diff options
| author | David S. Miller <davem@davemloft.net> | 2012-06-29 04:32:45 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-06-29 04:36:36 -0400 |
| commit | 7a9bc9b81a5bc6e44ebc80ef781332e4385083f2 (patch) | |
| tree | 1342c672823d47bfb112fee63951af9f6a3eb590 | |
| parent | b8c8430726e5bd552e01dacc5a44f3f83f7446ca (diff) | |
ipv4: Elide fib_validate_source() completely when possible.
If rpfilter is off (or the SKB has an IPSEC path) and there are not
tclassid users, we don't have to do anything at all when
fib_validate_source() is invoked besides setting the itag to zero.
We monitor tclassid uses with a counter (modified only under RTNL and
marked __read_mostly) and we protect the fib_validate_source() real
work with a test against this counter and whether rpfilter is to be
done.
Having a way to know whether we need no tclassid processing or not
also opens the door for future optimized rpfilter algorithms that do
not perform full FIB lookups.
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/net/fib_rules.h | 1 | ||||
| -rw-r--r-- | include/net/ip_fib.h | 5 | ||||
| -rw-r--r-- | net/core/fib_rules.c | 4 | ||||
| -rw-r--r-- | net/ipv4/fib_frontend.c | 32 | ||||
| -rw-r--r-- | net/ipv4/fib_rules.c | 16 | ||||
| -rw-r--r-- | net/ipv4/fib_semantics.c | 10 |
6 files changed, 59 insertions, 9 deletions
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h index 075f1e3a0fed..e361f4882426 100644 --- a/include/net/fib_rules.h +++ b/include/net/fib_rules.h | |||
| @@ -52,6 +52,7 @@ struct fib_rules_ops { | |||
| 52 | struct sk_buff *, | 52 | struct sk_buff *, |
| 53 | struct fib_rule_hdr *, | 53 | struct fib_rule_hdr *, |
| 54 | struct nlattr **); | 54 | struct nlattr **); |
| 55 | void (*delete)(struct fib_rule *); | ||
| 55 | int (*compare)(struct fib_rule *, | 56 | int (*compare)(struct fib_rule *, |
| 56 | struct fib_rule_hdr *, | 57 | struct fib_rule_hdr *, |
| 57 | struct nlattr **); | 58 | struct nlattr **); |
diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h index 619f68a7185c..3dc7c96bbeab 100644 --- a/include/net/ip_fib.h +++ b/include/net/ip_fib.h | |||
| @@ -235,6 +235,11 @@ extern int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, | |||
| 235 | u8 tos, int oif, struct net_device *dev, | 235 | u8 tos, int oif, struct net_device *dev, |
| 236 | struct in_device *idev, u32 *itag); | 236 | struct in_device *idev, u32 *itag); |
| 237 | extern void fib_select_default(struct fib_result *res); | 237 | extern void fib_select_default(struct fib_result *res); |
| 238 | #ifdef CONFIG_IP_ROUTE_CLASSID | ||
| 239 | extern int fib_num_tclassid_users; | ||
| 240 | #else | ||
| 241 | #define fib_num_tclassid_users 0 | ||
| 242 | #endif | ||
| 238 | 243 | ||
| 239 | /* Exported by fib_semantics.c */ | 244 | /* Exported by fib_semantics.c */ |
| 240 | extern int ip_fib_check_default(__be32 gw, struct net_device *dev); | 245 | extern int ip_fib_check_default(__be32 gw, struct net_device *dev); |
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c index 72cceb79d0d4..ab7db83236c9 100644 --- a/net/core/fib_rules.c +++ b/net/core/fib_rules.c | |||
| @@ -151,6 +151,8 @@ static void fib_rules_cleanup_ops(struct fib_rules_ops *ops) | |||
| 151 | 151 | ||
| 152 | list_for_each_entry_safe(rule, tmp, &ops->rules_list, list) { | 152 | list_for_each_entry_safe(rule, tmp, &ops->rules_list, list) { |
| 153 | list_del_rcu(&rule->list); | 153 | list_del_rcu(&rule->list); |
| 154 | if (ops->delete) | ||
| 155 | ops->delete(rule); | ||
| 154 | fib_rule_put(rule); | 156 | fib_rule_put(rule); |
| 155 | } | 157 | } |
| 156 | } | 158 | } |
| @@ -499,6 +501,8 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) | |||
| 499 | 501 | ||
| 500 | notify_rule_change(RTM_DELRULE, rule, ops, nlh, | 502 | notify_rule_change(RTM_DELRULE, rule, ops, nlh, |
| 501 | NETLINK_CB(skb).pid); | 503 | NETLINK_CB(skb).pid); |
| 504 | if (ops->delete) | ||
| 505 | ops->delete(rule); | ||
| 502 | fib_rule_put(rule); | 506 | fib_rule_put(rule); |
| 503 | flush_route_cache(ops); | 507 | flush_route_cache(ops); |
| 504 | rules_ops_put(ops); | 508 | rules_ops_put(ops); |
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index c84cff52021e..ae528d1b293a 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c | |||
| @@ -31,6 +31,7 @@ | |||
| 31 | #include <linux/if_addr.h> | 31 | #include <linux/if_addr.h> |
| 32 | #include <linux/if_arp.h> | 32 | #include <linux/if_arp.h> |
| 33 | #include <linux/skbuff.h> | 33 | #include <linux/skbuff.h> |
| 34 | #include <linux/cache.h> | ||
| 34 | #include <linux/init.h> | 35 | #include <linux/init.h> |
| 35 | #include <linux/list.h> | 36 | #include <linux/list.h> |
| 36 | #include <linux/slab.h> | 37 | #include <linux/slab.h> |
| @@ -217,6 +218,10 @@ __be32 fib_compute_spec_dst(struct sk_buff *skb) | |||
| 217 | return inet_select_addr(dev, ip_hdr(skb)->saddr, scope); | 218 | return inet_select_addr(dev, ip_hdr(skb)->saddr, scope); |
| 218 | } | 219 | } |
| 219 | 220 | ||
| 221 | #ifdef CONFIG_IP_ROUTE_CLASSID | ||
| 222 | int fib_num_tclassid_users __read_mostly; | ||
| 223 | #endif | ||
| 224 | |||
| 220 | /* Given (packet source, input interface) and optional (dst, oif, tos): | 225 | /* Given (packet source, input interface) and optional (dst, oif, tos): |
| 221 | * - (main) check, that source is valid i.e. not broadcast or our local | 226 | * - (main) check, that source is valid i.e. not broadcast or our local |
| 222 | * address. | 227 | * address. |
| @@ -225,11 +230,11 @@ __be32 fib_compute_spec_dst(struct sk_buff *skb) | |||
| 225 | * - check, that packet arrived from expected physical interface. | 230 | * - check, that packet arrived from expected physical interface. |
| 226 | * called with rcu_read_lock() | 231 | * called with rcu_read_lock() |
| 227 | */ | 232 | */ |
| 228 | int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, u8 tos, | 233 | static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, |
| 229 | int oif, struct net_device *dev, struct in_device *idev, | 234 | u8 tos, int oif, struct net_device *dev, |
| 230 | u32 *itag) | 235 | int rpf, struct in_device *idev, u32 *itag) |
| 231 | { | 236 | { |
| 232 | int ret, no_addr, rpf, accept_local; | 237 | int ret, no_addr, accept_local; |
| 233 | struct fib_result res; | 238 | struct fib_result res; |
| 234 | struct flowi4 fl4; | 239 | struct flowi4 fl4; |
| 235 | struct net *net; | 240 | struct net *net; |
| @@ -242,12 +247,9 @@ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, u8 tos, | |||
| 242 | fl4.flowi4_tos = tos; | 247 | fl4.flowi4_tos = tos; |
| 243 | fl4.flowi4_scope = RT_SCOPE_UNIVERSE; | 248 | fl4.flowi4_scope = RT_SCOPE_UNIVERSE; |
| 244 | 249 | ||
| 245 | no_addr = rpf = accept_local = 0; | 250 | no_addr = accept_local = 0; |
| 246 | no_addr = idev->ifa_list == NULL; | 251 | no_addr = idev->ifa_list == NULL; |
| 247 | 252 | ||
| 248 | /* Ignore rp_filter for packets protected by IPsec. */ | ||
| 249 | rpf = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev); | ||
| 250 | |||
| 251 | accept_local = IN_DEV_ACCEPT_LOCAL(idev); | 253 | accept_local = IN_DEV_ACCEPT_LOCAL(idev); |
| 252 | fl4.flowi4_mark = IN_DEV_SRC_VMARK(idev) ? skb->mark : 0; | 254 | fl4.flowi4_mark = IN_DEV_SRC_VMARK(idev) ? skb->mark : 0; |
| 253 | 255 | ||
| @@ -303,6 +305,20 @@ e_rpf: | |||
| 303 | return -EXDEV; | 305 | return -EXDEV; |
| 304 | } | 306 | } |
| 305 | 307 | ||
| 308 | /* Ignore rp_filter for packets protected by IPsec. */ | ||
| 309 | int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, | ||
| 310 | u8 tos, int oif, struct net_device *dev, | ||
| 311 | struct in_device *idev, u32 *itag) | ||
| 312 | { | ||
| 313 | int r = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev); | ||
| 314 | |||
| 315 | if (!r && !fib_num_tclassid_users) { | ||
| 316 | *itag = 0; | ||
| 317 | return 0; | ||
| 318 | } | ||
| 319 | return __fib_validate_source(skb, src, dst, tos, oif, dev, r, idev, itag); | ||
| 320 | } | ||
| 321 | |||
| 306 | static inline __be32 sk_extract_addr(struct sockaddr *addr) | 322 | static inline __be32 sk_extract_addr(struct sockaddr *addr) |
| 307 | { | 323 | { |
| 308 | return ((struct sockaddr_in *) addr)->sin_addr.s_addr; | 324 | return ((struct sockaddr_in *) addr)->sin_addr.s_addr; |
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c index 2d043f71ef70..b23fd952c84f 100644 --- a/net/ipv4/fib_rules.c +++ b/net/ipv4/fib_rules.c | |||
| @@ -169,8 +169,11 @@ static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb, | |||
| 169 | rule4->dst = nla_get_be32(tb[FRA_DST]); | 169 | rule4->dst = nla_get_be32(tb[FRA_DST]); |
| 170 | 170 | ||
| 171 | #ifdef CONFIG_IP_ROUTE_CLASSID | 171 | #ifdef CONFIG_IP_ROUTE_CLASSID |
| 172 | if (tb[FRA_FLOW]) | 172 | if (tb[FRA_FLOW]) { |
| 173 | rule4->tclassid = nla_get_u32(tb[FRA_FLOW]); | 173 | rule4->tclassid = nla_get_u32(tb[FRA_FLOW]); |
| 174 | if (rule4->tclassid) | ||
| 175 | fib_num_tclassid_users++; | ||
| 176 | } | ||
| 174 | #endif | 177 | #endif |
| 175 | 178 | ||
| 176 | rule4->src_len = frh->src_len; | 179 | rule4->src_len = frh->src_len; |
| @@ -184,6 +187,16 @@ errout: | |||
| 184 | return err; | 187 | return err; |
| 185 | } | 188 | } |
| 186 | 189 | ||
| 190 | static void fib4_rule_delete(struct fib_rule *rule) | ||
| 191 | { | ||
| 192 | #ifdef CONFIG_IP_ROUTE_CLASSID | ||
| 193 | struct fib4_rule *rule4 = (struct fib4_rule *) rule; | ||
| 194 | |||
| 195 | if (rule4->tclassid) | ||
| 196 | fib_num_tclassid_users--; | ||
| 197 | #endif | ||
| 198 | } | ||
| 199 | |||
| 187 | static int fib4_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh, | 200 | static int fib4_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh, |
| 188 | struct nlattr **tb) | 201 | struct nlattr **tb) |
| 189 | { | 202 | { |
| @@ -256,6 +269,7 @@ static const struct fib_rules_ops __net_initdata fib4_rules_ops_template = { | |||
| 256 | .action = fib4_rule_action, | 269 | .action = fib4_rule_action, |
| 257 | .match = fib4_rule_match, | 270 | .match = fib4_rule_match, |
| 258 | .configure = fib4_rule_configure, | 271 | .configure = fib4_rule_configure, |
| 272 | .delete = fib4_rule_delete, | ||
| 259 | .compare = fib4_rule_compare, | 273 | .compare = fib4_rule_compare, |
| 260 | .fill = fib4_rule_fill, | 274 | .fill = fib4_rule_fill, |
| 261 | .default_pref = fib_default_rule_pref, | 275 | .default_pref = fib_default_rule_pref, |
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c index 415f8230fc88..c46c20b6b0b6 100644 --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c | |||
| @@ -163,6 +163,12 @@ void free_fib_info(struct fib_info *fi) | |||
| 163 | return; | 163 | return; |
| 164 | } | 164 | } |
| 165 | fib_info_cnt--; | 165 | fib_info_cnt--; |
| 166 | #ifdef CONFIG_IP_ROUTE_CLASSID | ||
| 167 | change_nexthops(fi) { | ||
| 168 | if (nexthop_nh->nh_tclassid) | ||
| 169 | fib_num_tclassid_users--; | ||
| 170 | } endfor_nexthops(fi); | ||
| 171 | #endif | ||
| 166 | call_rcu(&fi->rcu, free_fib_info_rcu); | 172 | call_rcu(&fi->rcu, free_fib_info_rcu); |
| 167 | } | 173 | } |
| 168 | 174 | ||
| @@ -421,6 +427,8 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh, | |||
| 421 | #ifdef CONFIG_IP_ROUTE_CLASSID | 427 | #ifdef CONFIG_IP_ROUTE_CLASSID |
| 422 | nla = nla_find(attrs, attrlen, RTA_FLOW); | 428 | nla = nla_find(attrs, attrlen, RTA_FLOW); |
| 423 | nexthop_nh->nh_tclassid = nla ? nla_get_u32(nla) : 0; | 429 | nexthop_nh->nh_tclassid = nla ? nla_get_u32(nla) : 0; |
| 430 | if (nexthop_nh->nh_tclassid) | ||
| 431 | fib_num_tclassid_users++; | ||
| 424 | #endif | 432 | #endif |
| 425 | } | 433 | } |
| 426 | 434 | ||
| @@ -815,6 +823,8 @@ struct fib_info *fib_create_info(struct fib_config *cfg) | |||
| 815 | nh->nh_flags = cfg->fc_flags; | 823 | nh->nh_flags = cfg->fc_flags; |
| 816 | #ifdef CONFIG_IP_ROUTE_CLASSID | 824 | #ifdef CONFIG_IP_ROUTE_CLASSID |
| 817 | nh->nh_tclassid = cfg->fc_flow; | 825 | nh->nh_tclassid = cfg->fc_flow; |
| 826 | if (nh->nh_tclassid) | ||
| 827 | fib_num_tclassid_users++; | ||
| 818 | #endif | 828 | #endif |
| 819 | #ifdef CONFIG_IP_ROUTE_MULTIPATH | 829 | #ifdef CONFIG_IP_ROUTE_MULTIPATH |
| 820 | nh->nh_weight = 1; | 830 | nh->nh_weight = 1; |