Hi,

When sending packets, we spend 2.2% doing IPsec lookups, even if no IPsec is configured. Search for ipsp_spd_lookup here: http://bluhm.genua.de/perform/results/2022-03-03T23:17:19Z/2022-03-03T00%3A00%3A00Z/btrace/iperf3_-c10.3.45.35_-w1m_-t10-btrace-kstack.0.svg

Usually we check ipsec_in_use as shortcut, but that does not work when coming from tcp_output() as inp != NULL. This seems to be done to block packets from sockets with options in inp_seclevel. But instead of doing the route lookup, we can go directly to ipsp_spd_inp() where the socket policy checks are done. Calling rtable_l2() before the shortcut also costs a bit.

With that we gain 7% TCP throughput without IPsec. http://bluhm.genua.de/perform/results/2022-03-03T23:17:19Z/perform.html

ok?

bluhm

Index: netinet/ip_spd.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_spd.c,v retrieving revision 1.112 diff -u -p -r1.112 ip_spd.c --- netinet/ip_spd.c 22 Feb 2022 01:15:02 -0000 1.112 +++ netinet/ip_spd.c 4 Mar 2022 20:55:34 -0000 @@ -160,7 +160,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, struct ipsec_policy *ipo; struct ipsec_ids *ids = NULL; int error, signore = 0, dignore = 0; - u_int rdomain = rtable_l2(m->m_pkthdr.ph_rtableid); + u_int rdomain; NET_ASSERT_LOCKED(); @@ -168,11 +168,8 @@ ipsp_spd_lookup(struct mbuf *m, int af, * If there are no flows in place, there's no point * continuing with the SPD lookup. */ - if (!ipsec_in_use && inp == NULL) { - if (tdbout != NULL) - *tdbout = NULL; - return 0; - } + if (!ipsec_in_use) + return ipsp_spd_inp(m, inp, NULL, tdbout); /* * If an input packet is destined to a BYPASS socket, just accept it. @@ -302,6 +299,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, } /* Actual SPD lookup. */ + rdomain = rtable_l2(m->m_pkthdr.ph_rtableid); if ((rnh = spd_table_get(rdomain)) == NULL || (rn = rn_match((caddr_t)&dst, rnh)) == NULL) { /*
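Review bot: the second hunk changes the result of the !ipsec_in_use fast path for the inp == NULL case: the removed code set *tdbout = NULL (when tdbout != NULL) and returned 0, while the new `return ipsp_spd_inp(m, inp, NULL, tdbout);` hands a NULL inp and a NULL third argument to ipsp_spd_inp(). Please confirm that ipsp_spd_inp() tolerates both NULLs and yields the same (NULL tdb, return 0) outcome for socket-less packets, since that is the common forwarding case. The shortcut now also fires before the "If an input packet is destined to a BYPASS socket" check that follows in the unchanged context, so the commit message or the comment above the shortcut ("If there are no flows in place, there's no point continuing with the SPD lookup.") should say that socket policy (inp_seclevel, BYPASS) is still enforced inside ipsp_spd_inp() rather than here.

Review bot: the first hunk leaves `u_int rdomain;` uninitialized until the third hunk assigns it immediately before spd_table_get(); the roughly 130 lines between the two hunks are not in the diff, so check that nothing there reads rdomain (a -Wuninitialized build should stay quiet). Deferring the rtable_l2() call is the point of the change, so this is only a request to verify, not to move the assignment back.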
