[XFRM]: Allow packet drops during larval state resolution.

The current IPSEC rule resolution behavior we have does not work for a lot of people, even though technically it's an improvement from the -EAGAIN buisness we had before. Right now we'll block until the key manager resolves the route. That works for simple cases, but many folks would rather packets get silently dropped until the key manager resolves the IPSEC rules. We can't tell these folks to "set the socket non-blocking" because they don't have control over the non-block setting of things like the sockets used to resolve DNS deep inside of the resolver libraries in libc. With that in mind I coded up the patch below with some help from Herbert Xu which provides packet-drop behavior during larval state resolution, controllable via sysctl and off by default. This lays the framework to either: 1) Make this default at some point or... 2) Move this logic into xfrm{4,6}_policy.c and implement the ARP-like resolution queue we've all been dreaming of. The idea would be to queue packets to the policy, then once the larval state is resolved by the key manager we re-resolve the route and push the packets out. The packets would timeout if the rule didn't get resolved in a certain amount of time. Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@sunset.davemloft.net> 2007-05-24 21:17:54 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2007-05-24 21:17:54 -0400
commit: 14e50e57aedb2a89cf79b77782879769794cab7b (patch)
tree: 46cbdab9c8007cea0821294c9d397214b38ea4c8 /net/ipv6/route.c
parent: 04efb8787e4d8a7b21a61aeb723de33154311256 (diff)
1 files changed, 63 insertions, 0 deletions
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index b46ad53044ba..1324b06796c0 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -119,6 +119,19 @@ static struct dst_ops ip6_dst_ops = {
        .entry_size             =       sizeof(struct rt6_info),
 };
+static void ip6_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
+{
+}
+static struct dst_ops ip6_dst_blackhole_ops = {
+        .family                 =       AF_INET6,
+        .protocol               =       __constant_htons(ETH_P_IPV6),
+        .destroy                =       ip6_dst_destroy,
+        .check                  =       ip6_dst_check,
+        .update_pmtu            =       ip6_rt_blackhole_update_pmtu,
+        .entry_size             =       sizeof(struct rt6_info),
+};
 struct rt6_info ip6_null_entry = {
        .u = {
                .dst = {
@@ -833,6 +846,54 @@ struct dst_entry * ip6_route_output(struct sock *sk, struct flowi *fl)
 EXPORT_SYMBOL(ip6_route_output);
+static int ip6_blackhole_output(struct sk_buff *skb)
+{
+        kfree_skb(skb);
+        return 0;
+}
+int ip6_dst_blackhole(struct sock *sk, struct dst_entry **dstp, struct flowi *fl)
+{
+        struct rt6_info *ort = (struct rt6_info *) *dstp;
+        struct rt6_info *rt = (struct rt6_info *)
+                dst_alloc(&ip6_dst_blackhole_ops);
+        struct dst_entry *new = NULL;
+        if (rt) {
+                new = &rt->u.dst;
+                atomic_set(&new->__refcnt, 1);
+                new->__use = 1;
+                new->input = ip6_blackhole_output;
+                new->output = ip6_blackhole_output;
+                memcpy(new->metrics, ort->u.dst.metrics, RTAX_MAX*sizeof(u32));
+                new->dev = ort->u.dst.dev;
+                if (new->dev)
+                        dev_hold(new->dev);
+                rt->rt6i_idev = ort->rt6i_idev;
+                if (rt->rt6i_idev)
+                        in6_dev_hold(rt->rt6i_idev);
+                rt->rt6i_expires = 0;
+                ipv6_addr_copy(&rt->rt6i_gateway, &ort->rt6i_gateway);
+                rt->rt6i_flags = ort->rt6i_flags & ~RTF_EXPIRES;
+                rt->rt6i_metric = 0;
+                memcpy(&rt->rt6i_dst, &ort->rt6i_dst, sizeof(struct rt6key));
+#ifdef CONFIG_IPV6_SUBTREES
+                memcpy(&rt->rt6i_src, &ort->rt6i_src, sizeof(struct rt6key));
+#endif
+                dst_free(new);
+        }
+        dst_release(*dstp);
+        *dstp = new;
+        return (new ? 0 : -ENOMEM);
+}
+EXPORT_SYMBOL_GPL(ip6_dst_blackhole);
 /*
 *      Destination cache support functions
 */
@@ -2495,6 +2556,8 @@ void __init ip6_route_init(void)
        ip6_dst_ops.kmem_cachep =
                kmem_cache_create("ip6_dst_cache", sizeof(struct rt6_info), 0,
                                  SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL, NULL);
+        ip6_dst_blackhole_ops.kmem_cachep = ip6_dst_ops.kmem_cachep;
        fib6_init();
 #ifdef  CONFIG_PROC_FS
        p = proc_net_create("ipv6_route", 0, rt6_proc_info);
author	David S. Miller <davem@sunset.davemloft.net>	2007-05-24 21:17:54 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2007-05-24 21:17:54 -0400
commit	14e50e57aedb2a89cf79b77782879769794cab7b (patch)
tree	46cbdab9c8007cea0821294c9d397214b38ea4c8 /net/ipv6/route.c
parent	04efb8787e4d8a7b21a61aeb723de33154311256 (diff)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c index b46ad53044ba..1324b06796c0 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c
@@ -119,6 +119,19 @@ static struct dst_ops ip6_dst_ops = {
119	.entry_size = sizeof(struct rt6_info),	119	.entry_size = sizeof(struct rt6_info),
120	};	120	};
121		121
		122	static void ip6_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
		123	{
		124	}
		125
		126	static struct dst_ops ip6_dst_blackhole_ops = {
		127	.family = AF_INET6,
		128	.protocol = __constant_htons(ETH_P_IPV6),
		129	.destroy = ip6_dst_destroy,
		130	.check = ip6_dst_check,
		131	.update_pmtu = ip6_rt_blackhole_update_pmtu,
		132	.entry_size = sizeof(struct rt6_info),
		133	};
		134
122	struct rt6_info ip6_null_entry = {	135	struct rt6_info ip6_null_entry = {
123	.u = {	136	.u = {
124	.dst = {	137	.dst = {
@@ -833,6 +846,54 @@ struct dst_entry * ip6_route_output(struct sock sk, struct flowi fl)
833		846
834	EXPORT_SYMBOL(ip6_route_output);	847	EXPORT_SYMBOL(ip6_route_output);
835		848
		849	static int ip6_blackhole_output(struct sk_buff *skb)
		850	{
		851	kfree_skb(skb);
		852	return 0;
		853	}
		854
		855	int ip6_dst_blackhole(struct sock sk, struct dst_entry dstp, struct flowi fl)
		856	{
		857	struct rt6_info ort = (struct rt6_info ) *dstp;
		858	struct rt6_info rt = (struct rt6_info )
		859	dst_alloc(&ip6_dst_blackhole_ops);
		860	struct dst_entry *new = NULL;
		861
		862	if (rt) {
		863	new = &rt->u.dst;
		864
		865	atomic_set(&new->__refcnt, 1);
		866	new->__use = 1;
		867	new->input = ip6_blackhole_output;
		868	new->output = ip6_blackhole_output;
		869
		870	memcpy(new->metrics, ort->u.dst.metrics, RTAX_MAX*sizeof(u32));
		871	new->dev = ort->u.dst.dev;
		872	if (new->dev)
		873	dev_hold(new->dev);
		874	rt->rt6i_idev = ort->rt6i_idev;
		875	if (rt->rt6i_idev)
		876	in6_dev_hold(rt->rt6i_idev);
		877	rt->rt6i_expires = 0;
		878
		879	ipv6_addr_copy(&rt->rt6i_gateway, &ort->rt6i_gateway);
		880	rt->rt6i_flags = ort->rt6i_flags & ~RTF_EXPIRES;
		881	rt->rt6i_metric = 0;
		882
		883	memcpy(&rt->rt6i_dst, &ort->rt6i_dst, sizeof(struct rt6key));
		884	#ifdef CONFIG_IPV6_SUBTREES
		885	memcpy(&rt->rt6i_src, &ort->rt6i_src, sizeof(struct rt6key));
		886	#endif
		887
		888	dst_free(new);
		889	}
		890
		891	dst_release(*dstp);
		892	*dstp = new;
		893	return (new ? 0 : -ENOMEM);
		894	}
		895	EXPORT_SYMBOL_GPL(ip6_dst_blackhole);
		896
836	/*	897	/*
837	* Destination cache support functions	898	* Destination cache support functions
838	*/	899	*/
@@ -2495,6 +2556,8 @@ void __init ip6_route_init(void)
2495	ip6_dst_ops.kmem_cachep =	2556	ip6_dst_ops.kmem_cachep =
2496	kmem_cache_create("ip6_dst_cache", sizeof(struct rt6_info), 0,	2557	kmem_cache_create("ip6_dst_cache", sizeof(struct rt6_info), 0,
2497	SLAB_HWCACHE_ALIGN\|SLAB_PANIC, NULL, NULL);	2558	SLAB_HWCACHE_ALIGN\|SLAB_PANIC, NULL, NULL);
		2559	ip6_dst_blackhole_ops.kmem_cachep = ip6_dst_ops.kmem_cachep;
		2560
2498	fib6_init();	2561	fib6_init();
2499	#ifdef CONFIG_PROC_FS	2562	#ifdef CONFIG_PROC_FS
2500	p = proc_net_create("ipv6_route", 0, rt6_proc_info);	2563	p = proc_net_create("ipv6_route", 0, rt6_proc_info);