 +0200
committerOle Trøan <otroan@employees.org>2017-07-04 11:59:14 +0000
commita016216753c955683bda76ed250daa540ff35107 (patch)
treec17c9608f77da004a34f9a7d946bada75f222de7 /src/vnet/ipsec/ipsec_if_out.c
parentc86e592f9a65e5098c9a70c38ee228252dbd32ce (diff)
acl-plugin: VPP-897: applying of large number of ACEs is slow
When applying ACEs, in the new hash-based scheme, for each ACE the lookup in the hash table is done, and either that ACE is added to the end of the existing list if there is a match, or a new list is created if there is no match. Usually ACEs do not overlap, so this operation is fast, however, the fragment-permit entries in case of a large number of ACLs create a huge list which needs to be traversed for every other ACE being added, slowing down the process dramatically. The solution is to add an explicit flag to denote the first element of the chain, and use the "prev" index of that element to point to the tail element. The "next" field of the last element is still ~0 and if we touch that one, we do the linear search to find the first one, but that is a relatively infrequent operation. Change-Id: I352a3becd7854cf39aae65f0950afad7d18a70aa Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 204cf74aed51ca07933df7c606754abb4b26fd82)
Diffstat (limited to 'src/vnet/ipsec/ipsec_if_out.c')
0 files changed, 0 insertions, 0 deletions