CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2021/12/23 05:21:48
Modified files:
sys/net : if_bridge.c
sys/netinet : ip_ah.c ip_esp.c ip_ipcomp.c ip_output.c
ipsec_input.c ipsec_output.c
sys/netinet6 : ip6_output.c
Log message:
IPsec is not MP safe yet. To allow forwarding in parallel without
dirty hacks, it is better to protect IPsec input and output with
kernel lock. Not much is lost as crypto needs the kernel lock
anyway. From here we can refine the lock later.
Note that there is no kernel lock in the SPD lockup path. Goal is
to keep that lock free to allow fast forwarding with non IPsec
traffic.
tested by Hrvoje Popovski; OK tobhe@
