From owner-svn-src-all@freebsd.org Fri Jul 3 15:31:57 2015 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5AB789939B8; Fri, 3 Jul 2015 15:31:57 +0000 (UTC) (envelope-from eri@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 479CE163C; Fri, 3 Jul 2015 15:31:57 +0000 (UTC) (envelope-from eri@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.14.9/8.14.9) with ESMTP id t63FVvkU079114; Fri, 3 Jul 2015 15:31:57 GMT (envelope-from eri@FreeBSD.org) Received: (from eri@localhost) by repo.freebsd.org (8.14.9/8.14.9/Submit) id t63FVvek079113; Fri, 3 Jul 2015 15:31:57 GMT (envelope-from eri@FreeBSD.org) Message-Id: <201507031531.t63FVvek079113@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: eri set sender to eri@FreeBSD.org using -f From: Ermal Luçi Date: Fri, 3 Jul 2015 15:31:57 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r285096 - head/sys/netipsec X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Jul 2015 15:31:57 -0000 Author: eri Date: Fri Jul 3 15:31:56 2015 New Revision: 285096 URL: https://svnweb.freebsd.org/changeset/base/285096 Log: Reduce overhead of IPSEC for traffic generated from host When IPSEC is enabled on the kernel the forwarding path has an optimization to not enter the code paths for checking security policies but first checks if there is any security policy active at all. The patch introduces the same optimization but for traffic generated from the host itself. This reduces the overhead by 50% on my tests for generated host traffic without and SP active. Differential Revision: https://reviews.freebsd.org/D2980 Reviewed by: ae, gnn Approved by: gnn(mentor) Modified: head/sys/netipsec/ipsec.c Modified: head/sys/netipsec/ipsec.c ============================================================================== --- head/sys/netipsec/ipsec.c Fri Jul 3 14:46:57 2015 (r285095) +++ head/sys/netipsec/ipsec.c Fri Jul 3 15:31:56 2015 (r285096) @@ -334,6 +334,12 @@ ipsec_getpolicybysock(struct mbuf *m, u_ IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, ("invalid direction %u", dir)); + if (!key_havesp(dir)) { + /* No SP found, use system default. */ + sp = KEY_ALLOCSP_DEFAULT(); + return (sp); + } + /* Set spidx in pcb. */ *error = ipsec_setspidx_inpcb(m, inp); if (*error)