IPsec: Disable XFRM policy lookup for VTI devices

Message ID 20210114185403.8839-1-michael.tremer@ipfire.org
State Accepted
Commit 0de7cc50ac420b3a635a342197a0174d5eeb4e1d
Series IPsec: Disable XFRM policy lookup for VTI devices

Commit Message

Michael Tremer Jan. 14, 2021, 6:54 p.m. UTC
  This speeds up throughput slightly

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/scripts/ipsec-interfaces | 5 +++++
 1 file changed, 5 insertions(+)
  

Patch

diff --git a/src/scripts/ipsec-interfaces b/src/scripts/ipsec-interfaces
index 2546f8927..f0983dbdc 100644
--- a/src/scripts/ipsec-interfaces
+++ b/src/scripts/ipsec-interfaces
@@ -228,6 +228,11 @@  main() {
 			ip addr flush dev "${intf}"
 			ip addr add "${interface_address}" dev "${intf}"
 
+			# Disable IPsec policy lookup for VTI
+			if [ "${interface_mode}" = "vti" ]; then
+				sysctl -qw "net.ipv4.conf.${intf}.disable_policy=1"
+			fi
+
 			# Set MTU
 			ip link set dev "${intf}" mtu "${interface_mtu}"
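
Review bot: The new `if [ "${interface_mode}" = "vti" ]` block turns off a security check on the interface, but neither the comment `# Disable IPsec policy lookup for VTI` nor the commit message says why that is safe; the only stated reason is throughput. Please extend the comment to say what still enforces the IPsec policy for traffic on the VTI device once `disable_policy=1` is set. The block also writes only `net.ipv4.conf.${intf}.disable_policy`, so it should state whether IPv6 traffic over the tunnel needs the matching `net.ipv6.conf.${intf}.disable_policy` key or is intentionally left alone. Finally, the exit status of `sysctl -qw` is not checked, so a failed write goes unnoticed and the script carries on to the MTU step; consider logging the failure.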