From owner-svn-src-head@freebsd.org Tue Oct 27 00:42:17 2015
Return-Path:
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	by mailman.ysv.freebsd.org (Postfix) with ESMTP id 391A3845F;
	Tue, 27 Oct 2015 00:42:17 +0000 (UTC)
	(envelope-from gnn@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id D65EA186B;
	Tue, 27 Oct 2015 00:42:16 +0000 (UTC)
	(envelope-from gnn@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
	by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t9R0gF9g081195;
	Tue, 27 Oct 2015 00:42:15 GMT
	(envelope-from gnn@FreeBSD.org)
Received: (from gnn@localhost)
	by repo.freebsd.org (8.15.2/8.15.2/Submit) id t9R0gFID081191;
	Tue, 27 Oct 2015 00:42:15 GMT
	(envelope-from gnn@FreeBSD.org)
Message-Id: <201510270042.t9R0gFID081191@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: gnn set sender to gnn@FreeBSD.org using -f
From: "George V. Neville-Neil"
Date: Tue, 27 Oct 2015 00:42:15 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r290028 - in head/sys: netinet netipsec
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
X-List-Received-Date: Tue, 27 Oct 2015 00:42:17 -0000

Author: gnn
Date: Tue Oct 27 00:42:15 2015
New Revision: 290028
URL: https://svnweb.freebsd.org/changeset/base/290028

Log:
  Turning on IPSEC used to introduce a slight amount of performance
  degradation (7%) for host-to-host TCP connections over 10Gbps links,
  even when there were no security policies in place.  There is no
  change in performance on 1Gbps network links.  Testing GENERIC vs.
  GENERIC-NOIPSEC vs. GENERIC with this change shows that the new code
  removes any overhead introduced by having IPSEC always in the kernel.

  Differential Revision:	D3993
  MFC after:	1 month
  Sponsored by:	Rubicon Communications (Netgate)

Modified:
  head/sys/netinet/ip_ipsec.c
  head/sys/netinet/tcp_subr.c
  head/sys/netipsec/ipsec.c

Modified: head/sys/netinet/ip_ipsec.c
==============================================================================
--- head/sys/netinet/ip_ipsec.c	Tue Oct 27 00:37:19 2015	(r290027)
+++ head/sys/netinet/ip_ipsec.c	Tue Oct 27 00:42:15 2015	(r290028)
@@ -158,6 +158,10 @@ int ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *error) { struct secpolicy *sp; + + if (!key_havesp(IPSEC_DIR_INBOUND)) + return 0; + /* * Check the security policy (SP) for the packet and, if * required, do IPsec-related processing. There are two Modified: head/sys/netinet/tcp_subr.c ============================================================================== --- head/sys/netinet/tcp_subr.c Tue Oct 27 00:37:19 2015 (r290027) +++ head/sys/netinet/tcp_subr.c Tue Oct 27 00:42:15 2015 (r290028) @@ -1972,7 +1972,8 @@ ipsec_hdrsiz_tcp(struct tcpcb *tp) #endif struct tcphdr *th; - if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL)) + if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL) || + (!key_havesp(IPSEC_DIR_OUTBOUND))) return (0); m = m_gethdr(M_NOWAIT, MT_DATA); if (!m) Modified: head/sys/netipsec/ipsec.c ============================================================================== --- head/sys/netipsec/ipsec.c Tue Oct 27 00:37:19 2015 (r290027) +++ head/sys/netipsec/ipsec.c Tue Oct 27 00:42:15 2015 (r290028) @@ -1276,6 +1276,9 @@ ipsec46_in_reject(struct mbuf *m, struct int error; int result; + if (!key_havesp(IPSEC_DIR_INBOUND)) + return 0; + IPSEC_ASSERT(m != NULL, ("null mbuf")); /* Get SP for this packet. */ @@ -1403,6 +1406,9 @@ ipsec_hdrsiz(struct mbuf *m, u_int dir, int error; size_t size; + if (!key_havesp(dir)) + return 0; + IPSEC_ASSERT(m != NULL, ("null mbuf")); /* Get SP for this packet. */
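Review bot: in the ip_ipsec.c hunk, ip_ipsec_output() is the outbound path but the new early return tests key_havesp(IPSEC_DIR_INBOUND); it should be `if (!key_havesp(IPSEC_DIR_OUTBOUND))`, the direction the tcp_subr.c hunk in this same patch uses for the matching header-size computation. As written, a host that has outbound SPs but no inbound SPs returns 0 before the SP lookup and sends its outbound traffic without any IPsec processing, which is a policy bypass, while a host with only inbound SPs still pays the full lookup on every outbound packet, which is exactly the cost this change sets out to remove. Two smaller points: `return 0;` should be `return (0);` per style(9), as the `return (0);` already visible in the tcp_subr.c hunk does, and the early return leaves `*error` untouched, so confirm that no caller reads it when the function returns 0.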
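Review bot: the tcp_subr.c hunk gates ipsec_hdrsiz_tcp() on key_havesp(IPSEC_DIR_OUTBOUND), which is the right direction for sizing the headers of outgoing segments, but the ip_ipsec_output() hunk in this patch gates on IPSEC_DIR_INBOUND. The two must agree: with outbound-only SPs, TCP reserves room for AH/ESP headers that the output path then never adds, and with inbound-only SPs it reserves none while the output path still runs the SP lookup. The fix belongs on the ip_ipsec.c side; this hunk can stay as is.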
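Review bot: in the ipsec46_in_reject() hunk the new `if (!key_havesp(IPSEC_DIR_INBOUND)) return 0;` sits above `IPSEC_ASSERT(m != NULL, ("null mbuf"));`, so a NULL mbuf handed in while the inbound SPD is empty is no longer caught; move the check below the assertion so the invariant is verified on every call, and write it as `return (0);` per style(9). Separately, the comment that follows ("Get SP for this packet.") marks the lookup this early return now skips; whatever that lookup yields when nothing matches (the configured default policy) no longer applies when there are no SPs, so confirm that "not rejected" is the intended answer in that configuration rather than what the default policy would have returned.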
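Review bot: in the ipsec_hdrsiz() hunk the `if (!key_havesp(dir)) return 0;` check is likewise placed above `IPSEC_ASSERT(m != NULL, ("null mbuf"));`, so the null-mbuf assertion is skipped whenever the SPD for `dir` is empty; put the check after the assertion and use `return (0);` per style(9). Since `dir` is a caller-supplied `u_int` here rather than a fixed IPSEC_DIR_* constant, also check that key_havesp() handles every value callers pass in before this lands.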