Author: eri
Date: Fri Jul  3 15:31:56 2015
New Revision: 285096
URL: https://svnweb.freebsd.org/changeset/base/285096

Log:
  Reduce overhead of IPSEC for traffic generated from host
  
  When IPSEC is enabled on the kernel the forwarding path has an optimization to not enter the code paths
  for checking security policies but first checks if there is any security policy active at all.
  
  The patch introduces the same optimization but for traffic generated from the host itself.
  This reduces the overhead by 50% on my tests for generated host traffic without an SP active.
  
  Differential Revision:        https://reviews.freebsd.org/D2980
  Reviewed by:  ae, gnn
  Approved by:  gnn(mentor)

Modified:
  head/sys/netipsec/ipsec.c

Modified: head/sys/netipsec/ipsec.c
==============================================================================
--- head/sys/netipsec/ipsec.c   Fri Jul  3 14:46:57 2015        (r285095)
+++ head/sys/netipsec/ipsec.c   Fri Jul  3 15:31:56 2015        (r285096)
@@ -334,6 +334,12 @@ ipsec_getpolicybysock(struct mbuf *m, u_
        IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
                ("invalid direction %u", dir));
 
+       if (!key_havesp(dir)) {
+               /* No SP found, use system default. */
+               sp = KEY_ALLOCSP_DEFAULT();
+               return (sp);
+       }
+
        /* Set spidx in pcb. */
        *error = ipsec_setspidx_inpcb(m, inp);
        if (*error)
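
Review bot: the new early return in ipsec_getpolicybysock() leaves *error unassigned, because it exits before the existing "*error = ipsec_setspidx_inpcb(m, inp);" line that is the first visible write to it. A caller that inspects *error after the call would read whatever value it held beforehand, so set "*error = 0;" ahead of "return (sp);" or document that callers must pre-initialize it. The return also precedes the "Set spidx in pcb" step, so inp is never consulted on this path; the comment should state that skipping the pcb here is intended whenever key_havesp(dir) is false, so the shortcut is not mistaken for an oversight later.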