[Swan-dev] remove pfkey checks from pluto and startup scripts

Antony Antony antony at phenome.org
Fri May 3 17:32:26 UTC 2019

On Fri, May 03, 2019 at 01:12:10PM -0400, D. Hugh Redelmeier wrote:
> | From: Antony Antony <antony at phenome.org>
> | Since it is not necessary we could remove it from pluto.  Also tests by 
> | Steffen noticed compiling kernel with pfkey use quite a bit extra cpu.
> Are you saying the
> 	compiling the kernel with pfkey uses more CPU (unlikely)  
> 	running a kernel compiled with pfkey enabled uses more CPU?

The second case, and pluto is running. Pluto is using netlink/xfrm to add/delete 
SAs and a bit of pfkey for bypass policy and interface management.

> | His observation was pfkey_send_new_mapping use "3.69% of my cpu cycles". So
> | I think it is worth removing pfkey completely. e.g this could happen when
> | the NAT mappings for ESP change, pfkey_send_new_mapping is wasted cpu
> | cycles.
> What is pfkey_send_new_mapping doing?  Is it correlated with anything
> libreswan is actually doing?

As I understand it, pfkey_send_new_mapping is called when the kernel notices changes, 
e.g. a change of ESP port, or a limit exceeded, something like that; the kernel wants 
to broadcast the changes as message(s) to user land -- including ip xfrm 
monitor. There are two systems, pfkey and netlink/xfrm, to broadcast. When 
both pfkey and netlink/xfrm are compiled and running, the kernel would prepare 
the message twice, probably with no pfkey subscriber(s)? Or possibly pluto 
wrongly subscribed via a pfkey socket too.

In any case the goal is to run on a kernel with no pfkey compiled in. It seems if it 
is a module some other modules may drag it in. So I had to make sure .config had

# CONFIG_NET_KEY is not set 

You probably heard that pfkey is being deprecated by the kernel maintainers. 
They are trying to kill it ASAP. So after b248daa35 we thought pfkey is 
not necessary anymore. Around the same time strongswan also stopped using 
pfkey. Now testing shows pluto still needs pfkey. Let's remove those.

> If libreswan isn't really using pfkey, and nobody else is, it's
> surprising that it would eat CPU.

pluto is using it, see my follow-up e-mail with the patch 0004-pfkey.patch