| author | 2019-12-06 14:43:14 +0000 | |
|---|---|---|
| committer | 2019-12-06 14:43:14 +0000 | |
| commit | 08ae2611a7fae0a892ed4426463fbc2b97add279 (patch) | |
| tree | 11ec12646e5fcd941962a390beada933e5f127a2 /sys/netinet/tcp_input.c | |
| parent | Various cleanup tweaks. 'return' is not a function. KNF. Whitespace, (diff) | |
Checking the IPsec policy is expensive. Check only when IPsec is used.
ok bluhm@
Diffstat (limited to 'sys/netinet/tcp_input.c')
| -rw-r--r-- | sys/netinet/tcp_input.c | 30 |
1 files changed, 16 insertions, 14 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 8371910c9df..5da77b915ae 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.363 2019/11/29 22:06:19 tobhe Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.364 2019/12/06 14:43:14 tobhe Exp $ */
 /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
 /*
@@ -570,19 +570,21 @@ findpcb:
 */
 }
 #ifdef IPSEC
- /* Find most recent IPsec tag */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- tdb = gettdb(tdbi->rdomain, tdbi->spi,
- &tdbi->dst, tdbi->proto);
- } else
- tdb = NULL;
- ipsp_spd_lookup(m, af, iphlen, &error, IPSP_DIRECTION_IN,
- tdb, inp, 0);
- if (error) {
- tcpstat_inc(tcps_rcvnosec);
- goto drop;
+ if (ipsec_in_use) {
+ /* Find most recent IPsec tag */
+ mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
+ if (mtag != NULL) {
+ tdbi = (struct tdb_ident *)(mtag + 1);
+ tdb = gettdb(tdbi->rdomain, tdbi->spi,
+ &tdbi->dst, tdbi->proto);
+ } else
+ tdb = NULL;
+ ipsp_spd_lookup(m, af, iphlen, &error, IPSP_DIRECTION_IN,
+ tdb, inp, 0);
+ if (error) {
+ tcpstat_inc(tcps_rcvnosec);
+ goto drop;
+ }
 }
 #endif /* IPSEC */
|
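Review bot: With the new `if (ipsec_in_use)` guard in the second hunk, the inbound policy lookup and its `tcps_rcvnosec` drop are skipped entirely whenever the global flag is clear, so this path fails open unless the flag is guaranteed to be set before any policy can apply. `ipsp_spd_lookup()` is passed `inp`, which suggests it may also enforce per-socket requirements; if so, a socket that demands IPsec while no flows or SAs are configured would presumably accept unprotected segments here, which should be confirmed against the lookup function and the place where `ipsec_in_use` is set. I would record the invariant above the guard, for example `/* ipsec_in_use must be set before any SPD entry or per-socket IPsec requirement can apply, else this skip fails open */`. The enclosing function starts and ends outside the hunk, so whether `tdb` is read later without having been assigned on the skipped path cannot be checked from here.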
