net: reduce structures when XFRM=n

ifdef out * struct sk_buff::sp (pointer) * struct dst_entry::xfrm (pointer) * struct sock::sk_policy (2 pointers) Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Alexey Dobriyan <adobriyan@gmail.com> 2008-10-28 16:24:06 -0400
committer: David S. Miller <davem@davemloft.net> 2008-10-28 16:24:06 -0400
commit: def8b4faff5ca349beafbbfeb2c51f3602a6ef3a (patch)
tree: a90fbb0b6ae2a49c507465801f31df77bc5ebf9d
parent: b057efd4d226fcc3a92b0dc6d8ea8e8185ecb260 (diff)
11 files changed, 33 insertions, 9 deletions
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 2725f4e5a9bf..487e34507b41 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -269,8 +269,9 @@ struct sk_buff {
                struct  dst_entry       *dst;
                struct  rtable          *rtable;
        };
+#ifdef CONFIG_XFRM
        struct  sec_path        *sp;
+#endif
        /*
         * This is the control buffer. It is free to use for every
         * layer. Please put your private variables there. If you
@@ -1864,6 +1865,18 @@ static inline void skb_copy_queue_mapping(struct sk_buff *to, const struct sk_bu
        to->queue_mapping = from->queue_mapping;
 }
+#ifdef CONFIG_XFRM
+static inline struct sec_path *skb_sec_path(struct sk_buff *skb)
+{
+        return skb->sp;
+}
+#else
+static inline struct sec_path *skb_sec_path(struct sk_buff *skb)
+{
+        return NULL;
+}
+#endif
 static inline int skb_is_gso(const struct sk_buff *skb)
 {
        return skb_shinfo(skb)->gso_size;
diff --git a/include/net/dst.h b/include/net/dst.h
index 8a8b71e5f3f1..f96c4ba4dd32 100644
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -59,8 +59,9 @@ struct dst_entry
        struct neighbour        *neighbour;
        struct hh_cache         *hh;
+#ifdef CONFIG_XFRM
        struct xfrm_state       *xfrm;
+#endif
        int                     (*input)(struct sk_buff*);
        int                     (*output)(struct sk_buff*);
diff --git a/include/net/sock.h b/include/net/sock.h
index ada50c04d09f..d6b750a25078 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -229,7 +229,9 @@ struct sock {
        } sk_backlog;
        wait_queue_head_t       *sk_sleep;
        struct dst_entry        *sk_dst_cache;
+#ifdef CONFIG_XFRM
        struct xfrm_policy      *sk_policy[2];
+#endif
        rwlock_t                sk_dst_lock;
        atomic_t                sk_rmem_alloc;
        atomic_t                sk_wmem_alloc;
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 11c890ad8ebb..f2c5ba28a428 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -882,6 +882,7 @@ struct xfrm_dst
        u32 path_cookie;
 };
+#ifdef CONFIG_XFRM
 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
 {
        dst_release(xdst->route);
@@ -894,6 +895,7 @@ static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
        xdst->partner = NULL;
 #endif
 }
+#endif
 extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
@@ -1536,9 +1538,11 @@ static inline void xfrm_states_delete(struct xfrm_state **states, int n)
 }
 #endif
+#ifdef CONFIG_XFRM
 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
 {
        return skb->sp->xvec[skb->sp->len - 1];
 }
+#endif
 #endif  /* _NET_XFRM_H */
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 4e22e3a35359..cdfe473181af 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -489,7 +489,7 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
        new->network_header     = old->network_header;
        new->mac_header         = old->mac_header;
        new->dst                = dst_clone(old->dst);
-#ifdef CONFIG_INET
+#ifdef CONFIG_XFRM
        new->sp                 = secpath_get(old->sp);
 #endif
        memcpy(new->cb, old->cb, sizeof(old->cb));
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 72b2de76f1cd..e9d6ea0b49ca 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -976,9 +976,10 @@ int icmp_rcv(struct sk_buff *skb)
        struct net *net = dev_net(rt->u.dst.dev);
        if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
+                struct sec_path *sp = skb_sec_path(skb);
                int nh;
-                if (!(skb->sp && skb->sp->xvec[skb->sp->len - 1]->props.flags &
+                if (!(sp && sp->xvec[sp->len - 1]->props.flags &
                                 XFRM_STATE_ICMP))
                        goto drop;
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index 450016b89a18..df3fe50bbf0d 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -106,7 +106,7 @@ int ip_forward(struct sk_buff *skb)
         *      We now generate an ICMP HOST REDIRECT giving the route
         *      we calculated.
         */
-        if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb->sp)
+        if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb_sec_path(skb))
                ip_rt_send_redirect(skb);
        skb->priority = rt_tos2priority(iph->tos);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 21ce7e1b2284..ffb2c5705432 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1399,7 +1399,9 @@ void ip_rt_redirect(__be32 old_gw, __be32 daddr, __be32 new_gw,
                                rt->u.dst.path          = &rt->u.dst;
                                rt->u.dst.neighbour     = NULL;
                                rt->u.dst.hh            = NULL;
+#ifdef CONFIG_XFRM
                                rt->u.dst.xfrm          = NULL;
+#endif
                                rt->rt_genid            = rt_genid(net);
                                rt->rt_flags            |= RTCF_REDIRECTED;
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 9b7d19ae5ced..508a713ac045 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -646,9 +646,10 @@ static int icmpv6_rcv(struct sk_buff *skb)
        int type;
        if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
+                struct sec_path *sp = skb_sec_path(skb);
                int nh;
-                if (!(skb->sp && skb->sp->xvec[skb->sp->len - 1]->props.flags &
+                if (!(sp && sp->xvec[sp->len - 1]->props.flags &
                                 XFRM_STATE_ICMP))
                        goto drop_no_count;
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index c77db0b95e26..7d92fd97cfb9 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -490,7 +490,7 @@ int ip6_forward(struct sk_buff *skb)
           We don't send redirects to frames decapsulated from IPsec.
         */
        if (skb->dev == dst->dev && dst->neighbour && opt->srcrt == 0 &&
-            !skb->sp) {
+            !skb_sec_path(skb)) {
                struct in6_addr *target = NULL;
                struct rt6_info *rt;
                struct neighbour *n = dst->neighbour;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3e3fde7c1d2b..aedf02b1345a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4626,7 +4626,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
         * as fast and as clean as possible. */
        if (selinux_compat_net || !selinux_policycap_netpeer)
                return selinux_ip_postroute_compat(skb, ifindex, family);
+#ifdef CONFIG_XFRM
        /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
         * packet transformation so allow the packet to pass without any checks
         * since we'll have another chance to perform access control checks
@@ -4635,7 +4635,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
         *       is NULL, in this case go ahead and apply access control. */
        if (skb->dst != NULL && skb->dst->xfrm != NULL)
                return NF_ACCEPT;
+#endif
        secmark_active = selinux_secmark_enabled();
        peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
        if (!secmark_active && !peerlbl_active)
author	Alexey Dobriyan <adobriyan@gmail.com>	2008-10-28 16:24:06 -0400
committer	David S. Miller <davem@davemloft.net>	2008-10-28 16:24:06 -0400
commit	def8b4faff5ca349beafbbfeb2c51f3602a6ef3a (patch)
tree	a90fbb0b6ae2a49c507465801f31df77bc5ebf9d
parent	b057efd4d226fcc3a92b0dc6d8ea8e8185ecb260 (diff)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 2725f4e5a9bf..487e34507b41 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h
@@ -269,8 +269,9 @@ struct sk_buff {
269	struct dst_entry *dst;	269	struct dst_entry *dst;
270	struct rtable *rtable;	270	struct rtable *rtable;
271	};	271	};
		272	#ifdef CONFIG_XFRM
272	struct sec_path *sp;	273	struct sec_path *sp;
273		274	#endif
274	/*	275	/*
275	* This is the control buffer. It is free to use for every	276	* This is the control buffer. It is free to use for every
276	* layer. Please put your private variables there. If you	277	* layer. Please put your private variables there. If you
@@ -1864,6 +1865,18 @@ static inline void skb_copy_queue_mapping(struct sk_buff *to, const struct sk_bu
1864	to->queue_mapping = from->queue_mapping;	1865	to->queue_mapping = from->queue_mapping;
1865	}	1866	}
1866		1867
		1868	#ifdef CONFIG_XFRM
		1869	static inline struct sec_path skb_sec_path(struct sk_buff skb)
		1870	{
		1871	return skb->sp;
		1872	}
		1873	#else
		1874	static inline struct sec_path skb_sec_path(struct sk_buff skb)
		1875	{
		1876	return NULL;
		1877	}
		1878	#endif
		1879
1867	static inline int skb_is_gso(const struct sk_buff *skb)	1880	static inline int skb_is_gso(const struct sk_buff *skb)
1868	{	1881	{
1869	return skb_shinfo(skb)->gso_size;	1882	return skb_shinfo(skb)->gso_size;


diff --git a/include/net/dst.h b/include/net/dst.h index 8a8b71e5f3f1..f96c4ba4dd32 100644 --- a/include/net/dst.h +++ b/include/net/dst.h
@@ -59,8 +59,9 @@ struct dst_entry
59		59
60	struct neighbour *neighbour;	60	struct neighbour *neighbour;
61	struct hh_cache *hh;	61	struct hh_cache *hh;
		62	#ifdef CONFIG_XFRM
62	struct xfrm_state *xfrm;	63	struct xfrm_state *xfrm;
63		64	#endif
64	int (input)(struct sk_buff);	65	int (input)(struct sk_buff);
65	int (output)(struct sk_buff);	66	int (output)(struct sk_buff);
66		67


diff --git a/include/net/sock.h b/include/net/sock.h index ada50c04d09f..d6b750a25078 100644 --- a/include/net/sock.h +++ b/include/net/sock.h
@@ -229,7 +229,9 @@ struct sock {
229	} sk_backlog;	229	} sk_backlog;
230	wait_queue_head_t *sk_sleep;	230	wait_queue_head_t *sk_sleep;
231	struct dst_entry *sk_dst_cache;	231	struct dst_entry *sk_dst_cache;
		232	#ifdef CONFIG_XFRM
232	struct xfrm_policy *sk_policy[2];	233	struct xfrm_policy *sk_policy[2];
		234	#endif
233	rwlock_t sk_dst_lock;	235	rwlock_t sk_dst_lock;
234	atomic_t sk_rmem_alloc;	236	atomic_t sk_rmem_alloc;
235	atomic_t sk_wmem_alloc;	237	atomic_t sk_wmem_alloc;


diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 11c890ad8ebb..f2c5ba28a428 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h
@@ -882,6 +882,7 @@ struct xfrm_dst
882	u32 path_cookie;	882	u32 path_cookie;
883	};	883	};
884		884
		885	#ifdef CONFIG_XFRM
885	static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)	886	static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
886	{	887	{
887	dst_release(xdst->route);	888	dst_release(xdst->route);
@@ -894,6 +895,7 @@ static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
894	xdst->partner = NULL;	895	xdst->partner = NULL;
895	#endif	896	#endif
896	}	897	}
		898	#endif
897		899
898	extern void xfrm_dst_ifdown(struct dst_entry dst, struct net_device dev);	900	extern void xfrm_dst_ifdown(struct dst_entry dst, struct net_device dev);
899		901
@@ -1536,9 +1538,11 @@ static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1536	}	1538	}
1537	#endif	1539	#endif
1538		1540
		1541	#ifdef CONFIG_XFRM
1539	static inline struct xfrm_state xfrm_input_state(struct sk_buff skb)	1542	static inline struct xfrm_state xfrm_input_state(struct sk_buff skb)
1540	{	1543	{
1541	return skb->sp->xvec[skb->sp->len - 1];	1544	return skb->sp->xvec[skb->sp->len - 1];
1542	}	1545	}
		1546	#endif
1543		1547
1544	#endif /* _NET_XFRM_H */	1548	#endif /* _NET_XFRM_H */


diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 4e22e3a35359..cdfe473181af 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c
@@ -489,7 +489,7 @@ static void __copy_skb_header(struct sk_buff new, const struct sk_buff old)
489	new->network_header = old->network_header;	489	new->network_header = old->network_header;
490	new->mac_header = old->mac_header;	490	new->mac_header = old->mac_header;
491	new->dst = dst_clone(old->dst);	491	new->dst = dst_clone(old->dst);
492	#ifdef CONFIG_INET	492	#ifdef CONFIG_XFRM
493	new->sp = secpath_get(old->sp);	493	new->sp = secpath_get(old->sp);
494	#endif	494	#endif
495	memcpy(new->cb, old->cb, sizeof(old->cb));	495	memcpy(new->cb, old->cb, sizeof(old->cb));


diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 72b2de76f1cd..e9d6ea0b49ca 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c
@@ -976,9 +976,10 @@ int icmp_rcv(struct sk_buff *skb)
976	struct net *net = dev_net(rt->u.dst.dev);	976	struct net *net = dev_net(rt->u.dst.dev);
977		977
978	if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {	978	if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
		979	struct sec_path *sp = skb_sec_path(skb);
979	int nh;	980	int nh;
980		981
981	if (!(skb->sp && skb->sp->xvec[skb->sp->len - 1]->props.flags &	982	if (!(sp && sp->xvec[sp->len - 1]->props.flags &
982	XFRM_STATE_ICMP))	983	XFRM_STATE_ICMP))
983	goto drop;	984	goto drop;
984		985


diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c index 450016b89a18..df3fe50bbf0d 100644 --- a/net/ipv4/ip_forward.c +++ b/net/ipv4/ip_forward.c
@@ -106,7 +106,7 @@ int ip_forward(struct sk_buff *skb)
106	* We now generate an ICMP HOST REDIRECT giving the route	106	* We now generate an ICMP HOST REDIRECT giving the route
107	* we calculated.	107	* we calculated.
108	*/	108	*/
109	if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb->sp)	109	if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb_sec_path(skb))
110	ip_rt_send_redirect(skb);	110	ip_rt_send_redirect(skb);
111		111
112	skb->priority = rt_tos2priority(iph->tos);	112	skb->priority = rt_tos2priority(iph->tos);


diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 21ce7e1b2284..ffb2c5705432 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c
@@ -1399,7 +1399,9 @@ void ip_rt_redirect(__be32 old_gw, __be32 daddr, __be32 new_gw,
1399	rt->u.dst.path = &rt->u.dst;	1399	rt->u.dst.path = &rt->u.dst;
1400	rt->u.dst.neighbour = NULL;	1400	rt->u.dst.neighbour = NULL;
1401	rt->u.dst.hh = NULL;	1401	rt->u.dst.hh = NULL;
		1402	#ifdef CONFIG_XFRM
1402	rt->u.dst.xfrm = NULL;	1403	rt->u.dst.xfrm = NULL;
		1404	#endif
1403	rt->rt_genid = rt_genid(net);	1405	rt->rt_genid = rt_genid(net);
1404	rt->rt_flags \|= RTCF_REDIRECTED;	1406	rt->rt_flags \|= RTCF_REDIRECTED;
1405		1407


diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 9b7d19ae5ced..508a713ac045 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c
@@ -646,9 +646,10 @@ static int icmpv6_rcv(struct sk_buff *skb)
646	int type;	646	int type;
647		647
648	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {	648	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
		649	struct sec_path *sp = skb_sec_path(skb);
649	int nh;	650	int nh;
650		651
651	if (!(skb->sp && skb->sp->xvec[skb->sp->len - 1]->props.flags &	652	if (!(sp && sp->xvec[sp->len - 1]->props.flags &
652	XFRM_STATE_ICMP))	653	XFRM_STATE_ICMP))
653	goto drop_no_count;	654	goto drop_no_count;
654		655


diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index c77db0b95e26..7d92fd97cfb9 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c
@@ -490,7 +490,7 @@ int ip6_forward(struct sk_buff *skb)
490	We don't send redirects to frames decapsulated from IPsec.	490	We don't send redirects to frames decapsulated from IPsec.
491	*/	491	*/
492	if (skb->dev == dst->dev && dst->neighbour && opt->srcrt == 0 &&	492	if (skb->dev == dst->dev && dst->neighbour && opt->srcrt == 0 &&
493	!skb->sp) {	493	!skb_sec_path(skb)) {
494	struct in6_addr *target = NULL;	494	struct in6_addr *target = NULL;
495	struct rt6_info *rt;	495	struct rt6_info *rt;
496	struct neighbour *n = dst->neighbour;	496	struct neighbour *n = dst->neighbour;


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3e3fde7c1d2b..aedf02b1345a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -4626,7 +4626,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4626	* as fast and as clean as possible. */	4626	* as fast and as clean as possible. */
4627	if (selinux_compat_net \|\| !selinux_policycap_netpeer)	4627	if (selinux_compat_net \|\| !selinux_policycap_netpeer)
4628	return selinux_ip_postroute_compat(skb, ifindex, family);	4628	return selinux_ip_postroute_compat(skb, ifindex, family);
4629		4629	#ifdef CONFIG_XFRM
4630	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec	4630	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4631	* packet transformation so allow the packet to pass without any checks	4631	* packet transformation so allow the packet to pass without any checks
4632	* since we'll have another chance to perform access control checks	4632	* since we'll have another chance to perform access control checks
@@ -4635,7 +4635,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4635	* is NULL, in this case go ahead and apply access control. */	4635	* is NULL, in this case go ahead and apply access control. */
4636	if (skb->dst != NULL && skb->dst->xfrm != NULL)	4636	if (skb->dst != NULL && skb->dst->xfrm != NULL)
4637	return NF_ACCEPT;	4637	return NF_ACCEPT;
4638		4638	#endif
4639	secmark_active = selinux_secmark_enabled();	4639	secmark_active = selinux_secmark_enabled();
4640	peerlbl_active = netlbl_enabled() \|\| selinux_xfrm_enabled();	4640	peerlbl_active = netlbl_enabled() \|\| selinux_xfrm_enabled();
4641	if (!secmark_active && !peerlbl_active)	4641	if (!secmark_active && !peerlbl_active)