author | Henning Brauer <henning@cvs.openbsd.org> | 2007-05-29 17:46:25 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2007-05-29 17:46:25 +0000 |
commit | 0fe9ea93a5f63f7cb864484bf05b41d9acba69d4 (patch) | |
tree | b9961f1cc526ebe495ec11982b875b08d9ca8221 /sys | |
parent | 52d300b4d130e194746bc0a970363cb33e8bf086 (diff) |
gain another 5+% in ip forwarding performance.
boring details:
skip looking for ipsec tags and descending into ip_spd_lookup if there
are no ipsec flows, except in one case in ip_output (spotted by markus)
where we have to if we have a pcb. ip_spd_lookup has the shortcut already,
but there is enough work done before so that skipping that gains us about
5%. ok theo, markus
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/ip_input.c | 16 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 13 |
2 files changed, 21 insertions, 8 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 529d271fbea..082e813889e 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.149 2007/05/28 17:16:39 henning Exp $ */
+/* $OpenBSD: ip_input.c,v 1.150 2007/05/29 17:46:24 henning Exp $ */
 /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
 /*
@@ -90,6 +90,9 @@ int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
 char ipsec_def_enc[20];
 char ipsec_def_auth[20];
 char ipsec_def_comp[20];
+#ifdef IPSEC
+extern int ipsec_in_use;
+#endif /* IPSEC */
 /* values controllable via sysctl */
 int ipforwarding = 0;
@@ -491,8 +494,10 @@ ipv4_input(m)
 if (ipforwarding == 0) {
 ipstat.ips_cantforward++;
 m_freem(m);
- } else {
+ return;
+ }
 #ifdef IPSEC
+ if (ipsec_in_use) {
 /*
 * IPsec policy check for forwarded packets. Look at
 * inner-most IPsec SA used.
@@ -519,10 +524,10 @@ ipv4_input(m)
 * Fall through, forward packet. Outbound IPsec policy
 * checking will occur in ip_output().
 */
+ }
 #endif /* IPSEC */
- ip_forward(m, pfrdr);
- }
+ ip_forward(m, pfrdr);
 return;
 ours:
@@ -617,6 +622,9 @@ found:
 }
 #ifdef IPSEC
+ if (!ipsec_in_use)
+ goto skipipsec;
+
 /*
 * If it's a protected packet for us, skip the policy check.
 * That's because we really only care about the properties of
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index d41a11c4b45..c23e55f4683 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.185 2007/05/27 20:15:48 dlg Exp $ */
+/* $OpenBSD: ip_output.c,v 1.186 2007/05/29 17:46:24 henning Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 /*
@@ -78,6 +78,7 @@ extern int ipsec_esp_trans_default_level;
 extern int ipsec_esp_network_default_level;
 extern int ipsec_ipcomp_default_level;
 extern int ipforwarding;
+extern int ipsec_in_use;
 #endif /* IPSEC */
 #ifdef MROUTING
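Review bot: The inbound policy check for forwarded packets in ipv4_input() now runs only inside `if (ipsec_in_use) {`, and nothing on the new side states what that flag guarantees; the same dependency is introduced at `found:` by `if (!ipsec_in_use) goto skipipsec;`. Both shortcuts fail open: if the flag can read 0 while a flow is already installed, a packet is forwarded or delivered without the policy lookup. The flag's definition and update sites are outside this diff, so that ordering cannot be confirmed here. I would record the invariant next to the `extern int ipsec_in_use;` declaration, e.g. `/* nonzero from before the first IPsec flow is installed; 0 skips all SPD checks */`. The policy-check body between the two ipv4_input hunks is not shown.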
@@ -243,6 +244,9 @@ ip_output(struct mbuf *m0, ...)
 }
 #ifdef IPSEC
+ if (!ipsec_in_use && inp == NULL)
+ goto done_spd;
+
 /*
 * splnet is chosen over spltdb because we are not allowed to
 * lower the level, and udp_output calls us in splnet().
@@ -655,8 +659,9 @@ sendit:
 * If deferred crypto processing is needed, check that the
 * interface supports it.
 */
- if ((mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL))
- != NULL && (ifp->if_capabilities & IFCAP_IPSEC) == 0) {
+ if (ipsec_in_use && (mtag = m_tag_find(m,
+ PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) != NULL &&
+ (ifp->if_capabilities & IFCAP_IPSEC) == 0) {
 /* Notify IPsec to do its own crypto. */
 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
 m_freem(m);
@@ -697,7 +702,7 @@ sendit:
 #endif
 #ifdef IPSEC
- if ((flags & IP_FORWARDING) && (ipforwarding == 2) &&
+ if (ipsec_in_use && (flags & IP_FORWARDING) && (ipforwarding == 2) &&
 (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) {
 error = EHOSTUNREACH;
 m_freem(m); |
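Review bot: The early exit `if (!ipsec_in_use && inp == NULL) goto done_spd;` in ip_output() has no comment explaining the `inp == NULL` half; the only rationale is in the commit message ("we have to if we have a pcb"). Without it the test reads like a candidate for simplification to `!ipsec_in_use`, which would skip the lookup for packets sent with a pcb. A one-line comment above the test would do: `/* with a pcb the SPD lookup must still run even when no flows exist */`. The `done_spd` label and the skipped block lie outside the hunk, so whether any local assigned in that block is read after the label should be checked against the full function.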
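Review bot: In the last ip_output.c hunk, prefixing the `ipforwarding == 2` test with `ipsec_in_use &&` turns the rejection off entirely when the flag is 0: a forwarded packet without `PACKET_TAG_IPSEC_IN_DONE` previously got `EHOSTUNREACH` and is now sent on. If `ipforwarding == 2` is meant to forward only IPsec-processed traffic (inferred from the tag test), the restriction fails open in exactly the no-flows state. The tag lookup can still be skipped without changing the outcome by moving the flag inside the condition: `(!ipsec_in_use || m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)`. The same shortcut on the `PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED` test in the hunk above is equivalent only if that tag is never attached while `ipsec_in_use` is 0. The enclosing code after `sendit:` continues outside both hunks.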