diff options
author | David S. Miller <davem@davemloft.net> | 2014-12-08 21:30:21 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-12-08 21:30:21 -0500 |
commit | 6db70e3e1d988005c9ae6cf0f023e3c653628efb (patch) | |
tree | 696620aaa6ca94caa627dc18617a164af4fdad29 | |
parent | f5f04bcf539b2cf896929dc00b82010df78045bf (diff) | |
parent | fbe68ee87522f6eaa10f9076c0a7117e1613f2f7 (diff) |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
Steffen Klassert says:
====================
pull request (net-next): ipsec-next 2014-12-03
1) Fix a set but not used warning. From Fabian Frederick.
2) Currently we make sequence number values available to userspace
only if we use ESN. Make the sequence number values also available
for non ESN states. From Zhi Ding.
3) Remove socket policy hashing. We don't need it because socket
policies are always looked up via a linked list. From Herbert Xu.
4) After removing socket policy hashing, we can use __xfrm_policy_link
in xfrm_policy_insert. From Herbert Xu.
5) Add a lookup method for vti6 tunnels with wildcard endpoints.
I forgot this when I initially implemented vti6.
Please pull or let me know if there are problems.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/net/netns/xfrm.h | 4 | ||||
-rw-r--r-- | net/ipv6/ip6_vti.c | 17 | ||||
-rw-r--r-- | net/xfrm/xfrm_policy.c | 52 | ||||
-rw-r--r-- | net/xfrm/xfrm_user.c | 12 |
4 files changed, 56 insertions, 29 deletions
diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h index 9da798256f0e..730d82ad6ee5 100644 --- a/include/net/netns/xfrm.h +++ b/include/net/netns/xfrm.h | |||
@@ -50,8 +50,8 @@ struct netns_xfrm { | |||
50 | struct list_head policy_all; | 50 | struct list_head policy_all; |
51 | struct hlist_head *policy_byidx; | 51 | struct hlist_head *policy_byidx; |
52 | unsigned int policy_idx_hmask; | 52 | unsigned int policy_idx_hmask; |
53 | struct hlist_head policy_inexact[XFRM_POLICY_MAX * 2]; | 53 | struct hlist_head policy_inexact[XFRM_POLICY_MAX]; |
54 | struct xfrm_policy_hash policy_bydst[XFRM_POLICY_MAX * 2]; | 54 | struct xfrm_policy_hash policy_bydst[XFRM_POLICY_MAX]; |
55 | unsigned int policy_count[XFRM_POLICY_MAX * 2]; | 55 | unsigned int policy_count[XFRM_POLICY_MAX * 2]; |
56 | struct work_struct policy_hash_work; | 56 | struct work_struct policy_hash_work; |
57 | struct xfrm_policy_hthresh policy_hthresh; | 57 | struct xfrm_policy_hthresh policy_hthresh; |
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c index 16a7e81e3f99..ace10d0b3aac 100644 --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c | |||
@@ -95,6 +95,7 @@ vti6_tnl_lookup(struct net *net, const struct in6_addr *remote, | |||
95 | unsigned int hash = HASH(remote, local); | 95 | unsigned int hash = HASH(remote, local); |
96 | struct ip6_tnl *t; | 96 | struct ip6_tnl *t; |
97 | struct vti6_net *ip6n = net_generic(net, vti6_net_id); | 97 | struct vti6_net *ip6n = net_generic(net, vti6_net_id); |
98 | struct in6_addr any; | ||
98 | 99 | ||
99 | for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) { | 100 | for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) { |
100 | if (ipv6_addr_equal(local, &t->parms.laddr) && | 101 | if (ipv6_addr_equal(local, &t->parms.laddr) && |
@@ -102,6 +103,22 @@ vti6_tnl_lookup(struct net *net, const struct in6_addr *remote, | |||
102 | (t->dev->flags & IFF_UP)) | 103 | (t->dev->flags & IFF_UP)) |
103 | return t; | 104 | return t; |
104 | } | 105 | } |
106 | |||
107 | memset(&any, 0, sizeof(any)); | ||
108 | hash = HASH(&any, local); | ||
109 | for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) { | ||
110 | if (ipv6_addr_equal(local, &t->parms.laddr) && | ||
111 | (t->dev->flags & IFF_UP)) | ||
112 | return t; | ||
113 | } | ||
114 | |||
115 | hash = HASH(remote, &any); | ||
116 | for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) { | ||
117 | if (ipv6_addr_equal(remote, &t->parms.raddr) && | ||
118 | (t->dev->flags & IFF_UP)) | ||
119 | return t; | ||
120 | } | ||
121 | |||
105 | t = rcu_dereference(ip6n->tnls_wc[0]); | 122 | t = rcu_dereference(ip6n->tnls_wc[0]); |
106 | if (t && (t->dev->flags & IFF_UP)) | 123 | if (t && (t->dev->flags & IFF_UP)) |
107 | return t; | 124 | return t; |
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 88bf289abdc9..cee479bc655c 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
@@ -55,6 +55,7 @@ static int stale_bundle(struct dst_entry *dst); | |||
55 | static int xfrm_bundle_ok(struct xfrm_dst *xdst); | 55 | static int xfrm_bundle_ok(struct xfrm_dst *xdst); |
56 | static void xfrm_policy_queue_process(unsigned long arg); | 56 | static void xfrm_policy_queue_process(unsigned long arg); |
57 | 57 | ||
58 | static void __xfrm_policy_link(struct xfrm_policy *pol, int dir); | ||
58 | static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol, | 59 | static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol, |
59 | int dir); | 60 | int dir); |
60 | 61 | ||
@@ -561,7 +562,7 @@ static void xfrm_hash_resize(struct work_struct *work) | |||
561 | mutex_lock(&hash_resize_mutex); | 562 | mutex_lock(&hash_resize_mutex); |
562 | 563 | ||
563 | total = 0; | 564 | total = 0; |
564 | for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) { | 565 | for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { |
565 | if (xfrm_bydst_should_resize(net, dir, &total)) | 566 | if (xfrm_bydst_should_resize(net, dir, &total)) |
566 | xfrm_bydst_resize(net, dir); | 567 | xfrm_bydst_resize(net, dir); |
567 | } | 568 | } |
@@ -601,7 +602,7 @@ static void xfrm_hash_rebuild(struct work_struct *work) | |||
601 | write_lock_bh(&net->xfrm.xfrm_policy_lock); | 602 | write_lock_bh(&net->xfrm.xfrm_policy_lock); |
602 | 603 | ||
603 | /* reset the bydst and inexact table in all directions */ | 604 | /* reset the bydst and inexact table in all directions */ |
604 | for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) { | 605 | for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { |
605 | INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]); | 606 | INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]); |
606 | hmask = net->xfrm.policy_bydst[dir].hmask; | 607 | hmask = net->xfrm.policy_bydst[dir].hmask; |
607 | odst = net->xfrm.policy_bydst[dir].table; | 608 | odst = net->xfrm.policy_bydst[dir].table; |
@@ -779,8 +780,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) | |||
779 | hlist_add_behind(&policy->bydst, newpos); | 780 | hlist_add_behind(&policy->bydst, newpos); |
780 | else | 781 | else |
781 | hlist_add_head(&policy->bydst, chain); | 782 | hlist_add_head(&policy->bydst, chain); |
782 | xfrm_pol_hold(policy); | 783 | __xfrm_policy_link(policy, dir); |
783 | net->xfrm.policy_count[dir]++; | ||
784 | atomic_inc(&net->xfrm.flow_cache_genid); | 784 | atomic_inc(&net->xfrm.flow_cache_genid); |
785 | 785 | ||
786 | /* After previous checking, family can either be AF_INET or AF_INET6 */ | 786 | /* After previous checking, family can either be AF_INET or AF_INET6 */ |
@@ -799,7 +799,6 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) | |||
799 | policy->curlft.use_time = 0; | 799 | policy->curlft.use_time = 0; |
800 | if (!mod_timer(&policy->timer, jiffies + HZ)) | 800 | if (!mod_timer(&policy->timer, jiffies + HZ)) |
801 | xfrm_pol_hold(policy); | 801 | xfrm_pol_hold(policy); |
802 | list_add(&policy->walk.all, &net->xfrm.policy_all); | ||
803 | write_unlock_bh(&net->xfrm.xfrm_policy_lock); | 802 | write_unlock_bh(&net->xfrm.xfrm_policy_lock); |
804 | 803 | ||
805 | if (delpol) | 804 | if (delpol) |
@@ -1247,17 +1246,10 @@ out: | |||
1247 | static void __xfrm_policy_link(struct xfrm_policy *pol, int dir) | 1246 | static void __xfrm_policy_link(struct xfrm_policy *pol, int dir) |
1248 | { | 1247 | { |
1249 | struct net *net = xp_net(pol); | 1248 | struct net *net = xp_net(pol); |
1250 | struct hlist_head *chain = policy_hash_bysel(net, &pol->selector, | ||
1251 | pol->family, dir); | ||
1252 | 1249 | ||
1253 | list_add(&pol->walk.all, &net->xfrm.policy_all); | 1250 | list_add(&pol->walk.all, &net->xfrm.policy_all); |
1254 | hlist_add_head(&pol->bydst, chain); | ||
1255 | hlist_add_head(&pol->byidx, net->xfrm.policy_byidx+idx_hash(net, pol->index)); | ||
1256 | net->xfrm.policy_count[dir]++; | 1251 | net->xfrm.policy_count[dir]++; |
1257 | xfrm_pol_hold(pol); | 1252 | xfrm_pol_hold(pol); |
1258 | |||
1259 | if (xfrm_bydst_should_resize(net, dir, NULL)) | ||
1260 | schedule_work(&net->xfrm.policy_hash_work); | ||
1261 | } | 1253 | } |
1262 | 1254 | ||
1263 | static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol, | 1255 | static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol, |
@@ -1265,17 +1257,31 @@ static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol, | |||
1265 | { | 1257 | { |
1266 | struct net *net = xp_net(pol); | 1258 | struct net *net = xp_net(pol); |
1267 | 1259 | ||
1268 | if (hlist_unhashed(&pol->bydst)) | 1260 | if (list_empty(&pol->walk.all)) |
1269 | return NULL; | 1261 | return NULL; |
1270 | 1262 | ||
1271 | hlist_del_init(&pol->bydst); | 1263 | /* Socket policies are not hashed. */ |
1272 | hlist_del(&pol->byidx); | 1264 | if (!hlist_unhashed(&pol->bydst)) { |
1273 | list_del(&pol->walk.all); | 1265 | hlist_del(&pol->bydst); |
1266 | hlist_del(&pol->byidx); | ||
1267 | } | ||
1268 | |||
1269 | list_del_init(&pol->walk.all); | ||
1274 | net->xfrm.policy_count[dir]--; | 1270 | net->xfrm.policy_count[dir]--; |
1275 | 1271 | ||
1276 | return pol; | 1272 | return pol; |
1277 | } | 1273 | } |
1278 | 1274 | ||
1275 | static void xfrm_sk_policy_link(struct xfrm_policy *pol, int dir) | ||
1276 | { | ||
1277 | __xfrm_policy_link(pol, XFRM_POLICY_MAX + dir); | ||
1278 | } | ||
1279 | |||
1280 | static void xfrm_sk_policy_unlink(struct xfrm_policy *pol, int dir) | ||
1281 | { | ||
1282 | __xfrm_policy_unlink(pol, XFRM_POLICY_MAX + dir); | ||
1283 | } | ||
1284 | |||
1279 | int xfrm_policy_delete(struct xfrm_policy *pol, int dir) | 1285 | int xfrm_policy_delete(struct xfrm_policy *pol, int dir) |
1280 | { | 1286 | { |
1281 | struct net *net = xp_net(pol); | 1287 | struct net *net = xp_net(pol); |
@@ -1307,7 +1313,7 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol) | |||
1307 | if (pol) { | 1313 | if (pol) { |
1308 | pol->curlft.add_time = get_seconds(); | 1314 | pol->curlft.add_time = get_seconds(); |
1309 | pol->index = xfrm_gen_index(net, XFRM_POLICY_MAX+dir, 0); | 1315 | pol->index = xfrm_gen_index(net, XFRM_POLICY_MAX+dir, 0); |
1310 | __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir); | 1316 | xfrm_sk_policy_link(pol, dir); |
1311 | } | 1317 | } |
1312 | if (old_pol) { | 1318 | if (old_pol) { |
1313 | if (pol) | 1319 | if (pol) |
@@ -1316,7 +1322,7 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol) | |||
1316 | /* Unlinking succeeds always. This is the only function | 1322 | /* Unlinking succeeds always. This is the only function |
1317 | * allowed to delete or replace socket policy. | 1323 | * allowed to delete or replace socket policy. |
1318 | */ | 1324 | */ |
1319 | __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir); | 1325 | xfrm_sk_policy_unlink(old_pol, dir); |
1320 | } | 1326 | } |
1321 | write_unlock_bh(&net->xfrm.xfrm_policy_lock); | 1327 | write_unlock_bh(&net->xfrm.xfrm_policy_lock); |
1322 | 1328 | ||
@@ -1349,7 +1355,7 @@ static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir) | |||
1349 | memcpy(newp->xfrm_vec, old->xfrm_vec, | 1355 | memcpy(newp->xfrm_vec, old->xfrm_vec, |
1350 | newp->xfrm_nr*sizeof(struct xfrm_tmpl)); | 1356 | newp->xfrm_nr*sizeof(struct xfrm_tmpl)); |
1351 | write_lock_bh(&net->xfrm.xfrm_policy_lock); | 1357 | write_lock_bh(&net->xfrm.xfrm_policy_lock); |
1352 | __xfrm_policy_link(newp, XFRM_POLICY_MAX+dir); | 1358 | xfrm_sk_policy_link(newp, dir); |
1353 | write_unlock_bh(&net->xfrm.xfrm_policy_lock); | 1359 | write_unlock_bh(&net->xfrm.xfrm_policy_lock); |
1354 | xfrm_pol_put(newp); | 1360 | xfrm_pol_put(newp); |
1355 | } | 1361 | } |
@@ -1878,7 +1884,6 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols, | |||
1878 | 1884 | ||
1879 | static void xfrm_policy_queue_process(unsigned long arg) | 1885 | static void xfrm_policy_queue_process(unsigned long arg) |
1880 | { | 1886 | { |
1881 | int err = 0; | ||
1882 | struct sk_buff *skb; | 1887 | struct sk_buff *skb; |
1883 | struct sock *sk; | 1888 | struct sock *sk; |
1884 | struct dst_entry *dst; | 1889 | struct dst_entry *dst; |
@@ -1941,7 +1946,7 @@ static void xfrm_policy_queue_process(unsigned long arg) | |||
1941 | skb_dst_drop(skb); | 1946 | skb_dst_drop(skb); |
1942 | skb_dst_set(skb, dst); | 1947 | skb_dst_set(skb, dst); |
1943 | 1948 | ||
1944 | err = dst_output(skb); | 1949 | dst_output(skb); |
1945 | } | 1950 | } |
1946 | 1951 | ||
1947 | out: | 1952 | out: |
@@ -2966,10 +2971,11 @@ static int __net_init xfrm_policy_init(struct net *net) | |||
2966 | goto out_byidx; | 2971 | goto out_byidx; |
2967 | net->xfrm.policy_idx_hmask = hmask; | 2972 | net->xfrm.policy_idx_hmask = hmask; |
2968 | 2973 | ||
2969 | for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) { | 2974 | for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { |
2970 | struct xfrm_policy_hash *htab; | 2975 | struct xfrm_policy_hash *htab; |
2971 | 2976 | ||
2972 | net->xfrm.policy_count[dir] = 0; | 2977 | net->xfrm.policy_count[dir] = 0; |
2978 | net->xfrm.policy_count[XFRM_POLICY_MAX + dir] = 0; | ||
2973 | INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]); | 2979 | INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]); |
2974 | 2980 | ||
2975 | htab = &net->xfrm.policy_bydst[dir]; | 2981 | htab = &net->xfrm.policy_bydst[dir]; |
@@ -3021,7 +3027,7 @@ static void xfrm_policy_fini(struct net *net) | |||
3021 | 3027 | ||
3022 | WARN_ON(!list_empty(&net->xfrm.policy_all)); | 3028 | WARN_ON(!list_empty(&net->xfrm.policy_all)); |
3023 | 3029 | ||
3024 | for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) { | 3030 | for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { |
3025 | struct xfrm_policy_hash *htab; | 3031 | struct xfrm_policy_hash *htab; |
3026 | 3032 | ||
3027 | WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir])); | 3033 | WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir])); |
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index e812e988c111..8128594ab379 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
@@ -824,13 +824,15 @@ static int copy_to_user_state_extra(struct xfrm_state *x, | |||
824 | ret = xfrm_mark_put(skb, &x->mark); | 824 | ret = xfrm_mark_put(skb, &x->mark); |
825 | if (ret) | 825 | if (ret) |
826 | goto out; | 826 | goto out; |
827 | if (x->replay_esn) { | 827 | if (x->replay_esn) |
828 | ret = nla_put(skb, XFRMA_REPLAY_ESN_VAL, | 828 | ret = nla_put(skb, XFRMA_REPLAY_ESN_VAL, |
829 | xfrm_replay_state_esn_len(x->replay_esn), | 829 | xfrm_replay_state_esn_len(x->replay_esn), |
830 | x->replay_esn); | 830 | x->replay_esn); |
831 | if (ret) | 831 | else |
832 | goto out; | 832 | ret = nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), |
833 | } | 833 | &x->replay); |
834 | if (ret) | ||
835 | goto out; | ||
834 | if (x->security) | 836 | if (x->security) |
835 | ret = copy_sec_ctx(x->security, skb); | 837 | ret = copy_sec_ctx(x->security, skb); |
836 | out: | 838 | out: |
@@ -2569,6 +2571,8 @@ static inline size_t xfrm_sa_len(struct xfrm_state *x) | |||
2569 | l += nla_total_size(sizeof(x->tfcpad)); | 2571 | l += nla_total_size(sizeof(x->tfcpad)); |
2570 | if (x->replay_esn) | 2572 | if (x->replay_esn) |
2571 | l += nla_total_size(xfrm_replay_state_esn_len(x->replay_esn)); | 2573 | l += nla_total_size(xfrm_replay_state_esn_len(x->replay_esn)); |
2574 | else | ||
2575 | l += nla_total_size(sizeof(struct xfrm_replay_state)); | ||
2572 | if (x->security) | 2576 | if (x->security) |
2573 | l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) + | 2577 | l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) + |
2574 | x->security->ctx_len); | 2578 | x->security->ctx_len); |