diff options
author | Renato Botelho <renato@netgate.com> | 2015-08-17 13:53:28 -0300 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2015-08-17 13:53:28 -0300 |
commit | 9ed545f35cdf6da23726dadeb0e999d0d81e62eb (patch) | |
tree | 9eecf2fcc864b8614fce635542f12c0587594d7c | |
parent | d3b775b3db2819bebcac765dca33db7f8f5143c7 (diff) | |
download | FreeBSD-src-9ed545f35cdf6da23726dadeb0e999d0d81e62eb.zip FreeBSD-src-9ed545f35cdf6da23726dadeb0e999d0d81e62eb.tar.gz |
Importing pfSense patch ipsec_direct_dispatch.diff
-rw-r--r-- | sys/netipsec/ipsec.c | 4 | ||||
-rw-r--r-- | sys/netipsec/ipsec.h | 2 | ||||
-rw-r--r-- | sys/netipsec/ipsec_input.c | 5 | ||||
-rw-r--r-- | sys/netipsec/xform_ipip.c | 8 |
4 files changed, 17 insertions, 2 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index f27019d..da75107 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -110,6 +110,7 @@ VNET_PCPUSTAT_SYSINIT(ipsec4stat); VNET_PCPUSTAT_SYSUNINIT(ipsec4stat); #endif /* VIMAGE */ +VNET_DEFINE(int, ipsec_direct_dispatch) = 1; VNET_DEFINE(int, ip4_ah_offsetmask) = 0; /* maybe IP_DF? */ /* DF bit on encap. 0: clear 1: set 2: copy */ VNET_DEFINE(int, ip4_ipsec_dfbit) = 0; @@ -157,6 +158,9 @@ SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "If set clear type-of-service field when doing AH computation."); +SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, directdispatch, + CTLFLAG_RW, &VNET_NAME(ipsec_direct_dispatch), 0, + "Use direct dispatching for incoming packets"); SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask, CTLFLAG_RW, &VNET_NAME(ip4_ah_offsetmask), 0, "If not set clear offset field mask when doing AH computation."); diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h index e50c401..39c4f6b 100644 --- a/sys/netipsec/ipsec.h +++ b/sys/netipsec/ipsec.h @@ -299,6 +299,7 @@ VNET_DECLARE(int, ip4_esp_trans_deflev); VNET_DECLARE(int, ip4_esp_net_deflev); VNET_DECLARE(int, ip4_ah_trans_deflev); VNET_DECLARE(int, ip4_ah_net_deflev); +VNET_DECLARE(int, ipsec_direct_dispatch); VNET_DECLARE(int, ip4_ah_offsetmask); VNET_DECLARE(int, ip4_ipsec_dfbit); VNET_DECLARE(int, ip4_ipsec_ecn); @@ -312,6 +313,7 @@ VNET_DECLARE(int, crypto_support); #define V_ip4_esp_net_deflev VNET(ip4_esp_net_deflev) #define V_ip4_ah_trans_deflev VNET(ip4_ah_trans_deflev) #define V_ip4_ah_net_deflev VNET(ip4_ah_net_deflev) +#define V_ipsec_direct_dispatch VNET(ipsec_direct_dispatch) #define V_ip4_ah_offsetmask VNET(ip4_ah_offsetmask) #define V_ip4_ipsec_dfbit VNET(ip4_ipsec_dfbit) #define V_ip4_ipsec_ecn VNET(ip4_ipsec_ecn) diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c index 18a9b0c..c906d91 100644 --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -525,7 +525,10 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, goto bad; } - error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m); + if (V_ipsec_direct_dispatch) + error = netisr_dispatch_src(isr_prot, (uintptr_t)sav->spi, m); + else + error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m); if (error) { IPSEC_ISTAT(sproto, qfull); DPRINTF(("%s: queue full; proto %u packet dropped\n", diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c index 9585eef..85f0642 100644 --- a/sys/netipsec/xform_ipip.c +++ b/sys/netipsec/xform_ipip.c @@ -330,7 +330,13 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) panic("%s: bogus ip version %u", __func__, v>>4); } - if (netisr_queue(isr, m)) { /* (0) on success. */ + if (V_ipsec_direct_dispatch) { + if (netisr_dispatch(isr, m)) { /* (0) on success. */ + IPIPSTAT_INC(ipips_qfull); + DPRINTF(("%s: packet dropped because of full queue\n", + __func__)); + } + } else if (netisr_queue(isr, m)) { /* (0) on success. */ IPIPSTAT_INC(ipips_qfull); DPRINTF(("%s: packet dropped because of full queue\n", __func__)); |