Importing pfSense patch ipsec_direct_dispatch.diff

4 files changed, 18 insertions, 2 deletions

diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 84534f8..a785292 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -111,6 +111,7 @@ VNET_PCPUSTAT_SYSINIT(ipsec4stat);
 VNET_PCPUSTAT_SYSUNINIT(ipsec4stat);
 #endif /* VIMAGE */
 
+VNET_DEFINE(int, ipsec_direct_dispatch) = 1;
 VNET_DEFINE(int, ip4_ah_offsetmask) = 0;	/* maybe IP_DF? */
 /* DF bit on encap. 0: clear 1: set 2: copy */
 VNET_DEFINE(int, ip4_ipsec_dfbit) = 0;
@@ -158,6 +159,9 @@ SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
 SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos,
 	CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0,
 	"If set clear type-of-service field when doing AH computation.");
+SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, directdispatch,
+	CTLFLAG_RW, &VNET_NAME(ipsec_direct_dispatch), 0,
+	"Use direct dispatching for incoming packets");
 SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask,
 	CTLFLAG_RW, &VNET_NAME(ip4_ah_offsetmask), 0,
 	"If not set clear offset field mask when doing AH computation.");
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 836a040..b001e76 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -295,6 +295,7 @@ VNET_DECLARE(int, ip4_esp_trans_deflev);
 VNET_DECLARE(int, ip4_esp_net_deflev);
 VNET_DECLARE(int, ip4_ah_trans_deflev);
 VNET_DECLARE(int, ip4_ah_net_deflev);
+VNET_DECLARE(int, ipsec_direct_dispatch);
 VNET_DECLARE(int, ip4_ah_offsetmask);
 VNET_DECLARE(int, ip4_ipsec_dfbit);
 VNET_DECLARE(int, ip4_ipsec_ecn);
@@ -308,6 +309,7 @@ VNET_DECLARE(int, crypto_support);
 #define	V_ip4_esp_net_deflev	VNET(ip4_esp_net_deflev)
 #define	V_ip4_ah_trans_deflev	VNET(ip4_ah_trans_deflev)
 #define	V_ip4_ah_net_deflev	VNET(ip4_ah_net_deflev)
+#define	V_ipsec_direct_dispatch	VNET(ipsec_direct_dispatch)
 #define	V_ip4_ah_offsetmask	VNET(ip4_ah_offsetmask)
 #define	V_ip4_ipsec_dfbit	VNET(ip4_ipsec_dfbit)
 #define	V_ip4_ipsec_ecn		VNET(ip4_ipsec_ecn)
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 72884ad..7d463d2 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -483,7 +483,11 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 	/*
 	 * Re-dispatch via software interrupt.
 	 */
-	if ((error = netisr_queue_src(NETISR_IP, (uintptr_t)sav->spi, m))) {
+	if (V_ipsec_direct_dispatch)
+		error = netisr_dispatch_src(NETISR_IP, (uintptr_t)sav->spi, m);
+	else
+		error = netisr_queue_src(NETISR_IP, (uintptr_t)sav->spi, m);
+	if (error) {
 		IPSEC_ISTAT(sproto, qfull);
 		DPRINTF(("%s: queue full; proto %u packet dropped\n",
 			__func__, sproto));
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 1c09e0f..3cfaf64 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -351,7 +351,13 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
 		panic("%s: bogus ip version %u", __func__, v>>4);
 	}
 
-	if (netisr_queue(isr, m)) {	/* (0) on success. */
+	if (V_ipsec_direct_dispatch) {
+		if (netisr_dispatch(isr, m)) {	/* (0) on success. */
+			IPIPSTAT_INC(ipips_qfull);
+			DPRINTF(("%s: packet dropped because of full queue\n",
+				__func__));
+		}
+	} else if (netisr_queue(isr, m)) {	/* (0) on success. */
 		IPIPSTAT_INC(ipips_qfull);
 		DPRINTF(("%s: packet dropped because of full queue\n",
 			__func__));