diff options
author | Alexey Dobriyan <adobriyan@gmail.com> | 2008-11-25 21:00:48 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-11-25 21:00:48 -0500 |
commit | b27aeadb5948d400df83db4d29590fb9862ba49d (patch) | |
tree | f76cc43150164facbb890e4d5c619a99fe6ce303 | |
parent | c68cd1a01ba56995d85a4a62b195b2b3f6415c64 (diff) |
netns xfrm: per-netns sysctls
Make
net.core.xfrm_aevent_etime
net.core.xfrm_acq_expires
net.core.xfrm_aevent_rseqth
net.core.xfrm_larval_drop
sysctls per-netns.
For that make net_core_path[] global, register it to prevent two
/proc/net/core antries and change initcall position -- xfrm_init() is called
from fs_initcall, so this one should be fs_initcall at least.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/net/ip.h | 1 | ||||
-rw-r--r-- | include/net/netns/xfrm.h | 10 | ||||
-rw-r--r-- | include/net/xfrm.h | 14 | ||||
-rw-r--r-- | net/core/sysctl_net_core.c | 42 | ||||
-rw-r--r-- | net/xfrm/Makefile | 4 | ||||
-rw-r--r-- | net/xfrm/xfrm_policy.c | 10 | ||||
-rw-r--r-- | net/xfrm/xfrm_state.c | 16 | ||||
-rw-r--r-- | net/xfrm/xfrm_sysctl.c | 85 | ||||
-rw-r--r-- | net/xfrm/xfrm_user.c | 4 |
9 files changed, 125 insertions, 61 deletions
diff --git a/include/net/ip.h b/include/net/ip.h index ddef10c22e3a..10868139e656 100644 --- a/include/net/ip.h +++ b/include/net/ip.h | |||
@@ -187,6 +187,7 @@ extern void inet_get_local_port_range(int *low, int *high); | |||
187 | extern int sysctl_ip_default_ttl; | 187 | extern int sysctl_ip_default_ttl; |
188 | extern int sysctl_ip_nonlocal_bind; | 188 | extern int sysctl_ip_nonlocal_bind; |
189 | 189 | ||
190 | extern struct ctl_path net_core_path[]; | ||
190 | extern struct ctl_path net_ipv4_ctl_path[]; | 191 | extern struct ctl_path net_ipv4_ctl_path[]; |
191 | 192 | ||
192 | /* From inetpeer.c */ | 193 | /* From inetpeer.c */ |
diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h index 09f3060e9d18..1ba912749caa 100644 --- a/include/net/netns/xfrm.h +++ b/include/net/netns/xfrm.h | |||
@@ -6,6 +6,8 @@ | |||
6 | #include <linux/workqueue.h> | 6 | #include <linux/workqueue.h> |
7 | #include <linux/xfrm.h> | 7 | #include <linux/xfrm.h> |
8 | 8 | ||
9 | struct ctl_table_header; | ||
10 | |||
9 | struct xfrm_policy_hash { | 11 | struct xfrm_policy_hash { |
10 | struct hlist_head *table; | 12 | struct hlist_head *table; |
11 | unsigned int hmask; | 13 | unsigned int hmask; |
@@ -41,6 +43,14 @@ struct netns_xfrm { | |||
41 | struct work_struct policy_hash_work; | 43 | struct work_struct policy_hash_work; |
42 | 44 | ||
43 | struct sock *nlsk; | 45 | struct sock *nlsk; |
46 | |||
47 | u32 sysctl_aevent_etime; | ||
48 | u32 sysctl_aevent_rseqth; | ||
49 | int sysctl_larval_drop; | ||
50 | u32 sysctl_acq_expires; | ||
51 | #ifdef CONFIG_SYSCTL | ||
52 | struct ctl_table_header *sysctl_hdr; | ||
53 | #endif | ||
44 | }; | 54 | }; |
45 | 55 | ||
46 | #endif | 56 | #endif |
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 1554ccd0c940..2e9f5c0018ae 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h | |||
@@ -47,11 +47,6 @@ | |||
47 | #define XFRM_INC_STATS_USER(net, field) ((void)(net)) | 47 | #define XFRM_INC_STATS_USER(net, field) ((void)(net)) |
48 | #endif | 48 | #endif |
49 | 49 | ||
50 | extern u32 sysctl_xfrm_aevent_etime; | ||
51 | extern u32 sysctl_xfrm_aevent_rseqth; | ||
52 | extern int sysctl_xfrm_larval_drop; | ||
53 | extern u32 sysctl_xfrm_acq_expires; | ||
54 | |||
55 | extern struct mutex xfrm_cfg_mutex; | 50 | extern struct mutex xfrm_cfg_mutex; |
56 | 51 | ||
57 | /* Organization of SPD aka "XFRM rules" | 52 | /* Organization of SPD aka "XFRM rules" |
@@ -1310,6 +1305,15 @@ extern int xfrm_proc_init(struct net *net); | |||
1310 | extern void xfrm_proc_fini(struct net *net); | 1305 | extern void xfrm_proc_fini(struct net *net); |
1311 | #endif | 1306 | #endif |
1312 | 1307 | ||
1308 | extern int xfrm_sysctl_init(struct net *net); | ||
1309 | #ifdef CONFIG_SYSCTL | ||
1310 | extern void xfrm_sysctl_fini(struct net *net); | ||
1311 | #else | ||
1312 | static inline void xfrm_sysctl_fini(struct net *net) | ||
1313 | { | ||
1314 | } | ||
1315 | #endif | ||
1316 | |||
1313 | extern void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto); | 1317 | extern void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto); |
1314 | extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, | 1318 | extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, |
1315 | int (*func)(struct xfrm_state *, int, void*), void *); | 1319 | int (*func)(struct xfrm_state *, int, void*), void *); |
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c index 2bc0384b0448..83d3398559ea 100644 --- a/net/core/sysctl_net_core.c +++ b/net/core/sysctl_net_core.c | |||
@@ -12,7 +12,6 @@ | |||
12 | #include <linux/netdevice.h> | 12 | #include <linux/netdevice.h> |
13 | #include <linux/init.h> | 13 | #include <linux/init.h> |
14 | #include <net/sock.h> | 14 | #include <net/sock.h> |
15 | #include <net/xfrm.h> | ||
16 | 15 | ||
17 | static struct ctl_table net_core_table[] = { | 16 | static struct ctl_table net_core_table[] = { |
18 | #ifdef CONFIG_NET | 17 | #ifdef CONFIG_NET |
@@ -89,40 +88,6 @@ static struct ctl_table net_core_table[] = { | |||
89 | .mode = 0644, | 88 | .mode = 0644, |
90 | .proc_handler = proc_dointvec | 89 | .proc_handler = proc_dointvec |
91 | }, | 90 | }, |
92 | #ifdef CONFIG_XFRM | ||
93 | { | ||
94 | .ctl_name = NET_CORE_AEVENT_ETIME, | ||
95 | .procname = "xfrm_aevent_etime", | ||
96 | .data = &sysctl_xfrm_aevent_etime, | ||
97 | .maxlen = sizeof(u32), | ||
98 | .mode = 0644, | ||
99 | .proc_handler = proc_dointvec | ||
100 | }, | ||
101 | { | ||
102 | .ctl_name = NET_CORE_AEVENT_RSEQTH, | ||
103 | .procname = "xfrm_aevent_rseqth", | ||
104 | .data = &sysctl_xfrm_aevent_rseqth, | ||
105 | .maxlen = sizeof(u32), | ||
106 | .mode = 0644, | ||
107 | .proc_handler = proc_dointvec | ||
108 | }, | ||
109 | { | ||
110 | .ctl_name = CTL_UNNUMBERED, | ||
111 | .procname = "xfrm_larval_drop", | ||
112 | .data = &sysctl_xfrm_larval_drop, | ||
113 | .maxlen = sizeof(int), | ||
114 | .mode = 0644, | ||
115 | .proc_handler = proc_dointvec | ||
116 | }, | ||
117 | { | ||
118 | .ctl_name = CTL_UNNUMBERED, | ||
119 | .procname = "xfrm_acq_expires", | ||
120 | .data = &sysctl_xfrm_acq_expires, | ||
121 | .maxlen = sizeof(int), | ||
122 | .mode = 0644, | ||
123 | .proc_handler = proc_dointvec | ||
124 | }, | ||
125 | #endif /* CONFIG_XFRM */ | ||
126 | #endif /* CONFIG_NET */ | 91 | #endif /* CONFIG_NET */ |
127 | { | 92 | { |
128 | .ctl_name = NET_CORE_BUDGET, | 93 | .ctl_name = NET_CORE_BUDGET, |
@@ -155,7 +120,7 @@ static struct ctl_table netns_core_table[] = { | |||
155 | { .ctl_name = 0 } | 120 | { .ctl_name = 0 } |
156 | }; | 121 | }; |
157 | 122 | ||
158 | static __net_initdata struct ctl_path net_core_path[] = { | 123 | __net_initdata struct ctl_path net_core_path[] = { |
159 | { .procname = "net", .ctl_name = CTL_NET, }, | 124 | { .procname = "net", .ctl_name = CTL_NET, }, |
160 | { .procname = "core", .ctl_name = NET_CORE, }, | 125 | { .procname = "core", .ctl_name = NET_CORE, }, |
161 | { }, | 126 | { }, |
@@ -207,8 +172,11 @@ static __net_initdata struct pernet_operations sysctl_core_ops = { | |||
207 | 172 | ||
208 | static __init int sysctl_core_init(void) | 173 | static __init int sysctl_core_init(void) |
209 | { | 174 | { |
175 | static struct ctl_table empty[1]; | ||
176 | |||
177 | register_sysctl_paths(net_core_path, empty); | ||
210 | register_net_sysctl_rotable(net_core_path, net_core_table); | 178 | register_net_sysctl_rotable(net_core_path, net_core_table); |
211 | return register_pernet_subsys(&sysctl_core_ops); | 179 | return register_pernet_subsys(&sysctl_core_ops); |
212 | } | 180 | } |
213 | 181 | ||
214 | __initcall(sysctl_core_init); | 182 | fs_initcall(sysctl_core_init); |
diff --git a/net/xfrm/Makefile b/net/xfrm/Makefile index 0f439a72ccab..c631047e1b27 100644 --- a/net/xfrm/Makefile +++ b/net/xfrm/Makefile | |||
@@ -3,8 +3,8 @@ | |||
3 | # | 3 | # |
4 | 4 | ||
5 | obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \ | 5 | obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \ |
6 | xfrm_input.o xfrm_output.o xfrm_algo.o | 6 | xfrm_input.o xfrm_output.o xfrm_algo.o \ |
7 | xfrm_sysctl.o | ||
7 | obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o | 8 | obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o |
8 | obj-$(CONFIG_XFRM_USER) += xfrm_user.o | 9 | obj-$(CONFIG_XFRM_USER) += xfrm_user.o |
9 | obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o | 10 | obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o |
10 | |||
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 38822b34ba7d..393cc65dbfa4 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
@@ -34,8 +34,6 @@ | |||
34 | 34 | ||
35 | #include "xfrm_hash.h" | 35 | #include "xfrm_hash.h" |
36 | 36 | ||
37 | int sysctl_xfrm_larval_drop __read_mostly = 1; | ||
38 | |||
39 | DEFINE_MUTEX(xfrm_cfg_mutex); | 37 | DEFINE_MUTEX(xfrm_cfg_mutex); |
40 | EXPORT_SYMBOL(xfrm_cfg_mutex); | 38 | EXPORT_SYMBOL(xfrm_cfg_mutex); |
41 | 39 | ||
@@ -1671,7 +1669,7 @@ restart: | |||
1671 | 1669 | ||
1672 | if (unlikely(nx<0)) { | 1670 | if (unlikely(nx<0)) { |
1673 | err = nx; | 1671 | err = nx; |
1674 | if (err == -EAGAIN && sysctl_xfrm_larval_drop) { | 1672 | if (err == -EAGAIN && net->xfrm.sysctl_larval_drop) { |
1675 | /* EREMOTE tells the caller to generate | 1673 | /* EREMOTE tells the caller to generate |
1676 | * a one-shot blackhole route. | 1674 | * a one-shot blackhole route. |
1677 | */ | 1675 | */ |
@@ -2504,8 +2502,13 @@ static int __net_init xfrm_net_init(struct net *net) | |||
2504 | rv = xfrm_policy_init(net); | 2502 | rv = xfrm_policy_init(net); |
2505 | if (rv < 0) | 2503 | if (rv < 0) |
2506 | goto out_policy; | 2504 | goto out_policy; |
2505 | rv = xfrm_sysctl_init(net); | ||
2506 | if (rv < 0) | ||
2507 | goto out_sysctl; | ||
2507 | return 0; | 2508 | return 0; |
2508 | 2509 | ||
2510 | out_sysctl: | ||
2511 | xfrm_policy_fini(net); | ||
2509 | out_policy: | 2512 | out_policy: |
2510 | xfrm_state_fini(net); | 2513 | xfrm_state_fini(net); |
2511 | out_state: | 2514 | out_state: |
@@ -2516,6 +2519,7 @@ out_statistics: | |||
2516 | 2519 | ||
2517 | static void __net_exit xfrm_net_exit(struct net *net) | 2520 | static void __net_exit xfrm_net_exit(struct net *net) |
2518 | { | 2521 | { |
2522 | xfrm_sysctl_fini(net); | ||
2519 | xfrm_policy_fini(net); | 2523 | xfrm_policy_fini(net); |
2520 | xfrm_state_fini(net); | 2524 | xfrm_state_fini(net); |
2521 | xfrm_statistics_fini(net); | 2525 | xfrm_statistics_fini(net); |
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 662e47b0bcc3..2fd57f8f77c1 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c | |||
@@ -24,14 +24,6 @@ | |||
24 | 24 | ||
25 | #include "xfrm_hash.h" | 25 | #include "xfrm_hash.h" |
26 | 26 | ||
27 | u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME; | ||
28 | EXPORT_SYMBOL(sysctl_xfrm_aevent_etime); | ||
29 | |||
30 | u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE; | ||
31 | EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth); | ||
32 | |||
33 | u32 sysctl_xfrm_acq_expires __read_mostly = 30; | ||
34 | |||
35 | /* Each xfrm_state may be linked to two tables: | 27 | /* Each xfrm_state may be linked to two tables: |
36 | 28 | ||
37 | 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl) | 29 | 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl) |
@@ -851,8 +843,8 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, | |||
851 | h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, family); | 843 | h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, family); |
852 | hlist_add_head(&x->byspi, net->xfrm.state_byspi+h); | 844 | hlist_add_head(&x->byspi, net->xfrm.state_byspi+h); |
853 | } | 845 | } |
854 | x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; | 846 | x->lft.hard_add_expires_seconds = net->xfrm.sysctl_acq_expires; |
855 | x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; | 847 | x->timer.expires = jiffies + net->xfrm.sysctl_acq_expires*HZ; |
856 | add_timer(&x->timer); | 848 | add_timer(&x->timer); |
857 | net->xfrm.state_num++; | 849 | net->xfrm.state_num++; |
858 | xfrm_hash_grow_check(net, x->bydst.next != NULL); | 850 | xfrm_hash_grow_check(net, x->bydst.next != NULL); |
@@ -1040,9 +1032,9 @@ static struct xfrm_state *__find_acq_core(struct net *net, unsigned short family | |||
1040 | x->props.family = family; | 1032 | x->props.family = family; |
1041 | x->props.mode = mode; | 1033 | x->props.mode = mode; |
1042 | x->props.reqid = reqid; | 1034 | x->props.reqid = reqid; |
1043 | x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; | 1035 | x->lft.hard_add_expires_seconds = net->xfrm.sysctl_acq_expires; |
1044 | xfrm_state_hold(x); | 1036 | xfrm_state_hold(x); |
1045 | x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; | 1037 | x->timer.expires = jiffies + net->xfrm.sysctl_acq_expires*HZ; |
1046 | add_timer(&x->timer); | 1038 | add_timer(&x->timer); |
1047 | list_add(&x->km.all, &net->xfrm.state_all); | 1039 | list_add(&x->km.all, &net->xfrm.state_all); |
1048 | hlist_add_head(&x->bydst, net->xfrm.state_bydst+h); | 1040 | hlist_add_head(&x->bydst, net->xfrm.state_bydst+h); |
diff --git a/net/xfrm/xfrm_sysctl.c b/net/xfrm/xfrm_sysctl.c new file mode 100644 index 000000000000..2e6ffb66f06f --- /dev/null +++ b/net/xfrm/xfrm_sysctl.c | |||
@@ -0,0 +1,85 @@ | |||
1 | #include <linux/sysctl.h> | ||
2 | #include <net/net_namespace.h> | ||
3 | #include <net/xfrm.h> | ||
4 | |||
5 | static void __xfrm_sysctl_init(struct net *net) | ||
6 | { | ||
7 | net->xfrm.sysctl_aevent_etime = XFRM_AE_ETIME; | ||
8 | net->xfrm.sysctl_aevent_rseqth = XFRM_AE_SEQT_SIZE; | ||
9 | net->xfrm.sysctl_larval_drop = 1; | ||
10 | net->xfrm.sysctl_acq_expires = 30; | ||
11 | } | ||
12 | |||
13 | #ifdef CONFIG_SYSCTL | ||
14 | static struct ctl_table xfrm_table[] = { | ||
15 | { | ||
16 | .ctl_name = NET_CORE_AEVENT_ETIME, | ||
17 | .procname = "xfrm_aevent_etime", | ||
18 | .maxlen = sizeof(u32), | ||
19 | .mode = 0644, | ||
20 | .proc_handler = proc_dointvec | ||
21 | }, | ||
22 | { | ||
23 | .ctl_name = NET_CORE_AEVENT_RSEQTH, | ||
24 | .procname = "xfrm_aevent_rseqth", | ||
25 | .maxlen = sizeof(u32), | ||
26 | .mode = 0644, | ||
27 | .proc_handler = proc_dointvec | ||
28 | }, | ||
29 | { | ||
30 | .ctl_name = CTL_UNNUMBERED, | ||
31 | .procname = "xfrm_larval_drop", | ||
32 | .maxlen = sizeof(int), | ||
33 | .mode = 0644, | ||
34 | .proc_handler = proc_dointvec | ||
35 | }, | ||
36 | { | ||
37 | .ctl_name = CTL_UNNUMBERED, | ||
38 | .procname = "xfrm_acq_expires", | ||
39 | .maxlen = sizeof(int), | ||
40 | .mode = 0644, | ||
41 | .proc_handler = proc_dointvec | ||
42 | }, | ||
43 | {} | ||
44 | }; | ||
45 | |||
46 | int __net_init xfrm_sysctl_init(struct net *net) | ||
47 | { | ||
48 | struct ctl_table *table; | ||
49 | |||
50 | __xfrm_sysctl_init(net); | ||
51 | |||
52 | table = kmemdup(xfrm_table, sizeof(xfrm_table), GFP_KERNEL); | ||
53 | if (!table) | ||
54 | goto out_kmemdup; | ||
55 | table[0].data = &net->xfrm.sysctl_aevent_etime; | ||
56 | table[1].data = &net->xfrm.sysctl_aevent_rseqth; | ||
57 | table[2].data = &net->xfrm.sysctl_larval_drop; | ||
58 | table[3].data = &net->xfrm.sysctl_acq_expires; | ||
59 | |||
60 | net->xfrm.sysctl_hdr = register_net_sysctl_table(net, net_core_path, table); | ||
61 | if (!net->xfrm.sysctl_hdr) | ||
62 | goto out_register; | ||
63 | return 0; | ||
64 | |||
65 | out_register: | ||
66 | kfree(table); | ||
67 | out_kmemdup: | ||
68 | return -ENOMEM; | ||
69 | } | ||
70 | |||
71 | void xfrm_sysctl_fini(struct net *net) | ||
72 | { | ||
73 | struct ctl_table *table; | ||
74 | |||
75 | table = net->xfrm.sysctl_hdr->ctl_table_arg; | ||
76 | unregister_net_sysctl_table(net->xfrm.sysctl_hdr); | ||
77 | kfree(table); | ||
78 | } | ||
79 | #else | ||
80 | int __net_init xfrm_sysctl_init(struct net *net) | ||
81 | { | ||
82 | __xfrm_sysctl_init(net); | ||
83 | return 0; | ||
84 | } | ||
85 | #endif | ||
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index b7240d5b77ad..38ffaf33312e 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
@@ -368,9 +368,9 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, | |||
368 | goto error; | 368 | goto error; |
369 | 369 | ||
370 | x->km.seq = p->seq; | 370 | x->km.seq = p->seq; |
371 | x->replay_maxdiff = sysctl_xfrm_aevent_rseqth; | 371 | x->replay_maxdiff = net->xfrm.sysctl_aevent_rseqth; |
372 | /* sysctl_xfrm_aevent_etime is in 100ms units */ | 372 | /* sysctl_xfrm_aevent_etime is in 100ms units */ |
373 | x->replay_maxage = (sysctl_xfrm_aevent_etime*HZ)/XFRM_AE_ETH_M; | 373 | x->replay_maxage = (net->xfrm.sysctl_aevent_etime*HZ)/XFRM_AE_ETH_M; |
374 | x->preplay.bitmap = 0; | 374 | x->preplay.bitmap = 0; |
375 | x->preplay.seq = x->replay.seq+x->replay_maxdiff; | 375 | x->preplay.seq = x->replay.seq+x->replay_maxdiff; |
376 | x->preplay.oseq = x->replay.oseq +x->replay_maxdiff; | 376 | x->preplay.oseq = x->replay.oseq +x->replay_maxdiff; |