1 files changed, 36 insertions, 1 deletions
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 0071ee6f441f..74fb2eb833ec 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -264,6 +264,22 @@ static struct xfrm_policy_afinfo xfrm4_policy_afinfo = {
        .fill_dst =             xfrm4_fill_dst,
 };
+#ifdef CONFIG_SYSCTL
+static struct ctl_table xfrm4_policy_table[] = {
+        {
+                .ctl_name       = CTL_UNNUMBERED,
+                .procname       = "xfrm4_gc_thresh",
+                .data           = &xfrm4_dst_ops.gc_thresh,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec,
+        },
+        { }
+};
+static struct ctl_table_header *sysctl_hdr;
+#endif
 static void __init xfrm4_policy_init(void)
 {
        xfrm_policy_register_afinfo(&xfrm4_policy_afinfo);
@@ -271,12 +287,31 @@ static void __init xfrm4_policy_init(void)
 static void __exit xfrm4_policy_fini(void)
 {
+#ifdef CONFIG_SYSCTL
+        if (sysctl_hdr)
+                unregister_net_sysctl_table(sysctl_hdr);
+#endif
        xfrm_policy_unregister_afinfo(&xfrm4_policy_afinfo);
 }
-void __init xfrm4_init(void)
+void __init xfrm4_init(int rt_max_size)
 {
        xfrm4_state_init();
        xfrm4_policy_init();
+        /*
+         * Select a default value for the gc_thresh based on the main route
+         * table hash size.  It seems to me the worst case scenario is when
+         * we have ipsec operating in transport mode, in which we create a
+         * dst_entry per socket.  The xfrm gc algorithm starts trying to remove
+         * entries at gc_thresh, and prevents new allocations as 2*gc_thresh
+         * so lets set an initial xfrm gc_thresh value at the rt_max_size/2.
+         * That will let us store an ipsec connection per route table entry,
+         * and start cleaning when were 1/2 full
+         */
+        xfrm4_dst_ops.gc_thresh = rt_max_size/2;
+#ifdef CONFIG_SYSCTL
+        sysctl_hdr = register_net_sysctl_table(&init_net, net_ipv4_ctl_path,
+                                                xfrm4_policy_table);
+#endif
 }

diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index 0071ee6f441f..74fb2eb833ec 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c
@@ -264,6 +264,22 @@ static struct xfrm_policy_afinfo xfrm4_policy_afinfo = {
264	.fill_dst = xfrm4_fill_dst,	264	.fill_dst = xfrm4_fill_dst,
265	};	265	};
266		266
		267	#ifdef CONFIG_SYSCTL
		268	static struct ctl_table xfrm4_policy_table[] = {
		269	{
		270	.ctl_name = CTL_UNNUMBERED,
		271	.procname = "xfrm4_gc_thresh",
		272	.data = &xfrm4_dst_ops.gc_thresh,
		273	.maxlen = sizeof(int),
		274	.mode = 0644,
		275	.proc_handler = proc_dointvec,
		276	},
		277	{ }
		278	};
		279
		280	static struct ctl_table_header *sysctl_hdr;
		281	#endif
		282
267	static void __init xfrm4_policy_init(void)	283	static void __init xfrm4_policy_init(void)
268	{	284	{
269	xfrm_policy_register_afinfo(&xfrm4_policy_afinfo);	285	xfrm_policy_register_afinfo(&xfrm4_policy_afinfo);
@@ -271,12 +287,31 @@ static void __init xfrm4_policy_init(void)
271		287
272	static void __exit xfrm4_policy_fini(void)	288	static void __exit xfrm4_policy_fini(void)
273	{	289	{
		290	#ifdef CONFIG_SYSCTL
		291	if (sysctl_hdr)
		292	unregister_net_sysctl_table(sysctl_hdr);
		293	#endif
274	xfrm_policy_unregister_afinfo(&xfrm4_policy_afinfo);	294	xfrm_policy_unregister_afinfo(&xfrm4_policy_afinfo);
275	}	295	}
276		296
277	void __init xfrm4_init(void)	297	void __init xfrm4_init(int rt_max_size)
278	{	298	{
279	xfrm4_state_init();	299	xfrm4_state_init();
280	xfrm4_policy_init();	300	xfrm4_policy_init();
		301	/*
		302	* Select a default value for the gc_thresh based on the main route
		303	* table hash size. It seems to me the worst case scenario is when
		304	* we have ipsec operating in transport mode, in which we create a
		305	* dst_entry per socket. The xfrm gc algorithm starts trying to remove
		306	* entries at gc_thresh, and prevents new allocations as 2*gc_thresh
		307	* so lets set an initial xfrm gc_thresh value at the rt_max_size/2.
		308	* That will let us store an ipsec connection per route table entry,
		309	* and start cleaning when were 1/2 full
		310	*/
		311	xfrm4_dst_ops.gc_thresh = rt_max_size/2;
		312	#ifdef CONFIG_SYSCTL
		313	sysctl_hdr = register_net_sysctl_table(&init_net, net_ipv4_ctl_path,
		314	xfrm4_policy_table);
		315	#endif
281	}	316	}
282		317