authorgnn <gnn@FreeBSD.org>2015-10-27 00:42:15 +0000
committergnn <gnn@FreeBSD.org>2015-10-27 00:42:15 +0000
commit99f73cc3ee03799c8c6f5ff11fdfaa4e22a4c9f0 (patch)
tree9855b9677205615c2be8a1db40ff0ea6ae06a564 /sys/netipsec
parent603987badef4368d8e3674eac851370345d56533 (diff)
Turning on IPSEC used to introduce a slight amount of performance
degradation (7%) for host-to-host TCP connections over 10Gbps links, even when there were no security policies in place. There is no change in performance on 1Gbps network links. Testing GENERIC vs. GENERIC-NOIPSEC vs. GENERIC with this change shows that the new code removes any overhead introduced by having IPSEC always in the kernel. Differential Revision: D3993 MFC after: 1 month Sponsored by: Rubicon Communications (Netgate)
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/ipsec.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 2ac87ab..9172347 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -1276,6 +1276,9 @@ ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
int error;
int result;
+ if (!key_havesp(IPSEC_DIR_INBOUND))
+ return 0;
+
IPSEC_ASSERT(m != NULL, ("null mbuf"));
/* Get SP for this packet. */
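Review bot: The added early return in ipsec46_in_reject fails open: when `key_havesp(IPSEC_DIR_INBOUND)` reports no inbound policy, the function returns 0 before the policy lookup that follows, and nothing in the hunk shows whether key_havesp also accounts for a policy attached to `inp` or for a system default policy. If it only inspects the global policy table, a socket-level or default policy that requires protection would presumably be skipped on this path; that needs confirming against key_havesp, which is outside this diff. The same shortcut is added to ipsec_hdrsiz in the next hunk, where a wrong answer would give a header size of 0 rather than an accepted packet. I would document the assumption above the check, for example `/* No inbound SPs installed: accept without a lookup. Safe only while key_havesp() covers every policy source. */`. The body of the function continues outside the hunk.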
@@ -1403,6 +1406,9 @@ ipsec_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
int error;
size_t size;
+ if (!key_havesp(dir))
+ return 0;
+
IPSEC_ASSERT(m != NULL, ("null mbuf"));
/* Get SP for this packet. */
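Review bot: `dir` arrives from the caller and is passed to `key_havesp()` before anything in this hunk validates it, and the new check also runs ahead of the `IPSEC_ASSERT(m != NULL, ...)` that used to be the first statement. How key_havesp behaves for a direction other than inbound or outbound is not visible here, so I would either assert the range first or move the check below the existing assertions. Separately, both added returns (here and in ipsec46_in_reject) are written `return 0;`; if the file follows FreeBSD style(9), that would be `return (0);`. The rest of ipsec_hdrsiz lies outside the hunk.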