diff options
author | Andrew Yourtchenko <ayourtch@gmail.com> | 2017-07-03 12:32:44 +0200 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2017-07-04 11:59:14 +0000 |
commit | a016216753c955683bda76ed250daa540ff35107 (patch) | |
tree | c17c9608f77da004a34f9a7d946bada75f222de7 /src/vnet/ipsec/ipsec_if_out.c | |
parent | c86e592f9a65e5098c9a70c38ee228252dbd32ce (diff) |
acl-plugin: VPP-897: applying of large number of ACEs is slow
When applying ACEs, in the new hash-based scheme, for each ACE
the lookup in the hash table is done, and either that ACE is added
to the end of the existing list if there is a match,
or a new list is created if there is no match.
Usually ACEs do not overlap, so this operation is fast, however,
the fragment-permit entries in case of a large number of ACLs
create a huge list which needs to be traversed for every other
ACE being added, slowing down the process dramatically.
The solution is to add an explicit flag to denote the first
element of the chain, and use the "prev" index of that
element to point to the tail element. The "next" field
of the last element is still ~0 and if we touch that
one, we do the linear search to find the first one,
but that is a relatively infrequent operation.
Change-Id: I352a3becd7854cf39aae65f0950afad7d18a70aa
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 204cf74aed51ca07933df7c606754abb4b26fd82)
Diffstat (limited to 'src/vnet/ipsec/ipsec_if_out.c')
0 files changed, 0 insertions, 0 deletions