Shoichi Sakane wrote:

> > While investigating a problem, I noticed that the IPSEC code
> > is initializing the sp -- even when no one is using IPSEC.
> >
> > It turns out that this really, really bloats the per-socket
> > memory requirements, with the only real result being a lot
> > of extra processing that could be replaced by a pointer-is-not-NULL
> > check.
> >
> > It seems to me that this could be handled in the TCP, UDP,
> > and IP userreq code by only initializing the thing in the
> > case that a policy has been set. Is there some reason why
> > this can't be done?
>
> The IPsec specification requires consulting the SPD for all packets
> in order to handle the packet. This is defined in RFC 2401.
> If a pointer to the entry of the SPD is NULL, it means the security
> policy is not defined, so the kernel consults the system-wide default.
> It never means there is nothing to do.
So you are saying that I could establish a global default, and make the sp pointer NULL, and have that mean "use the global default", instead of copying identical policies all over the place, right?

I think this would be the best approach, and it would get me all of the redundant "deep copy" memory back in the default case.

-- Terry
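The design sketched in the thread (a NULL per-socket `sp` meaning "consult the system-wide default", with explicitly set policies shared by reference instead of deep-copied) as an added, self-contained example. This is illustrative code written for this page, not the FreeBSD or KAME IPsec implementation: the names `secpolicy`, `ipsec_def_policy`, `sock`, `sp_alloc`, `sp_ref`, `sp_unref`, `sock_getpolicy`, `sock_setpolicy` and `sock_outbound_check` are invented stand-ins for the kernel's structures, and the policy enum is a constructed simplification.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the kernel's SPD entries; names are assumptions. */
enum ipsec_policy { IPSEC_POLICY_DISCARD = 0, IPSEC_POLICY_NONE = 1, IPSEC_POLICY_IPSEC = 2 };

struct secpolicy {
    unsigned refcnt;        /* number of holders sharing this entry; no deep copies */
    enum ipsec_policy type; /* what to do with a packet this entry governs */
};

/* System-wide default that a NULL per-socket pointer resolves to. */
static struct secpolicy ipsec_def_policy = { .refcnt = 1, .type = IPSEC_POLICY_NONE };

struct sock {
    struct secpolicy *sp;   /* NULL == "use ipsec_def_policy", never "skip the SPD" */
};

/* Allocate a policy entry; the caller holds the first reference. */
struct secpolicy *sp_alloc(enum ipsec_policy type) {
    struct secpolicy *sp = calloc(1, sizeof *sp);
    if (sp == NULL)
        return NULL;
    sp->refcnt = 1;
    sp->type = type;
    return sp;
}

struct secpolicy *sp_ref(struct secpolicy *sp) {
    sp->refcnt++;
    return sp;
}

/* Drop a reference; the static default is never freed. */
void sp_unref(struct secpolicy *sp) {
    if (sp == NULL || sp == &ipsec_def_policy)
        return;
    if (--sp->refcnt == 0)
        free(sp);
}

/* Policy lookup for a socket. Always returns an entry, so the datapath cannot
 * confuse "no per-socket entry" with "nothing to do". */
struct secpolicy *sock_getpolicy(const struct sock *so) {
    return so->sp != NULL ? so->sp : &ipsec_def_policy;
}

/* Install a per-socket policy (sp == NULL clears it and falls back to the
 * default). The entry is shared by reference count, not copied per socket. */
void sock_setpolicy(struct sock *so, struct secpolicy *sp) {
    struct secpolicy *old = so->sp;
    so->sp = (sp != NULL) ? sp_ref(sp) : NULL;
    sp_unref(old);
}

/* Outbound check as the datapath would run it: the SPD is consulted for
 * every packet, through the per-socket entry or the global default. */
enum ipsec_policy sock_outbound_check(const struct sock *so) {
    return sock_getpolicy(so)->type;
}

int main(void) {
    struct sock a = { NULL }, b = { NULL };
    struct secpolicy *p = sp_alloc(IPSEC_POLICY_IPSEC);
    if (p == NULL)
        return 1;

    sock_setpolicy(&a, p);          /* a shares p; b still uses the default */
    sp_unref(p);                    /* drop the allocator's reference */
    printf("a -> %d, b -> %d, p refcnt %u\n",
           sock_outbound_check(&a), sock_outbound_check(&b), p->refcnt);

    ipsec_def_policy.type = IPSEC_POLICY_DISCARD;   /* changes every default socket */
    printf("after default change: b -> %d\n", sock_outbound_check(&b));

    sock_setpolicy(&a, NULL);       /* last reference: p is freed */
    return 0;
}
```

Two properties follow from this layout that a deep copy does not give: changing the global default takes effect for every socket that never set a policy, and a socket that did set one pays one pointer plus a shared reference rather than a private copy of the entry.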