From 518a78c9d231a9873c756b7edf1a06990bd0f6fb Mon Sep 17 00:00:00 2001
From: Jay Wren <jay.wren@slack-corp.com>
Date: Tue, 18 Nov 2025 14:19:05 -0500
Subject: [PATCH] preallocate nonce buffer

---
 inside.go    | 3 +--
 interface.go | 5 ++++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/inside.go b/inside.go
index 07f0418..5462709 100644
--- a/inside.go
+++ b/inside.go
@@ -21,10 +21,9 @@ import (
 // localCache: firewall conntrack cache
 // batchPackets: pre-allocated slice for accumulating encrypted packets
 // batchAddrs: pre-allocated slice for accumulating destination addresses
-func (f *Interface) consumeInsidePackets(packets [][]byte, sizes []int, count int, outs [][]byte, q int, localCache firewall.ConntrackCache, batchPackets *[][]byte, batchAddrs *[]netip.AddrPort) {
+func (f *Interface) consumeInsidePackets(packets [][]byte, sizes []int, count int, outs [][]byte, nb []byte, q int, localCache firewall.ConntrackCache, batchPackets *[][]byte, batchAddrs *[]netip.AddrPort) {
 	// Reusable per-packet state
 	fwPacket := &firewall.Packet{}
-	nb := make([]byte, 12, 12)
 
 	// Reset batch accumulation slices (reuse capacity)
 	*batchPackets = (*batchPackets)[:0]
diff --git a/interface.go b/interface.go
index d80a721..725a6dd 100644
--- a/interface.go
+++ b/interface.go
@@ -345,6 +345,9 @@ func (f *Interface) listenInBatch(reader io.ReadWriteCloser, batchReader BatchRe
 	batchPackets := make([][]byte, 0, batchSize)
 	batchAddrs := make([]netip.AddrPort, 0, batchSize)
 
+	// Pre-allocate nonce buffer (reused for all encryptions)
+	nb := make([]byte, 12, 12)
+
 	conntrackCache := firewall.NewConntrackCacheTicker(f.conntrackCacheTimeout)
 
 	tunBatchHist := metrics.GetOrRegisterHistogram("batch.tun_read_size", nil, metrics.NewUniformSample(1024))
@@ -364,7 +367,7 @@ func (f *Interface) listenInBatch(reader io.ReadWriteCloser, batchReader BatchRe
 		tunBatchHist.Update(int64(n))
 
 		// Process all packets in the batch at once
-		f.consumeInsidePackets(bufs, sizes, n, outs, i, conntrackCache.Get(f.l), &batchPackets, &batchAddrs)
+		f.consumeInsidePackets(bufs, sizes, n, outs, nb, i, conntrackCache.Get(f.l), &batchPackets, &batchAddrs)
 	}
 }