* pull request (net-next): ipsec-next 2014-12-03
@ 2014-12-03 10:04 Steffen Klassert
2014-12-03 10:04 ` [PATCH 1/5] xfrm: fix set but not used warning in xfrm_policy_queue_process() Steffen Klassert
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Steffen Klassert @ 2014-12-03 10:04 UTC (permalink / raw
To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev
1) Fix a set but not used warning. From Fabian Frederick.
2) Currently we make sequence number values available to userspace
only if we use ESN. Make the sequence number values also available
for non ESN states. From Zhi Ding.
3) Remove socket policy hashing. We don't need it because socket
policies are always looked up via a linked list. From Herbert Xu.
4) After removing socket policy hashing, we can use __xfrm_policy_link
in xfrm_policy_insert. From Herbert Xu.
5) Add a lookup method for vti6 tunnels with wildcard endpoints.
I forgot this when I initially implemented vti6.
Please pull or let me know if there are problems.
Thanks!
The following changes since commit 49cc91f919e2a94df8c9f99aae9b405444e88624:
Merge branch 's390-next' (2014-10-26 22:21:45 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git master
for you to fetch changes up to fbe68ee87522f6eaa10f9076c0a7117e1613f2f7:
vti6: Add a lookup method for tunnels with wildcard endpoints. (2014-11-20 10:03:07 +0100)
----------------------------------------------------------------
Fabian Frederick (1):
xfrm: fix set but not used warning in xfrm_policy_queue_process()
Herbert Xu (2):
xfrm: Do not hash socket policies
xfrm: Use __xfrm_policy_link in xfrm_policy_insert
Steffen Klassert (1):
vti6: Add a lookup method for tunnels with wildcard endpoints.
dingzhi (1):
xfrm: add XFRMA_REPLAY_VAL attribute to SA messages
include/net/netns/xfrm.h | 4 ++--
net/ipv6/ip6_vti.c | 17 ++++++++++++++++
net/xfrm/xfrm_policy.c | 52 +++++++++++++++++++++++++++---------------------
net/xfrm/xfrm_user.c | 12 +++++++----
4 files changed, 56 insertions(+), 29 deletions(-)
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/5] xfrm: fix set but not used warning in xfrm_policy_queue_process()
2014-12-03 10:04 pull request (net-next): ipsec-next 2014-12-03 Steffen Klassert
@ 2014-12-03 10:04 ` Steffen Klassert
2014-12-03 10:04 ` [PATCH 2/5] xfrm: add XFRMA_REPLAY_VAL attribute to SA messages Steffen Klassert
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Steffen Klassert @ 2014-12-03 10:04 UTC (permalink / raw
To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Fabian Frederick <fabf@skynet.be>
err was set but unused.
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_policy.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 4c4e457..dc65324 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1878,7 +1878,6 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
static void xfrm_policy_queue_process(unsigned long arg)
{
- int err = 0;
struct sk_buff *skb;
struct sock *sk;
struct dst_entry *dst;
@@ -1941,7 +1940,7 @@ static void xfrm_policy_queue_process(unsigned long arg)
skb_dst_drop(skb);
skb_dst_set(skb, dst);
- err = dst_output(skb);
+ dst_output(skb);
}
out:
--
1.9.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 2/5] xfrm: add XFRMA_REPLAY_VAL attribute to SA messages
2014-12-03 10:04 pull request (net-next): ipsec-next 2014-12-03 Steffen Klassert
2014-12-03 10:04 ` [PATCH 1/5] xfrm: fix set but not used warning in xfrm_policy_queue_process() Steffen Klassert
@ 2014-12-03 10:04 ` Steffen Klassert
2014-12-03 10:04 ` [PATCH 3/5] xfrm: Do not hash socket policies Steffen Klassert
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Steffen Klassert @ 2014-12-03 10:04 UTC (permalink / raw
To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev
From: dingzhi <zhi.ding@6wind.com>
After this commit, the attribute XFRMA_REPLAY_VAL is added when no ESN replay
value is defined. Thus sequence number values are always notified to userspace.
Signed-off-by: dingzhi <zhi.ding@6wind.com>
Signed-off-by: Adrien Mazarguil <adrien.mazarguil@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_user.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index e812e98..8128594 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -824,13 +824,15 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
ret = xfrm_mark_put(skb, &x->mark);
if (ret)
goto out;
- if (x->replay_esn) {
+ if (x->replay_esn)
ret = nla_put(skb, XFRMA_REPLAY_ESN_VAL,
xfrm_replay_state_esn_len(x->replay_esn),
x->replay_esn);
- if (ret)
- goto out;
- }
+ else
+ ret = nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay),
+ &x->replay);
+ if (ret)
+ goto out;
if (x->security)
ret = copy_sec_ctx(x->security, skb);
out:
@@ -2569,6 +2571,8 @@ static inline size_t xfrm_sa_len(struct xfrm_state *x)
l += nla_total_size(sizeof(x->tfcpad));
if (x->replay_esn)
l += nla_total_size(xfrm_replay_state_esn_len(x->replay_esn));
+ else
+ l += nla_total_size(sizeof(struct xfrm_replay_state));
if (x->security)
l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) +
x->security->ctx_len);
--
1.9.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 3/5] xfrm: Do not hash socket policies
2014-12-03 10:04 pull request (net-next): ipsec-next 2014-12-03 Steffen Klassert
2014-12-03 10:04 ` [PATCH 1/5] xfrm: fix set but not used warning in xfrm_policy_queue_process() Steffen Klassert
2014-12-03 10:04 ` [PATCH 2/5] xfrm: add XFRMA_REPLAY_VAL attribute to SA messages Steffen Klassert
@ 2014-12-03 10:04 ` Steffen Klassert
2014-12-03 10:05 ` [PATCH 4/5] xfrm: Use __xfrm_policy_link in xfrm_policy_insert Steffen Klassert
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Steffen Klassert @ 2014-12-03 10:04 UTC (permalink / raw
To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Herbert Xu <herbert@gondor.apana.org.au>
Back in 2003 when I added policy expiration, I half-heartedly
did a clean-up and renamed xfrm_sk_policy_link/xfrm_sk_policy_unlink
to __xfrm_policy_link/__xfrm_policy_unlink, because the latter
could be reused for all policies. I never actually got around
to using __xfrm_policy_link for non-socket policies.
Later on hashing was added to all xfrm policies, including socket
policies. In fact, we don't need hashing on socket policies at
all since they're always looked up via a linked list.
This patch restores xfrm_sk_policy_link/xfrm_sk_policy_unlink
as wrappers around __xfrm_policy_link/__xfrm_policy_unlink so
that it's obvious we're dealing with socket policies.
This patch also removes hashing from __xfrm_policy_link as for
now it's only used by socket policies which do not need to be
hashed. Ironically this will in fact allow us to use this helper
for non-socket policies which I shall do later.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
include/net/netns/xfrm.h | 4 ++--
net/xfrm/xfrm_policy.c | 44 ++++++++++++++++++++++++++------------------
2 files changed, 28 insertions(+), 20 deletions(-)
diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
index 9da7982..730d82a 100644
--- a/include/net/netns/xfrm.h
+++ b/include/net/netns/xfrm.h
@@ -50,8 +50,8 @@ struct netns_xfrm {
struct list_head policy_all;
struct hlist_head *policy_byidx;
unsigned int policy_idx_hmask;
- struct hlist_head policy_inexact[XFRM_POLICY_MAX * 2];
- struct xfrm_policy_hash policy_bydst[XFRM_POLICY_MAX * 2];
+ struct hlist_head policy_inexact[XFRM_POLICY_MAX];
+ struct xfrm_policy_hash policy_bydst[XFRM_POLICY_MAX];
unsigned int policy_count[XFRM_POLICY_MAX * 2];
struct work_struct policy_hash_work;
struct xfrm_policy_hthresh policy_hthresh;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index dc65324..f4d3a12 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -561,7 +561,7 @@ static void xfrm_hash_resize(struct work_struct *work)
mutex_lock(&hash_resize_mutex);
total = 0;
- for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
+ for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
if (xfrm_bydst_should_resize(net, dir, &total))
xfrm_bydst_resize(net, dir);
}
@@ -601,7 +601,7 @@ static void xfrm_hash_rebuild(struct work_struct *work)
write_lock_bh(&net->xfrm.xfrm_policy_lock);
/* reset the bydst and inexact table in all directions */
- for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
+ for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]);
hmask = net->xfrm.policy_bydst[dir].hmask;
odst = net->xfrm.policy_bydst[dir].table;
@@ -1247,17 +1247,10 @@ out:
static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
{
struct net *net = xp_net(pol);
- struct hlist_head *chain = policy_hash_bysel(net, &pol->selector,
- pol->family, dir);
list_add(&pol->walk.all, &net->xfrm.policy_all);
- hlist_add_head(&pol->bydst, chain);
- hlist_add_head(&pol->byidx, net->xfrm.policy_byidx+idx_hash(net, pol->index));
net->xfrm.policy_count[dir]++;
xfrm_pol_hold(pol);
-
- if (xfrm_bydst_should_resize(net, dir, NULL))
- schedule_work(&net->xfrm.policy_hash_work);
}
static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
@@ -1265,17 +1258,31 @@ static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
{
struct net *net = xp_net(pol);
- if (hlist_unhashed(&pol->bydst))
+ if (list_empty(&pol->walk.all))
return NULL;
- hlist_del_init(&pol->bydst);
- hlist_del(&pol->byidx);
- list_del(&pol->walk.all);
+ /* Socket policies are not hashed. */
+ if (!hlist_unhashed(&pol->bydst)) {
+ hlist_del(&pol->bydst);
+ hlist_del(&pol->byidx);
+ }
+
+ list_del_init(&pol->walk.all);
net->xfrm.policy_count[dir]--;
return pol;
}
+static void xfrm_sk_policy_link(struct xfrm_policy *pol, int dir)
+{
+ __xfrm_policy_link(pol, XFRM_POLICY_MAX + dir);
+}
+
+static void xfrm_sk_policy_unlink(struct xfrm_policy *pol, int dir)
+{
+ __xfrm_policy_unlink(pol, XFRM_POLICY_MAX + dir);
+}
+
int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
{
struct net *net = xp_net(pol);
@@ -1307,7 +1314,7 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
if (pol) {
pol->curlft.add_time = get_seconds();
pol->index = xfrm_gen_index(net, XFRM_POLICY_MAX+dir, 0);
- __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
+ xfrm_sk_policy_link(pol, dir);
}
if (old_pol) {
if (pol)
@@ -1316,7 +1323,7 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
/* Unlinking succeeds always. This is the only function
* allowed to delete or replace socket policy.
*/
- __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
+ xfrm_sk_policy_unlink(old_pol, dir);
}
write_unlock_bh(&net->xfrm.xfrm_policy_lock);
@@ -1349,7 +1356,7 @@ static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
memcpy(newp->xfrm_vec, old->xfrm_vec,
newp->xfrm_nr*sizeof(struct xfrm_tmpl));
write_lock_bh(&net->xfrm.xfrm_policy_lock);
- __xfrm_policy_link(newp, XFRM_POLICY_MAX+dir);
+ xfrm_sk_policy_link(newp, dir);
write_unlock_bh(&net->xfrm.xfrm_policy_lock);
xfrm_pol_put(newp);
}
@@ -2965,10 +2972,11 @@ static int __net_init xfrm_policy_init(struct net *net)
goto out_byidx;
net->xfrm.policy_idx_hmask = hmask;
- for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
+ for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
struct xfrm_policy_hash *htab;
net->xfrm.policy_count[dir] = 0;
+ net->xfrm.policy_count[XFRM_POLICY_MAX + dir] = 0;
INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]);
htab = &net->xfrm.policy_bydst[dir];
@@ -3020,7 +3028,7 @@ static void xfrm_policy_fini(struct net *net)
WARN_ON(!list_empty(&net->xfrm.policy_all));
- for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
+ for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
struct xfrm_policy_hash *htab;
WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir]));
--
1.9.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 4/5] xfrm: Use __xfrm_policy_link in xfrm_policy_insert
2014-12-03 10:04 pull request (net-next): ipsec-next 2014-12-03 Steffen Klassert
` (2 preceding siblings ...)
2014-12-03 10:04 ` [PATCH 3/5] xfrm: Do not hash socket policies Steffen Klassert
@ 2014-12-03 10:05 ` Steffen Klassert
2014-12-03 10:05 ` [PATCH 5/5] vti6: Add a lookup method for tunnels with wildcard endpoints Steffen Klassert
2014-12-09 2:30 ` pull request (net-next): ipsec-next 2014-12-03 David Miller
5 siblings, 0 replies; 7+ messages in thread
From: Steffen Klassert @ 2014-12-03 10:05 UTC (permalink / raw
To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Herbert Xu <herbert@gondor.apana.org.au>
For a long time we couldn't actually use __xfrm_policy_link in
xfrm_policy_insert because the latter wanted to do hashing at
a specific position.
Now that __xfrm_policy_link no longer does hashing it can now
be safely used in xfrm_policy_insert to kill some duplicate code,
finally reuniting general policies with socket policies.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_policy.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index f4d3a12..178fa0e 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -55,6 +55,7 @@ static int stale_bundle(struct dst_entry *dst);
static int xfrm_bundle_ok(struct xfrm_dst *xdst);
static void xfrm_policy_queue_process(unsigned long arg);
+static void __xfrm_policy_link(struct xfrm_policy *pol, int dir);
static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
int dir);
@@ -779,8 +780,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
hlist_add_behind(&policy->bydst, newpos);
else
hlist_add_head(&policy->bydst, chain);
- xfrm_pol_hold(policy);
- net->xfrm.policy_count[dir]++;
+ __xfrm_policy_link(policy, dir);
atomic_inc(&net->xfrm.flow_cache_genid);
/* After previous checking, family can either be AF_INET or AF_INET6 */
@@ -799,7 +799,6 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
policy->curlft.use_time = 0;
if (!mod_timer(&policy->timer, jiffies + HZ))
xfrm_pol_hold(policy);
- list_add(&policy->walk.all, &net->xfrm.policy_all);
write_unlock_bh(&net->xfrm.xfrm_policy_lock);
if (delpol)
--
1.9.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 5/5] vti6: Add a lookup method for tunnels with wildcard endpoints.
2014-12-03 10:04 pull request (net-next): ipsec-next 2014-12-03 Steffen Klassert
` (3 preceding siblings ...)
2014-12-03 10:05 ` [PATCH 4/5] xfrm: Use __xfrm_policy_link in xfrm_policy_insert Steffen Klassert
@ 2014-12-03 10:05 ` Steffen Klassert
2014-12-09 2:30 ` pull request (net-next): ipsec-next 2014-12-03 David Miller
5 siblings, 0 replies; 7+ messages in thread
From: Steffen Klassert @ 2014-12-03 10:05 UTC (permalink / raw
To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev
Currently we can't lookup tunnels with wildcard endpoints.
This patch adds a method to lookup these tunnels in the
receive path.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/ipv6/ip6_vti.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index d440bb5..6101919 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -95,6 +95,7 @@ vti6_tnl_lookup(struct net *net, const struct in6_addr *remote,
unsigned int hash = HASH(remote, local);
struct ip6_tnl *t;
struct vti6_net *ip6n = net_generic(net, vti6_net_id);
+ struct in6_addr any;
for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {
if (ipv6_addr_equal(local, &t->parms.laddr) &&
@@ -102,6 +103,22 @@ vti6_tnl_lookup(struct net *net, const struct in6_addr *remote,
(t->dev->flags & IFF_UP))
return t;
}
+
+ memset(&any, 0, sizeof(any));
+ hash = HASH(&any, local);
+ for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {
+ if (ipv6_addr_equal(local, &t->parms.laddr) &&
+ (t->dev->flags & IFF_UP))
+ return t;
+ }
+
+ hash = HASH(remote, &any);
+ for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {
+ if (ipv6_addr_equal(remote, &t->parms.raddr) &&
+ (t->dev->flags & IFF_UP))
+ return t;
+ }
+
t = rcu_dereference(ip6n->tnls_wc[0]);
if (t && (t->dev->flags & IFF_UP))
return t;
--
1.9.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: pull request (net-next): ipsec-next 2014-12-03
2014-12-03 10:04 pull request (net-next): ipsec-next 2014-12-03 Steffen Klassert
` (4 preceding siblings ...)
2014-12-03 10:05 ` [PATCH 5/5] vti6: Add a lookup method for tunnels with wildcard endpoints Steffen Klassert
@ 2014-12-09 2:30 ` David Miller
5 siblings, 0 replies; 7+ messages in thread
From: David Miller @ 2014-12-09 2:30 UTC (permalink / raw
To: steffen.klassert; +Cc: herbert, netdev
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Wed, 3 Dec 2014 11:04:56 +0100
> 1) Fix a set but not used warning. From Fabian Frederick.
>
> 2) Currently we make sequence number values available to userspace
> only if we use ESN. Make the sequence number values also available
> for non ESN states. From Zhi Ding.
>
> 3) Remove socket policy hashing. We don't need it because socket
> policies are always looked up via a linked list. From Herbert Xu.
>
> 4) After removing socket policy hashing, we can use __xfrm_policy_link
> in xfrm_policy_insert. From Herbert Xu.
>
> 5) Add a lookup method for vti6 tunnels with wildcard endpoints.
> I forgot this when I initially implemented vti6.
>
> Please pull or let me know if there are problems.
Pulled, thanks a lot Steffen.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2014-12-09 2:30 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-12-03 10:04 pull request (net-next): ipsec-next 2014-12-03 Steffen Klassert
2014-12-03 10:04 ` [PATCH 1/5] xfrm: fix set but not used warning in xfrm_policy_queue_process() Steffen Klassert
2014-12-03 10:04 ` [PATCH 2/5] xfrm: add XFRMA_REPLAY_VAL attribute to SA messages Steffen Klassert
2014-12-03 10:04 ` [PATCH 3/5] xfrm: Do not hash socket policies Steffen Klassert
2014-12-03 10:05 ` [PATCH 4/5] xfrm: Use __xfrm_policy_link in xfrm_policy_insert Steffen Klassert
2014-12-03 10:05 ` [PATCH 5/5] vti6: Add a lookup method for tunnels with wildcard endpoints Steffen Klassert
2014-12-09 2:30 ` pull request (net-next): ipsec-next 2014-12-03 David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.