IPsec: Disable XFRM policy lookup for VTI devices

This speeds up throughput slightly Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-20 07:53:01 +02:00 · 2021-01-14 18:54:03 +00:00
parent 37ff8e005d
commit 0de7cc50ac
1 changed files with 5 additions and 0 deletions
--- a/src/scripts/ipsec-interfaces
+++ b/src/scripts/ipsec-interfaces
@@ -228,6 +228,11 @@ main() {
 			ip addr flush dev "${intf}"
 			ip addr add "${interface_address}" dev "${intf}"

+			# Disable IPsec policy lookup for VTI
+			if [ "${interface_mode}" = "vti" ]; then
+				sysctl -qw "net.ipv4.conf.${intf}.disable_policy=1"
+			fi
+
 			# Set MTU
 			ip link set dev "${intf}" mtu "${interface_mtu}"