FAST_IPSEC and tunnelled packets processing
gnn at freebsd.org
gnn at freebsd.org
Fri Mar 10 11:37:03 UTC 2006
At Thu, 9 Mar 2006 15:53:03 +0100,
VANHULLEBUS Yvan wrote:
>
> On Wed, Mar 08, 2006 at 08:02:36PM -0800, Sam Leffler wrote:
> [.....]
> > If I recall the IPIP handling is different from KAME because there is
> > support for IPIP encapsulation independent of the IPsec protocols while
> > KAME only handles IPIP as part of the ESP tunnel configuration. As to
> > overhead, in practice, at least back in 4.x where this work was
> > originally done, the netisr dispatch was effectively shortcircuited
> > because the dispatch was done from the netisr thread so the net cost was
> > a enqueue+dequeue of the packet. I'm not sure about extraneous trips
> > through ip_input or not stripping headers; this stuff used to work right
> > but I've not looked at the code in years.
>
> There IS some code to remove the IPIP header, but it doesn't work.
>
> I just reported pr kern/94273 with a patch which solves it.
>
Bug taken by me :-) I'll try your patch and commit as necessary.
Later,
George
More information about the freebsd-net
mailing list