From c1fc5e96016e21b74432999ab6ec4a72d4a0b60c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ermal=20Lu=C3=A7i?= Date: Fri, 3 Jul 2015 15:31:56 +0000 Subject: [PATCH] Reduce overhead of IPSEC for traffic generated from host When IPSEC is enabled on the kernel the forwarding path has an optimization to not enter the code paths for checking security policies but first checks if there is any security policy active at all. The patch introduces the same optimization but for traffic generated from the host itself. This reduces the overhead by 50% on my tests for generated host traffic without and SP active. Differential Revision: https://reviews.freebsd.org/D2980 Reviewed by: ae, gnn Approved by: gnn(mentor) --- sys/netipsec/ipsec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index 266f6d00d5a..2ac87ab5523 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -334,6 +334,12 @@ ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error) IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, ("invalid direction %u", dir)); + if (!key_havesp(dir)) { + /* No SP found, use system default. */ + sp = KEY_ALLOCSP_DEFAULT(); + return (sp); + } + /* Set spidx in pcb. */ *error = ipsec_setspidx_inpcb(m, inp); if (*error)