diff options
author | Matt Smith <mgsmith@netgate.com> | 2015-11-18 10:31:10 -0600 |
---|---|---|
committer | Matt Smith <mgsmith@netgate.com> | 2015-11-18 10:31:10 -0600 |
commit | eb5f5eba05394f8400a4e5a598bbee16c65724c9 (patch) | |
tree | b4579276ac10291ce1ba4ea73c4c75b969e23807 | |
parent | c1175cbf5395ed38605ca10bbcff1a545092aea0 (diff) | |
download | FreeBSD-src-eb5f5eba05394f8400a4e5a598bbee16c65724c9.zip FreeBSD-src-eb5f5eba05394f8400a4e5a598bbee16c65724c9.tar.gz |
Importing pfSense patch ipsec_direct_dispatch.diff
-rw-r--r-- | sys/netipsec/ipsec.c | 4 | ||||
-rw-r--r-- | sys/netipsec/ipsec.h | 2 | ||||
-rw-r--r-- | sys/netipsec/ipsec_input.c | 6 | ||||
-rw-r--r-- | sys/netipsec/xform_ipip.c | 8 |
4 files changed, 18 insertions, 2 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index 84534f8..a785292 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -111,6 +111,7 @@ VNET_PCPUSTAT_SYSINIT(ipsec4stat); VNET_PCPUSTAT_SYSUNINIT(ipsec4stat); #endif /* VIMAGE */ +VNET_DEFINE(int, ipsec_direct_dispatch) = 1; VNET_DEFINE(int, ip4_ah_offsetmask) = 0; /* maybe IP_DF? */ /* DF bit on encap. 0: clear 1: set 2: copy */ VNET_DEFINE(int, ip4_ipsec_dfbit) = 0; @@ -158,6 +159,9 @@ SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "If set clear type-of-service field when doing AH computation."); +SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, directdispatch, + CTLFLAG_RW, &VNET_NAME(ipsec_direct_dispatch), 0, + "Use direct dispatching for incoming packets"); SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask, CTLFLAG_RW, &VNET_NAME(ip4_ah_offsetmask), 0, "If not set clear offset field mask when doing AH computation."); diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h index 836a040..b001e76 100644 --- a/sys/netipsec/ipsec.h +++ b/sys/netipsec/ipsec.h @@ -295,6 +295,7 @@ VNET_DECLARE(int, ip4_esp_trans_deflev); VNET_DECLARE(int, ip4_esp_net_deflev); VNET_DECLARE(int, ip4_ah_trans_deflev); VNET_DECLARE(int, ip4_ah_net_deflev); +VNET_DECLARE(int, ipsec_direct_dispatch); VNET_DECLARE(int, ip4_ah_offsetmask); VNET_DECLARE(int, ip4_ipsec_dfbit); VNET_DECLARE(int, ip4_ipsec_ecn); @@ -308,6 +309,7 @@ VNET_DECLARE(int, crypto_support); #define V_ip4_esp_net_deflev VNET(ip4_esp_net_deflev) #define V_ip4_ah_trans_deflev VNET(ip4_ah_trans_deflev) #define V_ip4_ah_net_deflev VNET(ip4_ah_net_deflev) +#define V_ipsec_direct_dispatch VNET(ipsec_direct_dispatch) #define V_ip4_ah_offsetmask VNET(ip4_ah_offsetmask) #define V_ip4_ipsec_dfbit VNET(ip4_ipsec_dfbit) #define V_ip4_ipsec_ecn VNET(ip4_ipsec_ecn) diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c index 72884ad..7d463d2 100644 --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -483,7 +483,11 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, /* * Re-dispatch via software interrupt. */ - if ((error = netisr_queue_src(NETISR_IP, (uintptr_t)sav->spi, m))) { + if (V_ipsec_direct_dispatch) + error = netisr_dispatch_src(NETISR_IP, (uintptr_t)sav->spi, m); + else + error = netisr_queue_src(NETISR_IP, (uintptr_t)sav->spi, m); + if (error) { IPSEC_ISTAT(sproto, qfull); DPRINTF(("%s: queue full; proto %u packet dropped\n", __func__, sproto)); diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c index 1c09e0f..3cfaf64 100644 --- a/sys/netipsec/xform_ipip.c +++ b/sys/netipsec/xform_ipip.c @@ -351,7 +351,13 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) panic("%s: bogus ip version %u", __func__, v>>4); } - if (netisr_queue(isr, m)) { /* (0) on success. */ + if (V_ipsec_direct_dispatch) { + if (netisr_dispatch(isr, m)) { /* (0) on success. */ + IPIPSTAT_INC(ipips_qfull); + DPRINTF(("%s: packet dropped because of full queue\n", + __func__)); + } + } else if (netisr_queue(isr, m)) { /* (0) on success. */ IPIPSTAT_INC(ipips_qfull); DPRINTF(("%s: packet dropped because of full queue\n", __func__)); |