MFC 290028:

Turning on IPSEC used to introduce a slight amount of performance degradation (7%) for host host TCP connections over 10Gbps links, even when there were no secuirty policies in place. There is no change in performance on 1Gbps network links. Testing GENERIC vs. GENERIC-NOIPSEC vs. GENERIC with this change shows that the new code removes any overhead introduced by having IPSEC always in the kernel. Differential Revision: D3993 Sponsored by: Rubicon Communications (Netgate)
author: gnn <gnn@FreeBSD.org> 2015-11-26 02:24:45 +0000
committer: gnn <gnn@FreeBSD.org> 2015-11-26 02:24:45 +0000
commit: 3b2535b45232e039141c67195f6a32ebe2f304de (patch)
tree: 5aae32e4d6098b0ba78b6b51a5e0be098f324d6f /sys/netinet/tcp_subr.c
parent: e417a2afca4460ab6e2534391fbd3466072e4089 (diff)
download: FreeBSD-src-3b2535b45232e039141c67195f6a32ebe2f304de.zip
FreeBSD-src-3b2535b45232e039141c67195f6a32ebe2f304de.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index ba2d834..7bdd573 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1947,7 +1947,8 @@ ipsec_hdrsiz_tcp(struct tcpcb *tp)
 #endif
 	struct tcphdr *th;
 
-	if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL))
+	if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL) ||
+		(!key_havesp(IPSEC_DIR_OUTBOUND)))
 		return (0);
 	m = m_gethdr(M_NOWAIT, MT_DATA);
 	if (!m)
author	gnn <gnn@FreeBSD.org>	2015-11-26 02:24:45 +0000
committer	gnn <gnn@FreeBSD.org>	2015-11-26 02:24:45 +0000
commit	3b2535b45232e039141c67195f6a32ebe2f304de (patch)
tree	5aae32e4d6098b0ba78b6b51a5e0be098f324d6f /sys/netinet/tcp_subr.c
parent	e417a2afca4460ab6e2534391fbd3466072e4089 (diff)
download	FreeBSD-src-3b2535b45232e039141c67195f6a32ebe2f304de.zip FreeBSD-src-3b2535b45232e039141c67195f6a32ebe2f304de.tar.gz