diff options
| author | Neil Horman <nhorman@tuxdriver.com> | 2009-07-27 04:22:46 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-07-27 14:35:32 -0400 |
| commit | a44a4a006b860476881ec0098c36584036e1cb91 (patch) | |
| tree | d1f6f519b734ca3b4b9e18ad473577884fb6b0d1 /net | |
| parent | 8a729fce76f7af50d8b622f2fb26adce9c8df743 (diff) | |
xfrm: export xfrm garbage collector thresholds via sysctl
Export garbage collector thresholds for xfrm[4|6]_dst_ops
Had a problem reported to me recently in which a high volume of ipsec
connections on a system began reporting ENOBUFS for new connections
eventually.
It seemed that after about 2000 connections we started being unable to
create more. A quick look revealed that the xfrm code used a dst_ops
structure that limited the gc_thresh value to 1024, and always
dropped route cache entries after 2x the gc_thresh.
It seems the most direct solution is to export the gc_thresh values in
the xfrm[4|6] dst_ops as sysctls, like the main routing table does, so
that higher volumes of connections can be supported. This patch has
been tested and allows the reporter to increase their ipsec connection
volume successfully.
Reported-by: Joe Nall <joe@nall.com>
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
ipv4/xfrm4_policy.c | 18 ++++++++++++++++++
ipv6/xfrm6_policy.c | 18 ++++++++++++++++++
2 files changed, 36 insertions(+)
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/xfrm4_policy.c | 18 | ||||
| -rw-r--r-- | net/ipv6/xfrm6_policy.c | 18 |
2 files changed, 36 insertions, 0 deletions
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index 0071ee6f441f..26496babdf3a 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c | |||
| @@ -264,6 +264,20 @@ static struct xfrm_policy_afinfo xfrm4_policy_afinfo = { | |||
| 264 | .fill_dst = xfrm4_fill_dst, | 264 | .fill_dst = xfrm4_fill_dst, |
| 265 | }; | 265 | }; |
| 266 | 266 | ||
| 267 | static struct ctl_table xfrm4_policy_table[] = { | ||
| 268 | { | ||
| 269 | .ctl_name = CTL_UNNUMBERED, | ||
| 270 | .procname = "xfrm4_gc_thresh", | ||
| 271 | .data = &xfrm4_dst_ops.gc_thresh, | ||
| 272 | .maxlen = sizeof(int), | ||
| 273 | .mode = 0644, | ||
| 274 | .proc_handler = proc_dointvec, | ||
| 275 | }, | ||
| 276 | { } | ||
| 277 | }; | ||
| 278 | |||
| 279 | static struct ctl_table_header *sysctl_hdr; | ||
| 280 | |||
| 267 | static void __init xfrm4_policy_init(void) | 281 | static void __init xfrm4_policy_init(void) |
| 268 | { | 282 | { |
| 269 | xfrm_policy_register_afinfo(&xfrm4_policy_afinfo); | 283 | xfrm_policy_register_afinfo(&xfrm4_policy_afinfo); |
| @@ -271,6 +285,8 @@ static void __init xfrm4_policy_init(void) | |||
| 271 | 285 | ||
| 272 | static void __exit xfrm4_policy_fini(void) | 286 | static void __exit xfrm4_policy_fini(void) |
| 273 | { | 287 | { |
| 288 | if (sysctl_hdr) | ||
| 289 | unregister_net_sysctl_table(sysctl_hdr); | ||
| 274 | xfrm_policy_unregister_afinfo(&xfrm4_policy_afinfo); | 290 | xfrm_policy_unregister_afinfo(&xfrm4_policy_afinfo); |
| 275 | } | 291 | } |
| 276 | 292 | ||
| @@ -278,5 +294,7 @@ void __init xfrm4_init(void) | |||
| 278 | { | 294 | { |
| 279 | xfrm4_state_init(); | 295 | xfrm4_state_init(); |
| 280 | xfrm4_policy_init(); | 296 | xfrm4_policy_init(); |
| 297 | sysctl_hdr = register_net_sysctl_table(&init_net, net_ipv4_ctl_path, | ||
| 298 | xfrm4_policy_table); | ||
| 281 | } | 299 | } |
| 282 | 300 | ||
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index 3a3c677bc0f2..4acc308eac7f 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c | |||
| @@ -306,6 +306,20 @@ static void xfrm6_policy_fini(void) | |||
| 306 | xfrm_policy_unregister_afinfo(&xfrm6_policy_afinfo); | 306 | xfrm_policy_unregister_afinfo(&xfrm6_policy_afinfo); |
| 307 | } | 307 | } |
| 308 | 308 | ||
| 309 | static struct ctl_table xfrm6_policy_table[] = { | ||
| 310 | { | ||
| 311 | .ctl_name = CTL_UNNUMBERED, | ||
| 312 | .procname = "xfrm6_gc_thresh", | ||
| 313 | .data = &xfrm6_dst_ops.gc_thresh, | ||
| 314 | .maxlen = sizeof(int), | ||
| 315 | .mode = 0644, | ||
| 316 | .proc_handler = proc_dointvec, | ||
| 317 | }, | ||
| 318 | { } | ||
| 319 | }; | ||
| 320 | |||
| 321 | static struct ctl_table_header *sysctl_hdr; | ||
| 322 | |||
| 309 | int __init xfrm6_init(void) | 323 | int __init xfrm6_init(void) |
| 310 | { | 324 | { |
| 311 | int ret; | 325 | int ret; |
| @@ -317,6 +331,8 @@ int __init xfrm6_init(void) | |||
| 317 | ret = xfrm6_state_init(); | 331 | ret = xfrm6_state_init(); |
| 318 | if (ret) | 332 | if (ret) |
| 319 | goto out_policy; | 333 | goto out_policy; |
| 334 | sysctl_hdr = register_net_sysctl_table(&init_net, net_ipv6_ctl_path, | ||
| 335 | xfrm6_policy_table); | ||
| 320 | out: | 336 | out: |
| 321 | return ret; | 337 | return ret; |
| 322 | out_policy: | 338 | out_policy: |
| @@ -326,6 +342,8 @@ out_policy: | |||
| 326 | 342 | ||
| 327 | void xfrm6_fini(void) | 343 | void xfrm6_fini(void) |
| 328 | { | 344 | { |
| 345 | if (sysctl_hdr) | ||
| 346 | unregister_net_sysctl_table(sysctl_hdr); | ||
| 329 | //xfrm6_input_fini(); | 347 | //xfrm6_input_fini(); |
| 330 | xfrm6_policy_fini(); | 348 | xfrm6_policy_fini(); |
| 331 | xfrm6_state_fini(); | 349 | xfrm6_state_fini(); |