authorDavid S. Miller <davem@sunset.davemloft.net>2007-05-24 21:17:54 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-05-24 21:17:54 -0400
commit14e50e57aedb2a89cf79b77782879769794cab7b (patch)
tree46cbdab9c8007cea0821294c9d397214b38ea4c8 /net/ipv6
parent04efb8787e4d8a7b21a61aeb723de33154311256 (diff)
[XFRM]: Allow packet drops during larval state resolution.
The current IPSEC rule resolution behavior we have does not work for a lot of people, even though technically it's an improvement from the -EAGAIN business we had before. Right now we'll block until the key manager resolves the route. That works for simple cases, but many folks would rather packets get silently dropped until the key manager resolves the IPSEC rules. We can't tell these folks to "set the socket non-blocking" because they don't have control over the non-block setting of things like the sockets used to resolve DNS deep inside of the resolver libraries in libc. With that in mind I coded up the patch below with some help from Herbert Xu which provides packet-drop behavior during larval state resolution, controllable via sysctl and off by default. This lays the framework to either: 1) Make this default at some point or... 2) Move this logic into xfrm{4,6}_policy.c and implement the ARP-like resolution queue we've all been dreaming of. The idea would be to queue packets to the policy, then once the larval state is resolved by the key manager we re-resolve the route and push the packets out. The packets would time out if the rule didn't get resolved in a certain amount of time. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/datagram.c8
-rw-r--r--net/ipv6/raw.c8
-rw-r--r--net/ipv6/route.c63
-rw-r--r--net/ipv6/tcp_ipv6.c8
-rw-r--r--net/ipv6/udp.c8
5 files changed, 87 insertions, 8 deletions
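diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 403eee66b9c5..b1fe7ac5dc90 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -177,8 +177,12 @@ ipv4_connected:
 	if (final_p)
 		ipv6_addr_copy(&fl.fl6_dst, final_p);
 
-	if ((err = xfrm_lookup(&dst, &fl, sk, 1)) < 0)
-		goto out;
+	if ((err = __xfrm_lookup(&dst, &fl, sk, 1)) < 0) {
+		if (err == -EREMOTE)
+			err = ip6_dst_blackhole(sk, &dst, &fl);
+		if (err < 0)
+			goto out;
+	}
 
 	/* source address lookup done in ip6_dst_lookup */
 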
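Review bot: The new `-EREMOTE` branch at new lines 180-185 is the same five-line idiom that raw.c, tcp_ipv6.c and udp.c add in this commit, and four hand-copied instances of an error-path fallback are the kind of thing that drifts apart once the resolution queue the commit message describes lands; a small helper next to `ip6_dst_blackhole` in route.c that performs the `__xfrm_lookup` call and the `-EREMOTE` fallback together would leave each caller with a single call and `goto out`. The branch also depends on `__xfrm_lookup` leaving the original route in `dst` when it returns `-EREMOTE`, because `ip6_dst_blackhole` dereferences `*dstp` without a NULL check; that precondition is not visible in this commit and deserves a comment at the call site, e.g. `/* -EREMOTE: dst still holds the unprotected route; swap it for a blackhole */`. The enclosing function of this hunk starts and ends outside the hunk.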
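diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 009a1047fc3f..a58459a76684 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -818,8 +818,12 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
 	if (final_p)
 		ipv6_addr_copy(&fl.fl6_dst, final_p);
 
-	if ((err = xfrm_lookup(&dst, &fl, sk, 1)) < 0)
-		goto out;
+	if ((err = __xfrm_lookup(&dst, &fl, sk, 1)) < 0) {
+		if (err == -EREMOTE)
+			err = ip6_dst_blackhole(sk, &dst, &fl);
+		if (err < 0)
+			goto out;
+	}
 
 	if (hlimit < 0) {
 		if (ipv6_addr_is_multicast(&fl.fl6_dst))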
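diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index b46ad53044ba..1324b06796c0 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -119,6 +119,19 @@ static struct dst_ops ip6_dst_ops = {
 	.entry_size = sizeof(struct rt6_info),
 };
 
+static void ip6_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
+{
+}
+
+static struct dst_ops ip6_dst_blackhole_ops = {
+	.family = AF_INET6,
+	.protocol = __constant_htons(ETH_P_IPV6),
+	.destroy = ip6_dst_destroy,
+	.check = ip6_dst_check,
+	.update_pmtu = ip6_rt_blackhole_update_pmtu,
+	.entry_size = sizeof(struct rt6_info),
+};
+
 struct rt6_info ip6_null_entry = {
 	.u = {
 		.dst = {
@@ -833,6 +846,54 @@ struct dst_entry * ip6_route_output(struct sock *sk, struct flowi *fl)
 
 EXPORT_SYMBOL(ip6_route_output);
 
+static int ip6_blackhole_output(struct sk_buff *skb)
+{
+	kfree_skb(skb);
+	return 0;
+}
+
+int ip6_dst_blackhole(struct sock *sk, struct dst_entry **dstp, struct flowi *fl)
+{
+	struct rt6_info *ort = (struct rt6_info *) *dstp;
+	struct rt6_info *rt = (struct rt6_info *)
+		dst_alloc(&ip6_dst_blackhole_ops);
+	struct dst_entry *new = NULL;
+
+	if (rt) {
+		new = &rt->u.dst;
+
+		atomic_set(&new->__refcnt, 1);
+		new->__use = 1;
+		new->input = ip6_blackhole_output;
+		new->output = ip6_blackhole_output;
+
+		memcpy(new->metrics, ort->u.dst.metrics, RTAX_MAX*sizeof(u32));
+		new->dev = ort->u.dst.dev;
+		if (new->dev)
+			dev_hold(new->dev);
+		rt->rt6i_idev = ort->rt6i_idev;
+		if (rt->rt6i_idev)
+			in6_dev_hold(rt->rt6i_idev);
+		rt->rt6i_expires = 0;
+
+		ipv6_addr_copy(&rt->rt6i_gateway, &ort->rt6i_gateway);
+		rt->rt6i_flags = ort->rt6i_flags & ~RTF_EXPIRES;
+		rt->rt6i_metric = 0;
+
+		memcpy(&rt->rt6i_dst, &ort->rt6i_dst, sizeof(struct rt6key));
+#ifdef CONFIG_IPV6_SUBTREES
+		memcpy(&rt->rt6i_src, &ort->rt6i_src, sizeof(struct rt6key));
+#endif
+
+		dst_free(new);
+	}
+
+	dst_release(*dstp);
+	*dstp = new;
+	return (new ? 0 : -ENOMEM);
+}
+EXPORT_SYMBOL_GPL(ip6_dst_blackhole);
+
 /*
  * Destination cache support functions
  */
@@ -2495,6 +2556,8 @@ void __init ip6_route_init(void)
 	ip6_dst_ops.kmem_cachep =
 		kmem_cache_create("ip6_dst_cache", sizeof(struct rt6_info), 0,
 				  SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL, NULL);
+	ip6_dst_blackhole_ops.kmem_cachep = ip6_dst_ops.kmem_cachep;
+
 	fib6_init();
 #ifdef CONFIG_PROC_FS
 	p = proc_net_create("ipv6_route", 0, rt6_proc_info);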
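diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index e2f25ea43b68..4f06a51ad4fd 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -265,8 +265,12 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
 	if (final_p)
 		ipv6_addr_copy(&fl.fl6_dst, final_p);
 
-	if ((err = xfrm_lookup(&dst, &fl, sk, 1)) < 0)
-		goto failure;
+	if ((err = __xfrm_lookup(&dst, &fl, sk, 1)) < 0) {
+		if (err == -EREMOTE)
+			err = ip6_dst_blackhole(sk, &dst, &fl);
+		if (err < 0)
+			goto failure;
+	}
 
 	if (saddr == NULL) {
 		saddr = &fl.fl6_src;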
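diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index a7ae59c954d5..d1fbddd172e7 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -767,8 +767,12 @@ do_udp_sendmsg:
 	if (final_p)
 		ipv6_addr_copy(&fl.fl6_dst, final_p);
 
-	if ((err = xfrm_lookup(&dst, &fl, sk, 1)) < 0)
-		goto out;
+	if ((err = __xfrm_lookup(&dst, &fl, sk, 1)) < 0) {
+		if (err == -EREMOTE)
+			err = ip6_dst_blackhole(sk, &dst, &fl);
+		if (err < 0)
+			goto out;
+	}
 
 	if (hlimit < 0) {
 		if (ipv6_addr_is_multicast(&fl.fl6_dst))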