From owner-svn-src-all@freebsd.org Thu Nov 26 02:24:47 2015
Message-Id: <201511260224.tAQ2Ok8T023023@repo.freebsd.org>
From: "George V. Neville-Neil"
Date: Thu, 26 Nov 2015 02:24:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r291355 - in stable/10/sys: netinet netipsec
X-SVN-Group: stable-10

Author: gnn
Date: Thu Nov 26 02:24:45 2015
New Revision: 291355

URL: https://svnweb.freebsd.org/changeset/base/291355

Log:
  MFC 290028:

  Turning on IPSEC used to introduce a slight amount of performance
  degradation (7%) for host-to-host TCP connections over 10Gbps links,
  even when there were no security policies in place. There is no change
  in performance on 1Gbps network links.

  Testing GENERIC vs. GENERIC-NOIPSEC vs. GENERIC with this change shows
  that the new code removes any overhead introduced by having IPSEC
  always in the kernel.

  Differential Revision: D3993
  Sponsored by: Rubicon Communications (Netgate)

Modified:
  stable/10/sys/netinet/ip_ipsec.c
  stable/10/sys/netinet/tcp_subr.c
  stable/10/sys/netipsec/ipsec.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/netinet/ip_ipsec.c
==============================================================================
--- stable/10/sys/netinet/ip_ipsec.c Thu Nov 26 02:16:25 2015 (r291354)
+++ stable/10/sys/netinet/ip_ipsec.c Thu Nov 26 02:24:45 2015 (r291355)
@@ -230,6 +230,10 @@ ip_ipsec_output(struct mbuf **m, struct struct secpolicy *sp = NULL; struct tdb_ident *tdbi; struct m_tag *mtag; + + if (!key_havesp(IPSEC_DIR_OUTBOUND)) + return 0; + /* * Check the security policy (SP) for the packet and, if * required, do IPsec-related processing. There are two Modified: stable/10/sys/netinet/tcp_subr.c ============================================================================== --- stable/10/sys/netinet/tcp_subr.c Thu Nov 26 02:16:25 2015 (r291354) +++ stable/10/sys/netinet/tcp_subr.c Thu Nov 26 02:24:45 2015 (r291355) @@ -1947,7 +1947,8 @@ ipsec_hdrsiz_tcp(struct tcpcb *tp) #endif struct tcphdr *th; - if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL)) + if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL) || + (!key_havesp(IPSEC_DIR_OUTBOUND))) return (0); m = m_gethdr(M_NOWAIT, MT_DATA); if (!m) Modified: stable/10/sys/netipsec/ipsec.c ============================================================================== --- stable/10/sys/netipsec/ipsec.c Thu Nov 26 02:16:25 2015 (r291354) +++ stable/10/sys/netipsec/ipsec.c Thu Nov 26 02:24:45 2015 (r291355) @@ -1273,6 +1273,9 @@ ipsec46_in_reject(struct mbuf *m, struct int error; int result; + if (!key_havesp(IPSEC_DIR_INBOUND)) + return 0; + IPSEC_ASSERT(m != NULL, ("null mbuf")); /* @@ -1405,6 +1408,9 @@ ipsec_hdrsiz(struct mbuf *m, u_int dir, int error; size_t size; + if (!key_havesp(dir)) + return 0; + IPSEC_ASSERT(m != NULL, ("null mbuf")); /* Get SP for this packet.
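Review bot: in the ip_ipsec_output() hunk, `return 0;` does not follow style(9), which parenthesizes return values; the tcp_subr.c hunk in this same change writes `return (0);`, so the two should agree. The early exit also relies on key_havesp(IPSEC_DIR_OUTBOUND) reflecting the SPD at the instant of the call: a policy installed while a packet is already in the output path can be skipped for that packet. A short comment above the check stating whether that window is acceptable, and how key_havesp() is synchronized with SPD updates, would save the next reader the question.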
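Review bot: in the ipsec_hdrsiz_tcp() hunk, the new `!key_havesp(IPSEC_DIR_OUTBOUND)` test duplicates the guard this same change adds at the top of ipsec_hdrsiz() in ipsec.c. It still earns its place because it runs before the `m_gethdr(M_NOWAIT, MT_DATA)` allocation that follows, but a one-line comment saying so would keep a later cleanup from deleting it as redundant. The extra parentheses around the `!key_havesp(...)` term are unnecessary.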
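Review bot: in the ipsec46_in_reject() hunk, the new check sits above `IPSEC_ASSERT(m != NULL, ("null mbuf"))`, so a NULL mbuf is no longer caught on the no-policy path; placing the check after the assertion keeps the invariant enforced on every call. Since a 0 result from this function means the packet is not rejected, a comment should state explicitly that an empty inbound SPD accepts the packet without the normal policy lookup, so the intent is visible to anyone auditing the input path later. Style(9) also wants `return (0);` here.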
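Review bot: in the ipsec_hdrsiz() hunk, the same two points apply as in ipsec46_in_reject(): the guard precedes `IPSEC_ASSERT(m != NULL, ("null mbuf"))`, so the assertion should come first, and `return 0;` should be `return (0);`. Returning 0 is otherwise the right value for the no-policy case, since the function computes a header size (`size_t size`) and a caller reading "no IPsec header space needed" is correct when no policy exists for `dir`.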