diff options
author | gnn <gnn@FreeBSD.org> | 2015-10-27 00:42:15 +0000 |
---|---|---|
committer | gnn <gnn@FreeBSD.org> | 2015-10-27 00:42:15 +0000 |
commit | 99f73cc3ee03799c8c6f5ff11fdfaa4e22a4c9f0 (patch) | |
tree | 9855b9677205615c2be8a1db40ff0ea6ae06a564 /sys/netipsec | |
parent | 603987badef4368d8e3674eac851370345d56533 (diff) | |
download | FreeBSD-src-99f73cc3ee03799c8c6f5ff11fdfaa4e22a4c9f0.zip FreeBSD-src-99f73cc3ee03799c8c6f5ff11fdfaa4e22a4c9f0.tar.gz |
Turning on IPSEC used to introduce a slight amount of performance
degradation (7%) for host host TCP connections over 10Gbps links,
even when there were no secuirty policies in place. There is no
change in performance on 1Gbps network links. Testing GENERIC vs.
GENERIC-NOIPSEC vs. GENERIC with this change shows that the new
code removes any overhead introduced by having IPSEC always in the
kernel.
Differential Revision: D3993
MFC after: 1 month
Sponsored by: Rubicon Communications (Netgate)
Diffstat (limited to 'sys/netipsec')
-rw-r--r-- | sys/netipsec/ipsec.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index 2ac87ab..9172347 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -1276,6 +1276,9 @@ ipsec46_in_reject(struct mbuf *m, struct inpcb *inp) int error; int result; + if (!key_havesp(IPSEC_DIR_INBOUND)) + return 0; + IPSEC_ASSERT(m != NULL, ("null mbuf")); /* Get SP for this packet. */ @@ -1403,6 +1406,9 @@ ipsec_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp) int error; size_t size; + if (!key_havesp(dir)) + return 0; + IPSEC_ASSERT(m != NULL, ("null mbuf")); /* Get SP for this packet. */ |