[XFRM]: Add generation count to xfrm_state and xfrm_dst.

Each xfrm_state inserted gets a new generation counter
value.  When a bundle is created, the xfrm_dst objects
get the current generation counter of the xfrm_state
they will attach to at dst->xfrm.

xfrm_bundle_ok() will return false if it sees an
xfrm_dst with a generation count different from the
generation count of the xfrm_state that dst points to.

This provides a facility by which to passively and
cheaply invalidate cached IPSEC routes during SA
database changes.

Signed-off-by: David S. Miller <davem@davemloft.net>

5 files changed, 10 insertions, 0 deletions

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 3405e5d9d51c..fd4a300b5baf 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -104,6 +104,8 @@ struct xfrm_state
         struct xfrm_id          id;
         struct xfrm_selector    sel;
 
+        u32                     genid;
+
         /* Key manger bits */
         struct {
                 u8              state;
@@ -590,6 +592,7 @@ struct xfrm_dst
                 struct rt6_info         rt6;
         } u;
         struct dst_entry *route;
+        u32 genid;
         u32 route_mtu_cached;
         u32 child_mtu_cached;
         u32 route_cookie;
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 42d8ded0f96a..479598566f1d 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -93,6 +93,7 @@ __xfrm4_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
 
                 xdst = (struct xfrm_dst *)dst1;
                 xdst->route = &rt->u.dst;
+                xdst->genid = xfrm[i]->genid;
 
                 dst1->next = dst_prev;
                 dst_prev = dst1;
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 98c2fe449b3f..9391c4c94feb 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -149,6 +149,7 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
 
                 xdst = (struct xfrm_dst *)dst1;
                 xdst->route = &rt->u.dst;
+                xdst->genid = xfrm[i]->genid;
                 if (rt->rt6i_node)
                         xdst->route_cookie = rt->rt6i_node->fn_sernum;
 
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 1732159ffd01..7fc6944ee36f 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1536,6 +1536,8 @@ int xfrm_bundle_ok(struct xfrm_dst *first, struct flowi *fl, int family, int str
                         return 0;
                 if (dst->xfrm->km.state != XFRM_STATE_VALID)
                         return 0;
+                if (xdst->genid != dst->xfrm->genid)
+                        return 0;
 
                 if (strict && fl && dst->xfrm->props.mode != XFRM_MODE_TUNNEL &&
                     !xfrm_state_addr_flow_check(dst->xfrm, fl, family))
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 445263c54c94..535d43c14720 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -53,6 +53,7 @@ static struct hlist_head *xfrm_state_byspi __read_mostly;
 static unsigned int xfrm_state_hmask __read_mostly;
 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
 static unsigned int xfrm_state_num;
+static unsigned int xfrm_state_genid;
 
 static inline unsigned int __xfrm4_dst_hash(xfrm_address_t *addr, unsigned int hmask)
 {
@@ -745,6 +746,8 @@ static void __xfrm_state_insert(struct xfrm_state *x)
 {
         unsigned int h = xfrm_dst_hash(&x->id.daddr, x->props.family);
 
+        x->genid = ++xfrm_state_genid;
+
         hlist_add_head(&x->bydst, xfrm_state_bydst+h);
         xfrm_state_hold(x);