During forwarding skip another route lookup which is not needed if IPSEC policies will consume the packet.
This is limited to IPv4 for now to keep the changes small.
Details
Diff Detail
- Repository: rS FreeBSD src repository - subversion
- Lint: Lint Skipped
- Unit: Tests Skipped
Event Timeline
I could be wrong, but it seems that after this optimization we lose the ability to receive ICMP_UNREACH messages from the IPSEC gateway.
Yes, I was wrong. Now I see that you removed #ifndef IPSEC from ip_forward. Seems correct to me. Can you fix the comment?
| sys/netinet/ip_input.c | |
|---|---|
| 964 | This comment became stale. |
It would be great if we could eliminate those ugly cases.
The only difference between returning -1 and 1 is in calling m_freem() in the caller.
We can do m_freem() in ip_ipsec_output() and return either 0 or a nonzero value.
Sure gnn@, I can write Obtained from eri et al.
What have you been smoking lately? Can you clarify what this Obtained from should contain and your reasoning behind it?
I believe that while these are not the exact same patch, this is based on work that was committed here first:
While that is not an openly available link, clearly the target is different.
That patch is about IPSec not impacting the forwarding path when it's not in use at all, while this patch is about avoiding a routing lookup when IPSec is in use, more in relation with the commit in FreeBSD removing redundant routing table lookups in the forwarding path.
If you think they are related, well, I do not share the same opinion on the arguments above.
Also, that patch is based on work of the OpenBSD project and duly attributed in the pfSense closed source repository.
Please consult with me before having to make this into a public review system for development purposes!