Date: Fri, 27 Nov 2015 07:20:59 -0200 From: Renato Botelho <garga@FreeBSD.org> To: "George V. Neville-Neil" <gnn@FreeBSD.org> Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: Re: svn commit: r291355 - in stable/10/sys: netinet netipsec Message-ID: <37232D6B-AEC9-4271-8DB7-0606C298B25F@FreeBSD.org> In-Reply-To: <201511260224.tAQ2Ok8T023023@repo.freebsd.org> References: <201511260224.tAQ2Ok8T023023@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Nov 26, 2015, at 00:24, George V. Neville-Neil <gnn@FreeBSD.org> = wrote: >=20 > Author: gnn > Date: Thu Nov 26 02:24:45 2015 > New Revision: 291355 > URL: https://svnweb.freebsd.org/changeset/base/291355 >=20 > Log: > MFC 290028: > Turning on IPSEC used to introduce a slight amount of performance > degradation (7%) for host host TCP connections over 10Gbps links, > even when there were no secuirty policies in place. There is no > change in performance on 1Gbps network links. Testing GENERIC vs. > GENERIC-NOIPSEC vs. GENERIC with this change shows that the new > code removes any overhead introduced by having IPSEC always in the > kernel. >=20 > Differential Revision: D3993 > Sponsored by: Rubicon Communications (Netgate) >=20 > Modified: > stable/10/sys/netinet/ip_ipsec.c > stable/10/sys/netinet/tcp_subr.c > stable/10/sys/netipsec/ipsec.c > Directory Properties: > stable/10/ (props changed) >=20 > Modified: stable/10/sys/netinet/ip_ipsec.c > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- stable/10/sys/netinet/ip_ipsec.c Thu Nov 26 02:16:25 2015 = (r291354) > +++ stable/10/sys/netinet/ip_ipsec.c Thu Nov 26 02:24:45 2015 = (r291355) > @@ -230,6 +230,10 @@ ip_ipsec_output(struct mbuf **m, struct=20 > struct secpolicy *sp =3D NULL; > struct tdb_ident *tdbi; > struct m_tag *mtag; > + > + if (!key_havesp(IPSEC_DIR_OUTBOUND)) > + return 0; > + > /* > * Check the security policy (SP) for the packet and, if > * required, do IPsec-related processing. There are two >=20 > Modified: stable/10/sys/netinet/tcp_subr.c > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- stable/10/sys/netinet/tcp_subr.c Thu Nov 26 02:16:25 2015 = (r291354) > +++ stable/10/sys/netinet/tcp_subr.c Thu Nov 26 02:24:45 2015 = (r291355) > @@ -1947,7 +1947,8 @@ ipsec_hdrsiz_tcp(struct tcpcb *tp) > #endif > struct tcphdr *th; >=20 > - if ((tp =3D=3D NULL) || ((inp =3D tp->t_inpcb) =3D=3D NULL)) > + if ((tp =3D=3D NULL) || ((inp =3D tp->t_inpcb) =3D=3D NULL) || > + (!key_havesp(IPSEC_DIR_OUTBOUND))) Looks like style is broken here ^ -- Renato Botelho
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37232D6B-AEC9-4271-8DB7-0606C298B25F>