From 5aba7ffcfb97d9b6f4ce464de77b02ad4d7b8ad3 Mon Sep 17 00:00:00 2001
From: Luiz Otavio O Souza
Date: Mon, 26 Oct 2015 13:15:22 -0500
Subject: Optimize the case where we have IPSEC enabled but do not have security policies.

TAG: tryforward
Differential Revision: https://reviews.freebsd.org/D3993
---
 sys/netipsec/ipsec.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'sys/netipsec')

diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index f01f0fe..bf02f93 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -1275,6 +1275,9 @@ ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
 int error;
 int result;
 
+ if (!key_havesp(IPSEC_DIR_INBOUND))
+ return 0;
+
 IPSEC_ASSERT(m != NULL, ("null mbuf"));
 
 /* Get SP for this packet. */
@@ -1402,6 +1405,9 @@ ipsec_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
 int error;
 size_t size;
 
+ if (!key_havesp(dir))
+ return 0;
+
 IPSEC_ASSERT(m != NULL, ("null mbuf"));
 
 /* Get SP for this packet. */
-- 
cgit v1.1
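Review bot: The new early `return 0` in ipsec46_in_reject reports "do not reject" before the SP lookup that follows `/* Get SP for this packet. */`, so the fast path is only safe if an empty inbound SPD really means no policy can apply. key_havesp() is not part of this diff; if it looks only at the global policy list, a per-socket policy attached to `inp` or a restrictive system default policy would be skipped, and cleartext traffic would be accepted where it was previously dropped. Consider limiting the shortcut to the case where neither can apply, for example starting from `if (inp == NULL && !key_havesp(IPSEC_DIR_INBOUND))` and documenting the default-policy assumption in a comment above it. The same reasoning applies to the `key_havesp(dir)` shortcut in ipsec_hdrsiz, where the effect would be an under-reported header size. Both function bodies continue outside their hunks.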
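Review bot: The `key_havesp(dir)` shortcut in ipsec_hdrsiz is placed above `IPSEC_ASSERT(m != NULL, ("null mbuf"))`, so the null-mbuf assertion no longer runs on the no-policy path; ipsec46_in_reject has the same ordering. Moving the check below the assertion keeps that debug coverage at no cost to the fast path. The return would also read `return (0);` in the parenthesised form, assuming the file follows style(9), and a one-line comment such as `/* No SPs for this direction: no IPsec header overhead. */` would record why zero is correct. The function body continues outside the hunk.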