IPSEC forwarding performance improvement
Abandoned, Public

Authored by eri on Jul 10 2015, 7:31 AM.

Details

Reviewers
melifaro
ae
gnn
Summary

During forwarding, skip another route lookup, which is not needed if IPSEC policies will consume the packet.
This is limited to IPv4 for now to keep the changes small.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

eri retitled this revision from to IPSEC forwarding performance improvement.
eri updated this object.
eri edited the test plan for this revision.
eri added reviewers: ae, gnn.
eri set the repository for this revision to rS FreeBSD src repository - subversion.
eri added a project: network.
eri added a subscriber: network.

I could be wrong, but it seems that after this optimization we lose the ability to receive ICMP_UNREACH messages from the IPSEC gateway.

Bump. What do you think about the ICMP issue?

I do not see why the receiving of the ICMP_UNREACH is impacted by this?

Yes, I was wrong. Now I see that you removed #ifndef IPSEC from ip_forward. Seems correct to me. Can you fix the comment?

sys/netinet/ip_input.c:964

This comment became stale.

melifaro added a reviewer: melifaro.
melifaro added a subscriber: melifaro.

It would be great if we could eliminate those ugly cases.
The only difference between returning -1 and 1 is in calling m_freem() in caller.
We can do m_freem() in ip_ipsec_output() and return either 0 or nonzero value.

This revision now requires changes to proceed. Aug 10 2015, 9:05 AM
gnn requested changes to this revision. Aug 29 2015, 2:48 PM
gnn edited edge metadata.

This will also need an Obtained from: credit.

Sure gnn@, I can write Obtained from eri et al.
What have you been smoking lately? Can you clarify what this Obtained from should contain and your reasoning behind it?

I believe that while these are not the exact same patch, this is based on work that was committed here first:

https://github.com/pfsense/pfsense-tools/blob/RELENG_2_2/patches/releng/10.1/IPSEC_sysctl.RELENG_10.diff

While that is not an openly available link, clearly the target is different.
That patch is about IPSec not impacting the forwarding path when it's not in use at all,
while this patch is about avoiding a routing lookup when IPSec is in use, more in relation with the commit in FreeBSD removing redundant routing table lookups in the forwarding path.

If you think they are related, well, I do not share the same opinion on the arguments above.

Also, that patch is based on work of the OpenBSD project and duly attributed in the pfSense closed source repository.
Please consult with me before having to make this into a public review system for development purpose!

gnn added a subscriber: loos.