svn commit: r290028 - in head/sys: netinet netipsec

George V. Neville-Neil gnn at FreeBSD.org
Tue Oct 27 00:42:17 UTC 2015 

Author: gnn
Date: Tue Oct 27 00:42:15 2015
New Revision: 290028
URL: https://svnweb.freebsd.org/changeset/base/290028

Log:
  Turning on IPSEC used to introduce a slight amount of performance
  degradation (7%) for host host TCP connections over 10Gbps links,
  even when there were no secuirty policies in place. There is no
  change in performance on 1Gbps network links. Testing GENERIC vs.
  GENERIC-NOIPSEC vs. GENERIC with this change shows that the new
  code removes any overhead introduced by having IPSEC always in the
  kernel.
  
  Differential Revision:	D3993
  MFC after:	1 month
  Sponsored by:	Rubicon Communications (Netgate)

Modified:
  head/sys/netinet/ip_ipsec.c
  head/sys/netinet/tcp_subr.c
  head/sys/netipsec/ipsec.c

Modified: head/sys/netinet/ip_ipsec.c
==============================================================================
--- head/sys/netinet/ip_ipsec.c	Tue Oct 27 00:37:19 2015	(r290027)
+++ head/sys/netinet/ip_ipsec.c	Tue Oct 27 00:42:15 2015	(r290028)
@@ -158,6 +158,10 @@ int
 ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *error)
 {
 	struct secpolicy *sp;
+
+	if (!key_havesp(IPSEC_DIR_INBOUND))
+		return 0;
+
 	/*
 	 * Check the security policy (SP) for the packet and, if
 	 * required, do IPsec-related processing.  There are two

Modified: head/sys/netinet/tcp_subr.c
==============================================================================
--- head/sys/netinet/tcp_subr.c	Tue Oct 27 00:37:19 2015	(r290027)
+++ head/sys/netinet/tcp_subr.c	Tue Oct 27 00:42:15 2015	(r290028)
@@ -1972,7 +1972,8 @@ ipsec_hdrsiz_tcp(struct tcpcb *tp)
 #endif
 	struct tcphdr *th;
 
-	if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL))
+	if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL) ||
+		(!key_havesp(IPSEC_DIR_OUTBOUND)))
 		return (0);
 	m = m_gethdr(M_NOWAIT, MT_DATA);
 	if (!m)

Modified: head/sys/netipsec/ipsec.c
==============================================================================
--- head/sys/netipsec/ipsec.c	Tue Oct 27 00:37:19 2015	(r290027)
+++ head/sys/netipsec/ipsec.c	Tue Oct 27 00:42:15 2015	(r290028)
@@ -1276,6 +1276,9 @@ ipsec46_in_reject(struct mbuf *m, struct
 	int error;
 	int result;
 
+	if (!key_havesp(IPSEC_DIR_INBOUND))
+		return 0;
+
 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
 
 	/* Get SP for this packet. */
@@ -1403,6 +1406,9 @@ ipsec_hdrsiz(struct mbuf *m, u_int dir, 
 	int error;
 	size_t size;
 
+	if (!key_havesp(dir))
+		return 0;
+
 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
 
 	/* Get SP for this packet. */

More information about the svn-src-head mailing list