aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/net/ip.h1
-rw-r--r--include/net/netns/xfrm.h10
-rw-r--r--include/net/xfrm.h14
-rw-r--r--net/core/sysctl_net_core.c42
-rw-r--r--net/xfrm/Makefile4
-rw-r--r--net/xfrm/xfrm_policy.c10
-rw-r--r--net/xfrm/xfrm_state.c16
-rw-r--r--net/xfrm/xfrm_sysctl.c85
-rw-r--r--net/xfrm/xfrm_user.c4
9 files changed, 125 insertions, 61 deletions
diff --git a/include/net/ip.h b/include/net/ip.h
index ddef10c22e3..10868139e65 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -187,6 +187,7 @@ extern void inet_get_local_port_range(int *low, int *high);
187extern int sysctl_ip_default_ttl; 187extern int sysctl_ip_default_ttl;
188extern int sysctl_ip_nonlocal_bind; 188extern int sysctl_ip_nonlocal_bind;
189 189
190extern struct ctl_path net_core_path[];
190extern struct ctl_path net_ipv4_ctl_path[]; 191extern struct ctl_path net_ipv4_ctl_path[];
191 192
192/* From inetpeer.c */ 193/* From inetpeer.c */
diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
index 09f3060e9d1..1ba912749ca 100644
--- a/include/net/netns/xfrm.h
+++ b/include/net/netns/xfrm.h
@@ -6,6 +6,8 @@
6#include <linux/workqueue.h> 6#include <linux/workqueue.h>
7#include <linux/xfrm.h> 7#include <linux/xfrm.h>
8 8
9struct ctl_table_header;
10
9struct xfrm_policy_hash { 11struct xfrm_policy_hash {
10 struct hlist_head *table; 12 struct hlist_head *table;
11 unsigned int hmask; 13 unsigned int hmask;
@@ -41,6 +43,14 @@ struct netns_xfrm {
41 struct work_struct policy_hash_work; 43 struct work_struct policy_hash_work;
42 44
43 struct sock *nlsk; 45 struct sock *nlsk;
46
47 u32 sysctl_aevent_etime;
48 u32 sysctl_aevent_rseqth;
49 int sysctl_larval_drop;
50 u32 sysctl_acq_expires;
51#ifdef CONFIG_SYSCTL
52 struct ctl_table_header *sysctl_hdr;
53#endif
44}; 54};
45 55
46#endif 56#endif
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 1554ccd0c94..2e9f5c0018a 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -47,11 +47,6 @@
47#define XFRM_INC_STATS_USER(net, field) ((void)(net)) 47#define XFRM_INC_STATS_USER(net, field) ((void)(net))
48#endif 48#endif
49 49
50extern u32 sysctl_xfrm_aevent_etime;
51extern u32 sysctl_xfrm_aevent_rseqth;
52extern int sysctl_xfrm_larval_drop;
53extern u32 sysctl_xfrm_acq_expires;
54
55extern struct mutex xfrm_cfg_mutex; 50extern struct mutex xfrm_cfg_mutex;
56 51
57/* Organization of SPD aka "XFRM rules" 52/* Organization of SPD aka "XFRM rules"
@@ -1310,6 +1305,15 @@ extern int xfrm_proc_init(struct net *net);
1310extern void xfrm_proc_fini(struct net *net); 1305extern void xfrm_proc_fini(struct net *net);
1311#endif 1306#endif
1312 1307
1308extern int xfrm_sysctl_init(struct net *net);
1309#ifdef CONFIG_SYSCTL
1310extern void xfrm_sysctl_fini(struct net *net);
1311#else
1312static inline void xfrm_sysctl_fini(struct net *net)
1313{
1314}
1315#endif
1316
1313extern void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto); 1317extern void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto);
1314extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, 1318extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1315 int (*func)(struct xfrm_state *, int, void*), void *); 1319 int (*func)(struct xfrm_state *, int, void*), void *);
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index 2bc0384b044..83d3398559e 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -12,7 +12,6 @@
12#include <linux/netdevice.h> 12#include <linux/netdevice.h>
13#include <linux/init.h> 13#include <linux/init.h>
14#include <net/sock.h> 14#include <net/sock.h>
15#include <net/xfrm.h>
16 15
17static struct ctl_table net_core_table[] = { 16static struct ctl_table net_core_table[] = {
18#ifdef CONFIG_NET 17#ifdef CONFIG_NET
@@ -89,40 +88,6 @@ static struct ctl_table net_core_table[] = {
89 .mode = 0644, 88 .mode = 0644,
90 .proc_handler = proc_dointvec 89 .proc_handler = proc_dointvec
91 }, 90 },
92#ifdef CONFIG_XFRM
93 {
94 .ctl_name = NET_CORE_AEVENT_ETIME,
95 .procname = "xfrm_aevent_etime",
96 .data = &sysctl_xfrm_aevent_etime,
97 .maxlen = sizeof(u32),
98 .mode = 0644,
99 .proc_handler = proc_dointvec
100 },
101 {
102 .ctl_name = NET_CORE_AEVENT_RSEQTH,
103 .procname = "xfrm_aevent_rseqth",
104 .data = &sysctl_xfrm_aevent_rseqth,
105 .maxlen = sizeof(u32),
106 .mode = 0644,
107 .proc_handler = proc_dointvec
108 },
109 {
110 .ctl_name = CTL_UNNUMBERED,
111 .procname = "xfrm_larval_drop",
112 .data = &sysctl_xfrm_larval_drop,
113 .maxlen = sizeof(int),
114 .mode = 0644,
115 .proc_handler = proc_dointvec
116 },
117 {
118 .ctl_name = CTL_UNNUMBERED,
119 .procname = "xfrm_acq_expires",
120 .data = &sysctl_xfrm_acq_expires,
121 .maxlen = sizeof(int),
122 .mode = 0644,
123 .proc_handler = proc_dointvec
124 },
125#endif /* CONFIG_XFRM */
126#endif /* CONFIG_NET */ 91#endif /* CONFIG_NET */
127 { 92 {
128 .ctl_name = NET_CORE_BUDGET, 93 .ctl_name = NET_CORE_BUDGET,
@@ -155,7 +120,7 @@ static struct ctl_table netns_core_table[] = {
155 { .ctl_name = 0 } 120 { .ctl_name = 0 }
156}; 121};
157 122
158static __net_initdata struct ctl_path net_core_path[] = { 123__net_initdata struct ctl_path net_core_path[] = {
159 { .procname = "net", .ctl_name = CTL_NET, }, 124 { .procname = "net", .ctl_name = CTL_NET, },
160 { .procname = "core", .ctl_name = NET_CORE, }, 125 { .procname = "core", .ctl_name = NET_CORE, },
161 { }, 126 { },
@@ -207,8 +172,11 @@ static __net_initdata struct pernet_operations sysctl_core_ops = {
207 172
208static __init int sysctl_core_init(void) 173static __init int sysctl_core_init(void)
209{ 174{
175 static struct ctl_table empty[1];
176
177 register_sysctl_paths(net_core_path, empty);
210 register_net_sysctl_rotable(net_core_path, net_core_table); 178 register_net_sysctl_rotable(net_core_path, net_core_table);
211 return register_pernet_subsys(&sysctl_core_ops); 179 return register_pernet_subsys(&sysctl_core_ops);
212} 180}
213 181
214__initcall(sysctl_core_init); 182fs_initcall(sysctl_core_init);
diff --git a/net/xfrm/Makefile b/net/xfrm/Makefile
index 0f439a72cca..c631047e1b2 100644
--- a/net/xfrm/Makefile
+++ b/net/xfrm/Makefile
@@ -3,8 +3,8 @@
3# 3#
4 4
5obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \ 5obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \
6 xfrm_input.o xfrm_output.o xfrm_algo.o 6 xfrm_input.o xfrm_output.o xfrm_algo.o \
7 xfrm_sysctl.o
7obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o 8obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o
8obj-$(CONFIG_XFRM_USER) += xfrm_user.o 9obj-$(CONFIG_XFRM_USER) += xfrm_user.o
9obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o 10obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o
10
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 38822b34ba7..393cc65dbfa 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -34,8 +34,6 @@
34 34
35#include "xfrm_hash.h" 35#include "xfrm_hash.h"
36 36
37int sysctl_xfrm_larval_drop __read_mostly = 1;
38
39DEFINE_MUTEX(xfrm_cfg_mutex); 37DEFINE_MUTEX(xfrm_cfg_mutex);
40EXPORT_SYMBOL(xfrm_cfg_mutex); 38EXPORT_SYMBOL(xfrm_cfg_mutex);
41 39
@@ -1671,7 +1669,7 @@ restart:
1671 1669
1672 if (unlikely(nx<0)) { 1670 if (unlikely(nx<0)) {
1673 err = nx; 1671 err = nx;
1674 if (err == -EAGAIN && sysctl_xfrm_larval_drop) { 1672 if (err == -EAGAIN && net->xfrm.sysctl_larval_drop) {
1675 /* EREMOTE tells the caller to generate 1673 /* EREMOTE tells the caller to generate
1676 * a one-shot blackhole route. 1674 * a one-shot blackhole route.
1677 */ 1675 */
@@ -2504,8 +2502,13 @@ static int __net_init xfrm_net_init(struct net *net)
2504 rv = xfrm_policy_init(net); 2502 rv = xfrm_policy_init(net);
2505 if (rv < 0) 2503 if (rv < 0)
2506 goto out_policy; 2504 goto out_policy;
2505 rv = xfrm_sysctl_init(net);
2506 if (rv < 0)
2507 goto out_sysctl;
2507 return 0; 2508 return 0;
2508 2509
2510out_sysctl:
2511 xfrm_policy_fini(net);
2509out_policy: 2512out_policy:
2510 xfrm_state_fini(net); 2513 xfrm_state_fini(net);
2511out_state: 2514out_state:
@@ -2516,6 +2519,7 @@ out_statistics:
2516 2519
2517static void __net_exit xfrm_net_exit(struct net *net) 2520static void __net_exit xfrm_net_exit(struct net *net)
2518{ 2521{
2522 xfrm_sysctl_fini(net);
2519 xfrm_policy_fini(net); 2523 xfrm_policy_fini(net);
2520 xfrm_state_fini(net); 2524 xfrm_state_fini(net);
2521 xfrm_statistics_fini(net); 2525 xfrm_statistics_fini(net);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 662e47b0bcc..2fd57f8f77c 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -24,14 +24,6 @@
24 24
25#include "xfrm_hash.h" 25#include "xfrm_hash.h"
26 26
27u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
28EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
29
30u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
31EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
32
33u32 sysctl_xfrm_acq_expires __read_mostly = 30;
34
35/* Each xfrm_state may be linked to two tables: 27/* Each xfrm_state may be linked to two tables:
36 28
37 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl) 29 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
@@ -851,8 +843,8 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
851 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, family); 843 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, family);
852 hlist_add_head(&x->byspi, net->xfrm.state_byspi+h); 844 hlist_add_head(&x->byspi, net->xfrm.state_byspi+h);
853 } 845 }
854 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; 846 x->lft.hard_add_expires_seconds = net->xfrm.sysctl_acq_expires;
855 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; 847 x->timer.expires = jiffies + net->xfrm.sysctl_acq_expires*HZ;
856 add_timer(&x->timer); 848 add_timer(&x->timer);
857 net->xfrm.state_num++; 849 net->xfrm.state_num++;
858 xfrm_hash_grow_check(net, x->bydst.next != NULL); 850 xfrm_hash_grow_check(net, x->bydst.next != NULL);
@@ -1040,9 +1032,9 @@ static struct xfrm_state *__find_acq_core(struct net *net, unsigned short family
1040 x->props.family = family; 1032 x->props.family = family;
1041 x->props.mode = mode; 1033 x->props.mode = mode;
1042 x->props.reqid = reqid; 1034 x->props.reqid = reqid;
1043 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; 1035 x->lft.hard_add_expires_seconds = net->xfrm.sysctl_acq_expires;
1044 xfrm_state_hold(x); 1036 xfrm_state_hold(x);
1045 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; 1037 x->timer.expires = jiffies + net->xfrm.sysctl_acq_expires*HZ;
1046 add_timer(&x->timer); 1038 add_timer(&x->timer);
1047 list_add(&x->km.all, &net->xfrm.state_all); 1039 list_add(&x->km.all, &net->xfrm.state_all);
1048 hlist_add_head(&x->bydst, net->xfrm.state_bydst+h); 1040 hlist_add_head(&x->bydst, net->xfrm.state_bydst+h);
diff --git a/net/xfrm/xfrm_sysctl.c b/net/xfrm/xfrm_sysctl.c
new file mode 100644
index 00000000000..2e6ffb66f06
--- /dev/null
+++ b/net/xfrm/xfrm_sysctl.c
@@ -0,0 +1,85 @@
1#include <linux/sysctl.h>
2#include <net/net_namespace.h>
3#include <net/xfrm.h>
4
5static void __xfrm_sysctl_init(struct net *net)
6{
7 net->xfrm.sysctl_aevent_etime = XFRM_AE_ETIME;
8 net->xfrm.sysctl_aevent_rseqth = XFRM_AE_SEQT_SIZE;
9 net->xfrm.sysctl_larval_drop = 1;
10 net->xfrm.sysctl_acq_expires = 30;
11}
12
13#ifdef CONFIG_SYSCTL
14static struct ctl_table xfrm_table[] = {
15 {
16 .ctl_name = NET_CORE_AEVENT_ETIME,
17 .procname = "xfrm_aevent_etime",
18 .maxlen = sizeof(u32),
19 .mode = 0644,
20 .proc_handler = proc_dointvec
21 },
22 {
23 .ctl_name = NET_CORE_AEVENT_RSEQTH,
24 .procname = "xfrm_aevent_rseqth",
25 .maxlen = sizeof(u32),
26 .mode = 0644,
27 .proc_handler = proc_dointvec
28 },
29 {
30 .ctl_name = CTL_UNNUMBERED,
31 .procname = "xfrm_larval_drop",
32 .maxlen = sizeof(int),
33 .mode = 0644,
34 .proc_handler = proc_dointvec
35 },
36 {
37 .ctl_name = CTL_UNNUMBERED,
38 .procname = "xfrm_acq_expires",
39 .maxlen = sizeof(int),
40 .mode = 0644,
41 .proc_handler = proc_dointvec
42 },
43 {}
44};
45
46int __net_init xfrm_sysctl_init(struct net *net)
47{
48 struct ctl_table *table;
49
50 __xfrm_sysctl_init(net);
51
52 table = kmemdup(xfrm_table, sizeof(xfrm_table), GFP_KERNEL);
53 if (!table)
54 goto out_kmemdup;
55 table[0].data = &net->xfrm.sysctl_aevent_etime;
56 table[1].data = &net->xfrm.sysctl_aevent_rseqth;
57 table[2].data = &net->xfrm.sysctl_larval_drop;
58 table[3].data = &net->xfrm.sysctl_acq_expires;
59
60 net->xfrm.sysctl_hdr = register_net_sysctl_table(net, net_core_path, table);
61 if (!net->xfrm.sysctl_hdr)
62 goto out_register;
63 return 0;
64
65out_register:
66 kfree(table);
67out_kmemdup:
68 return -ENOMEM;
69}
70
71void xfrm_sysctl_fini(struct net *net)
72{
73 struct ctl_table *table;
74
75 table = net->xfrm.sysctl_hdr->ctl_table_arg;
76 unregister_net_sysctl_table(net->xfrm.sysctl_hdr);
77 kfree(table);
78}
79#else
80int __net_init xfrm_sysctl_init(struct net *net)
81{
82 __xfrm_sysctl_init(net);
83 return 0;
84}
85#endif
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index b7240d5b77a..38ffaf33312 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -368,9 +368,9 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
368 goto error; 368 goto error;
369 369
370 x->km.seq = p->seq; 370 x->km.seq = p->seq;
371 x->replay_maxdiff = sysctl_xfrm_aevent_rseqth; 371 x->replay_maxdiff = net->xfrm.sysctl_aevent_rseqth;
372 /* sysctl_xfrm_aevent_etime is in 100ms units */ 372 /* sysctl_xfrm_aevent_etime is in 100ms units */
373 x->replay_maxage = (sysctl_xfrm_aevent_etime*HZ)/XFRM_AE_ETH_M; 373 x->replay_maxage = (net->xfrm.sysctl_aevent_etime*HZ)/XFRM_AE_ETH_M;
374 x->preplay.bitmap = 0; 374 x->preplay.bitmap = 0;
375 x->preplay.seq = x->replay.seq+x->replay_maxdiff; 375 x->preplay.seq = x->replay.seq+x->replay_maxdiff;
376 x->preplay.oseq = x->replay.oseq +x->replay_maxdiff; 376 x->preplay.oseq = x->replay.oseq +x->replay_maxdiff;
generated by cgit v1.2.2 (git 2.25.0) at 2024-10-17 14:46:01 -0400