commit fe05dca7774e98adfeb1faefe8b98d6b398eae53 (HEAD -> ipsec)
Author: Mateusz Guzik <mjg@FreeBSD.org>
Date:   Wed Sep 7 22:05:38 2022 +0200

    ipsec: add key_havesp_any

    Saves on work in a common case of checking both directions.

    Note further work in the area is impending to elide these in the
    common case to begin with.

    Reviewed by:
    Sponsored by: Rubicon Communications, LLC ("Netgate")
    Differential Revision:

commit bec3c2d77d20bcc76a92f86f7340d1008b6e847d
Author: Mateusz Guzik <mjg@FreeBSD.org>
Date:   Wed Sep 7 22:27:15 2022 +0200

    ipsec: prohibit unknown directions in key_havesp

    Eliminates a branch checking for its validity.

    Reviewed by:
    Sponsored by: Rubicon Communications, LLC ("Netgate")
    Differential Revision:

compiled in but disabled ipsec shows up on profiles, see https://github.com/ocochard/netbenches/blob/master/Xeon_E5-2697Av4_16Cores-Mellanox_ConnectX-4/firewalls/results/fbsd14-n277887-IPSEC/README.md
the above is an initial step towards fixing that problem
later I'm going to create a combined var recalculated on each V_forwarding + key_havesp_any change so that no function calls will be issued to begin with.
this in ip_input:
	if (V_ipforwarding != 0
#if defined(IPSEC) || defined(IPSEC_SUPPORT)
	    && (!IPSEC_ENABLED(ipv4) ||
	    IPSEC_CAPS(ipv4, m, IPSEC_CAP_OPERABLE) == 0)
#endif
	    ) {
will collapse into
if (V_ipcantryforward != 0) {
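
A user-space C model of the combined variable described above, added here as an illustration; it is not code from the FreeBSD tree or from this review. Every name except ipcantryforward is hypothetical, and it assumes the operable check reduces to "a security policy is installed in either direction".

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical user-space model; only the ipcantryforward name is from the page. */
enum { DIR_IN = 0, DIR_OUT = 1 };

static int ipforwarding;            /* models V_ipforwarding */
static bool ipsec_enabled;          /* models IPSEC_ENABLED(ipv4) */
static unsigned spd_count[2];       /* installed security policies per direction */
static atomic_int ipcantryforward;  /* cached answer read by the packet path */

/* Models key_havesp_any(): is a policy installed in either direction? */
static bool havesp_any(void) { return (spd_count[DIR_IN] | spd_count[DIR_OUT]) != 0; }

/* The uncached condition, modelled on the ip_input check quoted above. */
int slow_check(void)
{
    return ipforwarding != 0 && (!ipsec_enabled || !havesp_any());
}

/*
 * Recompute the cached flag. Every writer of an input must call this; a
 * missed call leaves the flag stale and packets would take the forwarding
 * fast path although a security policy is installed.
 * Writers are assumed to be serialized (a kernel would hold a lock here).
 */
static void recalc(void)
{
    atomic_store_explicit(&ipcantryforward, slow_check(), memory_order_release);
}

void set_forwarding(int on)     { ipforwarding = on; recalc(); }
void set_ipsec_enabled(bool on) { ipsec_enabled = on; recalc(); }
void sp_add(int dir)            { spd_count[dir]++; recalc(); }
void sp_del(int dir)            { if (spd_count[dir] > 0) spd_count[dir]--; recalc(); }

/* Packet path: a single load, no call into the IPsec code. */
int can_try_forward(void)
{
    return atomic_load_explicit(&ipcantryforward, memory_order_acquire);
}
```

The invariant to keep when reviewing such a change is that can_try_forward() equals slow_check() after every configuration update, so any new writer of an input has to go through recalc().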