Importing pfSense patch ipsec_direct_dispatch.diff

4 files changed, 17 insertions, 2 deletions

diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index f27019d..da75107 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -110,6 +110,7 @@ VNET_PCPUSTAT_SYSINIT(ipsec4stat);
 VNET_PCPUSTAT_SYSUNINIT(ipsec4stat);
 #endif /* VIMAGE */
 
+VNET_DEFINE(int, ipsec_direct_dispatch) = 1;
 VNET_DEFINE(int, ip4_ah_offsetmask) = 0;	/* maybe IP_DF? */
 /* DF bit on encap. 0: clear 1: set 2: copy */
 VNET_DEFINE(int, ip4_ipsec_dfbit) = 0;
@@ -157,6 +158,9 @@ SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
 SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos,
 	CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0,
 	"If set clear type-of-service field when doing AH computation.");
+SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, directdispatch,
+	CTLFLAG_RW, &VNET_NAME(ipsec_direct_dispatch), 0,
+	"Use direct dispatching for incoming packets");
 SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask,
 	CTLFLAG_RW, &VNET_NAME(ip4_ah_offsetmask), 0,
 	"If not set clear offset field mask when doing AH computation.");
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index e50c401..39c4f6b 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -299,6 +299,7 @@ VNET_DECLARE(int, ip4_esp_trans_deflev);
 VNET_DECLARE(int, ip4_esp_net_deflev);
 VNET_DECLARE(int, ip4_ah_trans_deflev);
 VNET_DECLARE(int, ip4_ah_net_deflev);
+VNET_DECLARE(int, ipsec_direct_dispatch);
 VNET_DECLARE(int, ip4_ah_offsetmask);
 VNET_DECLARE(int, ip4_ipsec_dfbit);
 VNET_DECLARE(int, ip4_ipsec_ecn);
@@ -312,6 +313,7 @@ VNET_DECLARE(int, crypto_support);
 #define	V_ip4_esp_net_deflev	VNET(ip4_esp_net_deflev)
 #define	V_ip4_ah_trans_deflev	VNET(ip4_ah_trans_deflev)
 #define	V_ip4_ah_net_deflev	VNET(ip4_ah_net_deflev)
+#define	V_ipsec_direct_dispatch	VNET(ipsec_direct_dispatch)
 #define	V_ip4_ah_offsetmask	VNET(ip4_ah_offsetmask)
 #define	V_ip4_ipsec_dfbit	VNET(ip4_ipsec_dfbit)
 #define	V_ip4_ipsec_ecn		VNET(ip4_ipsec_ecn)
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 18a9b0c..c906d91 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -525,7 +525,10 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 		goto bad;
 	}
 
-	error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
+	if (V_ipsec_direct_dispatch)
+		error = netisr_dispatch_src(isr_prot, (uintptr_t)sav->spi, m);
+	else
+		error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
 	if (error) {
 		IPSEC_ISTAT(sproto, qfull);
 		DPRINTF(("%s: queue full; proto %u packet dropped\n",
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 9585eef..85f0642 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -330,7 +330,13 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
 		panic("%s: bogus ip version %u", __func__, v>>4);
 	}
 
-	if (netisr_queue(isr, m)) {	/* (0) on success. */
+	if (V_ipsec_direct_dispatch) {
+		if (netisr_dispatch(isr, m)) {	/* (0) on success. */
+			IPIPSTAT_INC(ipips_qfull);
+			DPRINTF(("%s: packet dropped because of full queue\n",
+				__func__));
+		}
+	} else if (netisr_queue(isr, m)) {	/* (0) on success. */
 		IPIPSTAT_INC(ipips_qfull);
 		DPRINTF(("%s: packet dropped because of full queue\n",
 			__func__));